Closed SammySteiner closed 3 months ago
Thank you for working on this!
For
app/controllers
andapp/forms/users
, could we use the variablehoneypot
instead ofhp_field
, so that the field naming convention is consistent and the purpose of the field is spelled out? Without knowing in advance, I think it is hard to guess whathp
stands for in this context.
The guidance is not to have the name or id of the fields include the word honeypot
as some bots are programmed to ignore fields with that word in the name or id, which is why I went with hp_field
. Here are some alternatives:
trap_for_spambots
or something elseh_o_n_e_y_p_o_t
should provide some obfuscationapp/forms/users
which while a bit messy will contain or obfuscated name and the word honeypot in both forms and controllers. i.e. in the app/users/form:
attr_accessor :email, :hp_field
alias_attribute :honeypot_field, :hp_field
validates :honeypot_field, absence: true
in the controller:
honeypot_field = params[:users_forgot_password_form][:hp_field]
@form = Users::ForgotPasswordForm.new(email: email, honeypot_field: honeypot_field)
params.require(:users_reset_password_form).permit(:email, :code, :password, :hp_field)
Thoughts?
The guidance is not to have the name or id of the fields include the word
honeypot
as some bots are programmed to ignore fields with that word in the name or id, which is why I went withhp_field
.
Thank you for explaining. What about spamtrap
or spam_trap
? I also think hp
would be acceptable if we added comments everywhere it appeared to explain what it is.
The guidance is not to have the name or id of the fields include the word
honeypot
as some bots are programmed to ignore fields with that word in the name or id, which is why I went withhp_field
.Thank you for explaining. What about
spamtrap
orspam_trap
? I also thinkhp
would be acceptable if we added comments everywhere it appeared to explain what it is.
Sounds good, I went with spam_trap
Let me know if you think we should also rename the honeypot helper in the form builder to spam_trap? But I like that the honeypot method creates a spam trap 🤷
Sounds good, I went with
spam_trap
👍
Let me know if you think we should also rename the honeypot helper in the form builder to spam_trap? But I like that the honeypot method creates a spam trap 🤷
🤔 I don't feel strongly about it. I think that if it's named the same thing consistently, there's less mental translation that someone has to do as they navigate the code, but I also think we can always rename it in the future if we hear feedback that it is cumbersome.
Ticket
Changes
Context for reviewers
Added honeypot fields to publicly accessible forms to combat spam bots, following guidance from the rails security best practices doc .
Testing