Avoid forms spamming in Laravel 9
Having a public site with forms can become a headache if we do not prevent spam bots from submitting fake information to our application. Luckily, there is a simple and effective way to defer some of the spam using honeypots. This technique is based on creating a hidden input field that should be left empty by the real users of the application but will most likely be filled out by spam bots.
The package we want to share with you creates a hidden DIV with two fields in it, the honeypot field and encrypted timestamp that marks the moment when the page was served to the user. When the form containing these inputs invisible to the user is submitted to your application, a custom validator that comes with the package checks that the honeypot field is empty and also checks the time it took for the user to fill out the form. If the form was filled out too quickly or if there was a value put in the honeypot field, this submission is most likely from a spam bot.
Installation
To get started, use Composer package manager to add the package to your project's dependencies.
composer require spatie/laravel-honeypot
Optionally, you can publish the config file of the package.
php artisan vendor:publish --provider="Spatie\\Honeypot\\HoneypotServiceProvider" --tag=honeypot-config
It will create a configuration file where you will be able to adjust some variables to your project needs. It will be located in config/honeypot.php.
Generating the honeypot
First, you will need to add the honeypot directive in the form where you want to generate it.
<form method="POST" action="...">
@honeypot
<input type="text" name="my_normal_input" value="">
...
</form>
It will automatically add two fields to the form. You can configure these input names in the configuration file.
Then, you must use the ProtectAgainstSpam middleware in the routes that handle the form submission. This middleware will intercept any request that get caught in the honeypot. It will also intercept the request if it is submitted faster than the configured amount of time.
use Spatie\\Honeypot\\ProtectAgainstSpam;
Route::middleware(ProtectAgainstSpam::class)->group(function() {
// Routes protected with honeypot technique
});
Alternatively, you can enable the honeypot validation on all your application forms adding it to the HTTP kernel middleware for web routes:
// HTTP Kernel: app/Http/Kernel.php
protected $middlewareGroups = [
'web' => [
...
\\Spatie\\Honeypot\\ProtectAgainstSpam::class,
...
],
'api' => [
...
],
];
Customizing the honeypot
Besides the configuration file, you can publish and customize generated output.
php artisan vendor:publish --provider="Spatie\\Honeypot\\HoneypotServiceProvider" --tag=honeypot-views
The view will be placed in resources/views/vendor/honeypot/honeypotFormFields.blade.php.
@if($enabled)
<div id="{{ $nameFieldName }}_wrap" style="display:none;">
<input name="{{ $nameFieldName }}" type="text" value="" id="{{ $nameFieldName }}">
<input name="{{ $validFromFieldName }}" type="text" value="{{ $encryptedValidFrom }}">
</div>
@endif
And all generated honeypots will follow the structure defined in the file above.
Conclusion
We highly recommend using this easy and straightforward technique to avoid receiving spam, fake information and unnecessary load on the services due to questionable bots activity. With correct configuration, legit users will not even notice the use of honeypots.
0 Comments