middlewares/honeypot

Latest stable version: v2.1.0

Composer install command:

composer require middlewares/honeypot

Package description

Middleware to implement a honeypot spam prevention

README documentation

Middleware to implement honeypot spam prevention. This technique is based on creating an input field that should be invisible and left empty by real users but filled by most spam bots. The middleware checks each incoming request: if the value exists and is empty, the request is treated as coming from a real user; if it doesn't exist or has a value, it is treated as a bot and the middleware returns a 403 response.

Requirements

Installation

This package is installable and autoloadable via Composer as middlewares/honeypot.

composer require middlewares/honeypot

Example

$dispatcher = new Dispatcher([
	new Middlewares\Honeypot()
]);

$response = $dispatcher->dispatch(new ServerRequest());

Usage

In your forms, you have to include an <input> element that will be used as a trap:

<html>
    <head>
        <style type="text/css">
            input[name="hpt_name"] { display: none; }
        </style>
    </head>
    <body>
        <form method="POST">
            <!-- This is the honeypot -->
            <input type="text" name="hpt_name" aria-label="Please, do not fill this input">

            <label>
                User:
                <input type="text" name="username">
            </label>
            <label>
                Password:
                <input type="password" name="password">
            </label>
        </form>
    </body>
</html>

By default the middleware expects the input name to be hpt_name, but you can change it. Note also the CSS rule that hides the honeypot, so users do not see anything; only robots do. You may need to add some accessibility attributes like aria-label for screen readers.

//Check the default "hpt_name" value
$honeypot = new Middlewares\Honeypot();

//Check other value, for example "nobots"
$honeypot = new Middlewares\Honeypot('nobots');

Optionally, you can provide a Psr\Http\Message\ResponseFactoryInterface as the second argument to create the error response (403) when spam is detected. If it's not defined, Middlewares\Utils\Factory will be used to detect it automatically.

$responseFactory = new MyOwnResponseFactory();

$honeypot = new Middlewares\Honeypot('htp_name', $responseFactory);
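
The rule described in the introduction (field present and empty passes, anything else gets a 403), written out as a stand-alone PHP function run over constructed form bodies. This is an added example, not the package's own code; honeypotVerdict() and the sample data are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not the package's source. honeypotVerdict() is a
// hypothetical helper; "hpt_name" is the default field name from this page.

/**
 * Apply the honeypot rule to an already-parsed form body.
 * Returns [allowed, reason]; the reason is meant for logging.
 */
function honeypotVerdict(array $body, string $field = 'hpt_name'): array
{
    // Field absent: the client did not submit the form as it was rendered.
    if (!array_key_exists($field, $body)) {
        return [false, 'missing'];
    }
    $value = $body[$field];
    // "hpt_name[]=x" is parsed by PHP into an array; the rendered form
    // can only ever produce a string here.
    if (!is_string($value)) {
        return [false, 'not-a-string'];
    }
    // Strict comparison: empty() would treat the string "0" as empty.
    if ($value !== '') {
        return [false, 'filled'];
    }
    return [true, 'ok'];
}

// Constructed sample submissions (parsed bodies), not captured traffic.
$samples = [
    'real user'     => ['hpt_name' => '', 'username' => 'alice', 'password' => 'example'],
    'field filled'  => ['hpt_name' => 'http://spam.example', 'username' => 'a', 'password' => 'b'],
    'field is "0"'  => ['hpt_name' => '0', 'username' => 'a', 'password' => 'b'],
    'field omitted' => ['username' => 'a', 'password' => 'b'],
    'array value'   => ['hpt_name' => ['x'], 'username' => 'a', 'password' => 'b'],
];

foreach ($samples as $label => $body) {
    [$allowed, $reason] = honeypotVerdict($body);
    // A caller would answer 403 when $allowed is false, as the middleware does.
    printf("%-14s %s (%s)\n", $label, $allowed ? 'pass' : '403 block', $reason);
}
```

Logging the reason next to the 403 lets you tell a form whose field name does not match the middleware's (every submission shows "missing") apart from actual bot traffic.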

Helpers

getField

This static method is provided to ease the creation of the input field. It accepts two arguments: the input name and a label used for screen readers. If no name is provided, it uses the same name passed previously to the middleware.

Example:

<form method="POST">
    <?= Middlewares\Honeypot::getField('htp_name', 'Please, do not fill this input') ?>
    <label>
        User:
        <input type="text" name="username">
    </label>
    <label>
        Password:
        <input type="password" name="password">
    </label>
</form>

getHiddenField

This static method generates the input field just like getField() does, but adds inline CSS to hide the field directly. Note: This may be easier for some bots to detect. If you want to get creative with hiding the field, use getField() in combination with custom CSS (or JS).

<form method="POST">
    <?= Middlewares\Honeypot::getHiddenField() ?>
    <label>
        User:
        <input type="text" name="username">
    </label>
    <label>
        Password:
        <input type="password" name="password">
    </label>
</form>

Please see CHANGELOG for more information about recent changes and CONTRIBUTING for contributing details.

The MIT License (MIT). Please see LICENSE for more information.

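Statistics

  • Total downloads: 2.57k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 13
  • Clicks: 0
  • Dependent projects: 0
  • Recommendations: 0

GitHub information

  • Stars: 13
  • Watchers: 1
  • Forks: 1
  • Language: PHP

Other information

  • License: MIT
  • Updated: 2016-10-09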