• Stars
    star
    1,134
  • Rank 41,064 (Top 0.9 %)
  • Language
    PHP
  • License
    MIT License
  • Created almost 6 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Preventing spam submitted through forms

Preventing spam submitted through forms

Latest Version on Packagist Test Status Code Style Status Total Downloads

When adding a form to a public site, there's a risk that spam bots will try to submit it with fake values. Luckily, the majority of these bots are pretty dumb. You can thwart most of them by adding an invisible field to your form that should never contain a value when submitted. Such a field is called a honeypot. These spam bots will just fill all fields, including the honeypot.

When a submission comes in with a filled honeypot field, this package will discard that request. On top of that this package also checks how long it took to submit the form. This is done using a timestamp in another invisible field. If the form was submitted in a ridiculously short time, the anti spam will also be triggered.

After installing this package, all you need to do is to add the x-honeypot Blade component to your form.

<form method="POST">
    <x-honeypot />
    <input name="myField" type="text">
</form>

The package also supports manually passing the necessary values to your view layer, so you can easily add honeypot fields to your Inertia powered app.

Support us

We invest a lot of resources into creating best in class open source packages. You can support us by buying one of our paid products.

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on our contact page. We publish all received postcards on our virtual postcard wall.

Video tutorial

In this video, which is part of the Mailcoach video course, you can see how the package can be installed and used.

Installation

You can install the package via composer:

composer require spatie/laravel-honeypot

Optionally, you can publish the config file of the package.

php artisan vendor:publish --provider="Spatie\Honeypot\HoneypotServiceProvider" --tag=honeypot-config

This is the content of the config file that will be published at config/honeypot.php:

use Spatie\Honeypot\SpamResponder\BlankPageResponder;

return [
    /*
     * Here you can specify name of the honeypot field. Any requests that submit a non-empty
     * value for this name will be discarded. Make sure this name does not
     * collide with a form field that is actually used.
     */
    'name_field_name' => env('HONEYPOT_NAME', 'my_name'),

    /*
     * When this is activated there will be a random string added
     * to the name_field_name. This improves the
     * protection against bots.
     */
    'randomize_name_field_name' => env('HONEYPOT_RANDOMIZE', true),

    /*
     * When this is activated, requests will be checked if
     * form is submitted faster than this amount of seconds
     */
    'valid_from_timestamp' => env('HONEYPOT_VALID_FROM_TIMESTAMP', true),
    
    /*
     * This field contains the name of a form field that will be used to verify
     * if the form wasn't submitted too quickly. Make sure this name does not
     * collide with a form field that is actually used.
     */
    'valid_from_field_name' => env('HONEYPOT_VALID_FROM', 'valid_from'),

    /*
     * If the form is submitted faster than this amount of seconds
     * the form submission will be considered invalid.
     */
    'amount_of_seconds' => env('HONEYPOT_SECONDS', 1),

    /*
     * This class is responsible for sending a response to requests that
     * are detected as being spammy. By default a blank page is shown.
     *
     * A valid responder is any class that implements
     * `Spatie\Honeypot\SpamResponder\SpamResponder`
     */
    'respond_to_spam_with' => BlankPageResponder::class,

    /*
     * This class is responsible for applying all protection
     * rules for a request. By default uses `request()`.
     *
     * It throws the `Spatie\Honeypot\ExceptionsSpamException` if the
     * request is flagged as spam, or returns void if it succeeds.
     */
    'spam_protection' => \Spatie\Honeypot\SpamProtection::class,

    /*
     * When activated, requests will be checked if honeypot fields are missing,
     * if so the request will be stamped as spam. Be careful! When using the
     * global middleware be sure to add honeypot fields to each form.
     */
    'honeypot_fields_required_for_all_forms' => false,

    /*
     * This switch determines if the honeypot protection should be activated.
     */
    'enabled' => env('HONEYPOT_ENABLED', true),
];

Usage

First, you must add the x-honeypot Blade component to any form you wish to protect.

<form method="POST" action="{{ route('contactForm.submit') }}")>
    <x-honeypot />
    <input name="myField" type="text">
</form>

Alternatively, you can use the @honeypot Blade directive:

<form method="POST" action="{{ route('contactForm.submit') }}")>
    @honeypot
    <input name="myField" type="text">
</form>

Using either the Blade component or directive will add two fields: my_name and valid_from_timestamp (you can change the names in the config file).

Next, you must use the Spatie\Honeypot\ProtectAgainstSpam middleware in the route that handles the form submission. This middleware will intercept any request that submits a non empty value for the key named my_name. It will also intercept the request if it is submitted faster than the encrypted timestamp that the package generated in valid_from_timestamp.

use App\Http\Controllers\ContactFormSubmissionController;
use Spatie\Honeypot\ProtectAgainstSpam;

Route::post('contact', [ContactFormSubmissionController::class, 'create'])->middleware(ProtectAgainstSpam::class);

If you want to integrate the Spatie\Honeypot\ProtectAgainstSpam middleware with Laravel's built in authentication routes, wrap the Auth::routes(); declaration with the appropriate middleware group (make sure to add the @honeypot directive to the authentication forms).

use Spatie\Honeypot\ProtectAgainstSpam;

Route::middleware(ProtectAgainstSpam::class)->group(function() {
    Auth::routes();
});

If your app has a lot of forms handled by many different controllers, you could opt to register it as global middleware.

// inside app\Http\Kernel.php

protected $middleware = [
   // ...
   \Spatie\Honeypot\ProtectAgainstSpam::class,
];

Usage in Inertia

When using Inertia you must manually pass the values used in the honeypot fields. Here's an example:

// in a controller
public function create(\Spatie\Honeypot\Honeypot $honeypot) 
{
    return inertia('contactform.show', [
        'honeypot' => $honeypot,
    ]);
}

Your front-end will get an honeypot object with these keys: enabled, nameFieldName, validFromFieldName, encryptedValidFrom.

Here's an example how these values could be rendered using Vue:

<div v-if="honeypot.enabled" :name="`${honeypot.nameFieldName}_wrap`" style="display:none;">
    <input type="text" v-model="form[honeypot.nameFieldName]" :name="honeypot.nameFieldName" :id="honeypot.nameFieldName" />
    <input type="text" v-model="form[honeypot.validFromFieldName]" :name="honeypot.validFromFieldName" />
</div>

And then in your Vue component, add these values to your form data:

props: ['honeypot'],

data() {
    return {
        form: this.$inertia.form({
            [this.honeypot.nameFieldName]: '',
            [this.honeypot.validFromFieldName]: this.honeypot.encryptedValidFrom,
        }),
    }
}

Usage in Livewire

You can use this package to prevent spam submission to forms powered by Livewire.

First, add the UsesSpamProtection trait to your Livewire component:

use Spatie\Honeypot\Http\Livewire\Concerns\UsesSpamProtection;

class YourComponent extends Component
{
    use UsesSpamProtection;

Next, declare a HoneypotData property and call protectAgainstSpam() in the method that handles form submissions:

use Spatie\Honeypot\Http\Livewire\Concerns\HoneypotData;

class YourComponent extends Component
{
    // ...
    
    public HoneypotData $extraFields;
    
    public function mount()
    {
        $this->extraFields = new HoneypotData();
    }
 
   
    public function submit(): void 
    {
        $this->protectAgainstSpam(); // if is spam, will abort the request
    
        User::create($request->all());
    }
}

Finally, use the x-honeypot in your Livewire Blade component:

<form method="POST" action="{{ route('contactForm.submit') }}")>
    <x-honeypot livewire-model="extraFields" />
    <input name="myField" type="text">
</form>

Disabling in testing

By default, any protected form that is submitted in faster than 1 second will be marked as spammy. When running end to end tests, which should run as fast as possible, you probably don't want this.

To disable all honeypots in code, you can set the enabled config value to false.

config()->set('honeypot.enabled', false)

Customizing the response

When a spammy submission is detected, the package will show a blank page by default. You can customize this behaviour by writing your own SpamResponse and specifying its fully qualified class name in the respond_to_spam_with key of the honeypot config file.

A valid SpamResponse is any class that implements the Spatie\Honeypot\SpamResponder\SpamResponder interface. This is what that interface looks like:

namespace Spatie\Honeypot\SpamResponder;

use Closure;
use Illuminate\Http\Request;

interface SpamResponder
{
    public function respond(Request $request, Closure $next);
}

Even though a spam responder's primary purpose is to respond to spammy requests, you could do other stuff there as well. You could for instance use the properties on $request to determine the source of the spam (maybe all requests come from the same IP) and put some logic to block that source altogether.

If the package wrongly determined that the request is spammy, you can generate the default response by passing the $request to the $next closure, like you would in a middleware.

// in your spam responder
$regularResponse = $next($request)

Customizing the generated honeypot fields

To customize output generated, you can publish the honeypot view with:

php artisan vendor:publish --provider="Spatie\Honeypot\HoneypotServiceProvider" --tag=honeypot-views

The view will be placed in resources/views/vendor/honeypot/honeypotFormFields.blade.php. This is the default content:

@if($enabled)
    <div id="{{ $nameFieldName }}_wrap" style="display:none;">
        <input name="{{ $nameFieldName }}" type="text" value="" id="{{ $nameFieldName }}">
        <input name="{{ $validFromFieldName }}" type="text" value="{{ $encryptedValidFrom }}">
    </div>
@endif

Events fired

Whenever spam is detected, the Spatie\Honeypot\Events\SpamDetectedEvent event is fired. It has the $request as a public property.

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Alternatives

If you need stronger spam protection, consider using Google ReCaptcha or Akismet.

Contributing

Please see CONTRIBUTING for details.

Security

If you've found a bug regarding security please mail [email protected] instead of using the issue tracker.

Credits

This package was inspired by the Honeypot package by Maksim Surguy.

License

The MIT License (MIT). Please see License File for more information.

More Repositories

1

laravel-permission

Associate users with roles and permissions
PHP
11,600
star
2

laravel-medialibrary

Associate files with Eloquent models
PHP
5,427
star
3

laravel-backup

A package to backup your Laravel app
PHP
5,337
star
4

laravel-activitylog

Log activity inside your Laravel app
PHP
5,316
star
5

browsershot

Convert HTML to an image, PDF or string
PHP
4,434
star
6

laravel-query-builder

Easily build Eloquent queries from API requests
PHP
3,675
star
7

laravel-analytics

A Laravel package to retrieve pageviews and other data from Google Analytics
PHP
2,948
star
8

image-optimizer

Easily optimize images using PHP
PHP
2,450
star
9

async

Easily run code asynchronously
PHP
2,401
star
10

crawler

An easy to use, powerful crawler implemented in PHP. Can execute Javascript.
PHP
2,400
star
11

laravel-responsecache

Speed up a Laravel app by caching the entire response
PHP
2,248
star
12

data-transfer-object

Data transfer objects with batteries included
PHP
2,220
star
13

laravel-translatable

Making Eloquent models translatable
PHP
2,030
star
14

laravel-sitemap

Create and generate sitemaps with ease
PHP
2,011
star
15

dashboard.spatie.be

The source code of dashboard.spatie.be
PHP
1,940
star
16

laravel-fractal

An easy to use Fractal wrapper built for Laravel and Lumen applications
PHP
1,845
star
17

package-skeleton-laravel

A skeleton repository for Spatie's Laravel Packages
PHP
1,714
star
18

period

Complex period comparisons
PHP
1,618
star
19

laravel-collection-macros

A set of useful Laravel collection macros
PHP
1,602
star
20

laravel-newsletter

Manage Mailcoach and MailChimp newsletters in Laravel
PHP
1,570
star
21

checklist-going-live

The checklist that is used when a project is going live
1,489
star
22

laravel-tags

Add tags and taggable behaviour to your Laravel app
PHP
1,454
star
23

opening-hours

Query and format a set of opening hours
PHP
1,340
star
24

schema-org

A fluent builder Schema.org types and ld+json generator
PHP
1,337
star
25

eloquent-sortable

Sortable behaviour for Eloquent models
PHP
1,268
star
26

laravel-cookie-consent

Make your Laravel app comply with the crazy EU cookie law
PHP
1,268
star
27

laravel-data

Powerful data objects for Laravel
PHP
1,240
star
28

laravel-sluggable

An opinionated package to create slugs for Eloquent models
PHP
1,236
star
29

laravel-settings

Store strongly typed application settings
PHP
1,218
star
30

laravel-searchable

Pragmatically search through models and other sources
PHP
1,217
star
31

pdf-to-image

Convert a pdf to an image
PHP
1,207
star
32

laravel-mail-preview

A mail driver to quickly preview mail
PHP
1,171
star
33

once

A magic memoization function
PHP
1,159
star
34

laravel-image-optimizer

Optimize images in your Laravel app
PHP
1,121
star
35

laravel-google-calendar

Manage events on a Google Calendar
PHP
1,119
star
36

regex

A sane interface for php's built in preg_* functions
PHP
1,097
star
37

laravel-multitenancy

Make your Laravel app usable by multiple tenants
PHP
1,092
star
38

image

Manipulate images with an expressive API
PHP
1,064
star
39

array-to-xml

A simple class to convert an array to xml
PHP
1,056
star
40

laravel-uptime-monitor

A powerful and easy to configure uptime and ssl monitor
PHP
1,020
star
41

db-dumper

Dump the contents of a database
PHP
987
star
42

laravel-webhook-client

Receive webhooks in Laravel apps
PHP
985
star
43

laravel-model-states

State support for models
PHP
968
star
44

laravel-view-models

View models in Laravel
PHP
963
star
45

simple-excel

Read and write simple Excel and CSV files
PHP
930
star
46

laravel-web-tinker

Tinker in your browser
JavaScript
925
star
47

laravel-webhook-server

Send webhooks from Laravel apps
PHP
920
star
48

calendar-links

Generate add to calendar links for Google, iCal and other calendar systems
PHP
904
star
49

laravel-db-snapshots

Quickly dump and load databases
PHP
889
star
50

laravel-mix-purgecss

Zero-config Purgecss for Laravel Mix
JavaScript
887
star
51

laravel-schemaless-attributes

Add schemaless attributes to Eloquent models
PHP
880
star
52

blender

The Laravel template used for our CMS like projects
PHP
879
star
53

fork

A lightweight solution for running code concurrently in PHP
PHP
863
star
54

laravel-schedule-monitor

Monitor scheduled tasks in a Laravel app
PHP
859
star
55

laravel-menu

Html menu generator for Laravel
PHP
854
star
56

phpunit-watcher

A tool to automatically rerun PHPUnit tests when source code changes
PHP
831
star
57

laravel-failed-job-monitor

Get notified when a queued job fails
PHP
826
star
58

laravel-model-status

Easily add statuses to your models
PHP
818
star
59

form-backend-validation

An easy way to validate forms using back end logic
JavaScript
800
star
60

temporary-directory

A simple class to work with a temporary directory
PHP
796
star
61

laravel-feed

Easily generate RSS feeds
PHP
789
star
62

laravel-event-sourcing

The easiest way to get started with event sourcing in Laravel
PHP
772
star
63

enum

Strongly typed enums in PHP supporting autocompletion and refactoring
PHP
769
star
64

laravel-server-monitor

Don't let your servers just melt down
PHP
769
star
65

laravel-package-tools

Tools for creating Laravel packages
PHP
767
star
66

laravel-tail

An artisan command to tail your application logs
PHP
726
star
67

valuestore

Easily store some values
PHP
722
star
68

laravel-health

Check the health of your Laravel app
PHP
719
star
69

geocoder

Geocode addresses to coordinates
PHP
709
star
70

pdf-to-text

Extract text from a pdf
PHP
707
star
71

ssh

A lightweight package to execute commands over an SSH connection
PHP
696
star
72

menu

Html menu generator
PHP
688
star
73

laravel-url-signer

Create and validate signed URLs with a limited lifetime
PHP
685
star
74

ssl-certificate

A class to validate SSL certificates
PHP
675
star
75

laravel-route-attributes

Use PHP 8 attributes to register routes in a Laravel app
PHP
674
star
76

laravel-validation-rules

A set of useful Laravel validation rules
PHP
663
star
77

laravel-pdf

Create PDF files in Laravel apps
PHP
661
star
78

url

Parse, build and manipulate URL's
PHP
659
star
79

laravel-html

Painless html generation
PHP
654
star
80

laravel-event-projector

Event sourcing for Artisans ๐Ÿ“ฝ
PHP
642
star
81

laravel-server-side-rendering

Server side rendering JavaScript in your Laravel application
PHP
636
star
82

vue-tabs-component

An easy way to display tabs with Vue
JavaScript
626
star
83

macroable

A trait to dynamically add methods to a class
PHP
621
star
84

laravel-blade-javascript

A Blade directive to export variables to JavaScript
PHP
618
star
85

laravel-onboard

A Laravel package to help track user onboarding steps
PHP
616
star
86

laravel-csp

Set content security policy headers in a Laravel app
PHP
614
star
87

laravel-cors

Send CORS headers in a Laravel application
PHP
607
star
88

laravel-short-schedule

Schedule artisan commands to run at a sub-minute frequency
PHP
607
star
89

laravel-translation-loader

Store your translations in the database or other sources
PHP
602
star
90

vue-table-component

A straight to the point Vue component to display tables
JavaScript
591
star
91

activitylog

A very simple activity logger to monitor the users of your website or application
PHP
586
star
92

phpunit-snapshot-assertions

A way to test without writing actual testย cases
PHP
584
star
93

http-status-check

CLI tool to crawl a website and check HTTP status codes
PHP
584
star
94

laravel-queueable-action

Queueable actions in Laravel
PHP
584
star
95

ray

Debug with Ray to fix problems faster
PHP
574
star
96

freek.dev

The sourcecode of freek.dev
PHP
571
star
97

server-side-rendering

Server side rendering JavaScript in a PHP application
PHP
568
star
98

string

String handling evolved
PHP
558
star
99

laravel-http-logger

Log HTTP requests in Laravel applications
PHP
538
star
100

laravel-blade-x

Use custom HTML components in your Blade views
PHP
533
star