How to Create Honeypot for Battling Form Spam in Laravel

Once your website goes live very soon you will start receiving spam from your website forms. Spambots write a computer program that just fills out your form with fake information. It is a headache for site owners to clean up this unwanted data and protect the database from such unnecessary records. This article is written for the people who built their applications using Laravel. We will study how one can protect their forms from spam in Laravel.

The user can add Google reCAPTCHA on their form which will test if the form values are filled by humans or not. But doing so, your users need to solve the puzzle before submitting a form. You can opt-out for puzzles using the latest version of Google reCAPTCHA. But it will display a reCAPTCHA icon to the bottom right corner of your website.

Most of the site owners do not like captchas. And if you hate captchas then keep a honeypot in your forms which would trap the spambots.

Mostly spambots are dumb we can say as they just fill up all your form fields. They are not aware of which form fields are actually in use for further process. We can take advantage of this scenario and add a dummy input field (honeypot) to our form. This hidden field should remain empty at the time of form submission. So while checking on the server-side if this hidden field is empty then it will be a valid form submission. And if it is not empty then it will be spam. Having said that, let’s take a look at how to create honeypots and protect website forms from spam.

Create Honeypot and Prevent Form from Spam

As I said a hidden field can fool the spambots and stop the form submission on the server-side. For this purpose, we are going to use the laravel-honeypot package. Using this package, a user can protect one or more forms easily. They don’t need to write server-side code for each form separately.

For package installation, open the terminal in your project root directory and run the command:

composer require spatie/laravel-honeypot

Upon package installation, publish the config file of package using the command:

php artisan vendor:publish --provider="Spatie\Honeypot\HoneypotServiceProvider" --tag=config

This command will add honeypot.php file under the config directory. You don’t need to modify the config file. Instead, in the .env file add the constant shown below.


Here I gave the name ‘honeypot_for_bots’ which will be the name of your hidden field. You can set any other name to this constant.

Next, register the global middleware which will protect all your forms from a single place.


protected $middleware = [
   // ...

That’s it! Now go to your form and add the honeypot to it by adding @honeypot in the form HTML. Your blade file will look something like below.

<form action="" method="post">
    <input type="text" name="fullname" placeholder="Full Name" />
    <input type="submit" name="submit" value="Submit" />
    {{ csrf_field() }}

Alternatively, you can use the x-honeypot in your Blade.

<form action="" method="post">
    <x-honeypot />
    <input type="text" name="fullname" placeholder="Full Name" />
    <input type="submit" name="submit" value="Submit" />
    {{ csrf_field() }}

You are done. Now if spambots are trying to send spam in your form, the package will discard the request. As a result, no more spam will end up in your database.

Related Articles

If you liked this article, then please subscribe to our YouTube Channel for video tutorials.

Leave a Reply

Your email address will not be published.