Honeypot Fields. The Simplest Way to Stop Form Spam.

March 8, 2026 | Kyle Miller | Members Only

security web-development pragmatism
CAPTCHAs annoy real users. Honeypot fields catch bots without anyone noticing. Sometimes the simplest solution wins.

Your contact form gets 200 spam submissions a day. So you add reCAPTCHA. Spam drops. But so do real submissions. People hate clicking on crosswalks and traffic lights. Some give up entirely.

There’s a simpler approach. Add a hidden form field. Hide it with CSS so real users never see it and never fill it in. Bots don’t render CSS. They see a form field and fill it in automatically.

On the server side, check that hidden field. If it has a value, it’s a bot. Reject the submission silently. Don’t even return an error. Just drop it.

Implementation takes about ten minutes. Add an input field. Give it a name that sounds real, like website or company. Hide it with display: none or position it off-screen with CSS. Check it server-side before processing the form.

It won’t stop sophisticated bots that render JavaScript and detect hidden fields. For those you’ll need additional layers. But for the vast majority of automated spam, a hidden input field is enough.

Not every problem needs a complex solution.

This article is for members only

Join CTOConnect for $99/month to get access to all episodes, members-only articles, and live office hours.

Start Your 30-Day Trial Log In