Anti-spambot measure
Adding honeypot fields to forms that are accessible to users before they need to login is recommended by the Rails security best practices. The idea is that it's a hidden field that human users won't fill in, therefore if it is filled in, we can assume it was submitted by a bot and reject the submission.
Solution
Create a honeypot field partial to be included in forms that:
Is hidden to the user (positioning and opacity)
Do not use display: none as some bots know not to fill those in or just don't see them
Do not use "hidden" in the css name as some bots are smart enough to avoid that
Make sure auto-complete is disabled
To address accessibility, and browsers that have CSS disabled, add a description that informs folks that this is an anti-spambot field and it should be left empty.
Consider including multiple fields with different types, e.g. text, email, text-area, phone, etc.
Add validation to check the honeypot field.
Don't forget tests!
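As an added illustration of the points above (not code from this issue or from the project), here is a framework-free Ruby sketch: a partial that renders the honeypot fields, and the validation that rejects a submission when any of them is filled in. The field names, the CSS class name and the sample submissions are constructed for the example; in a real Rails app the partial would be an ERB view and the check would run in a validation or before_action.

```ruby
require "erb"

# Field names are constructed for this example. Plain, boring names and
# a mix of input types are used so the fields look like ordinary inputs.
HONEYPOT_FIELDS = {
  "contact_reference" => "text",
  "secondary_email"   => "email",
  "alt_phone"         => "tel",
}.freeze

# The class name avoids the word "hidden", and the fields are moved
# off-screen and made transparent rather than using display: none.
HONEYPOT_CSS = <<~CSS
  .form-extra { position: absolute; left: -10000px; top: auto;
                width: 1px; height: 1px; opacity: 0; }
CSS

# The description stays readable for screen readers and for browsers with
# CSS disabled; tabindex="-1" keeps the inputs out of the tab order and
# autocomplete="off" stops the browser pre-filling them.
HONEYPOT_TEMPLATE = ERB.new(<<~TPL, trim_mode: "-")
  <div class="form-extra">
    <p>If you are a person, leave these fields empty. They only exist to catch spam bots.</p>
  <%- fields.each do |name, type| -%>
    <label for="<%= name %>"><%= name.tr('_', ' ') %></label>
    <input type="<%= type %>" id="<%= name %>" name="<%= name %>" tabindex="-1" autocomplete="off">
  <%- end -%>
  </div>
TPL

# Renders the honeypot partial; in Rails this would be a view partial.
def render_honeypot_fields(fields = HONEYPOT_FIELDS)
  HONEYPOT_TEMPLATE.result_with_hash(fields: fields)
end

# Returns the names of honeypot fields that were filled in. Missing keys
# and whitespace-only values count as empty, so a human submission that
# never saw the fields (e.g. a different form version) is not rejected.
def tripped_honeypots(params, fields = HONEYPOT_FIELDS)
  fields.keys.select { |name| !params[name].to_s.strip.empty? }
end

# The validation: any filled honeypot field means the submission is treated
# as bot traffic and rejected.
def honeypot_triggered?(params, fields = HONEYPOT_FIELDS)
  !tripped_honeypots(params, fields).empty?
end

# Constructed sample submissions (string keys, as Rails params would have).
HUMAN_SUBMISSION = {
  "name" => "Ada", "message" => "Hello", "contact_reference" => "",
}.freeze

BOT_SUBMISSION = {
  "name" => "Ada", "message" => "buy now",
  "contact_reference" => "http://spam.invalid",
  "secondary_email"   => "bot@spam.invalid",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_honeypot_fields
  puts "human tripped: #{tripped_honeypots(HUMAN_SUBMISSION).inspect}"
  puts "bot tripped:   #{tripped_honeypots(BOT_SUBMISSION).inspect}"
end
```

Returning the list of tripped fields rather than a bare boolean makes the rejection easy to log for later review, and checking every configured field means adding a new field type only requires extending HONEYPOT_FIELDS.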
Alternatively
Consider using the Rails honeypot-captcha library.