A honeypot field is a hidden form input that real people never see or fill in, but automated bots do. If your server gets a submission where that hidden field contains text, you know a bot filled it out, and you silently reject it. It's one of the simplest, most effective spam traps you can add to any web form, and it works without annoying your visitors with puzzles or checkboxes.
Content Table
How a honeypot field works
The honeypot technique borrows its name from security traps that lure attackers into a fake target. In form spam, the "trap" is a decoy input field. Most spam bots scan a page, find every input they can, and dump text into all of them to maximize their chances of getting a message through. They don't render the page like a browser does, so they can't tell which fields are hidden from human eyes.
Here's the flow:
-
You add an extra input to your form, often named something tempting like
website,url, oraddress. - You hide it visually so no real visitor ever sees or types in it.
- A human submits the form and leaves that field empty (because they never saw it).
- A bot fills it in, because it fills in everything.
- Your backend checks the field on submission. Empty = human, passes through. Filled = bot, gets rejected silently.
How to build a honeypot field
A honeypot has two parts: the hidden form field in your HTML, and a check on the server that processes the submission. Start with the markup:
<form action="/submit" method="post">
<label for="name">Name</label>
<input type="text" id="name" name="name">
<label for="email">Email</label>
<input type="email" id="email" name="email">
<!-- Honeypot field: hidden from humans -->
<div class="hp-field" aria-hidden="true">
<label for="website">Leave this field empty</label>
<input type="text" id="website" name="website" tabindex="-1" autocomplete="off">
</div>
<button type="submit">Send</button>
</form>
Notice a few deliberate choices in that hidden form field:
-
name="website"looks like a legitimate field a bot would want to fill. -
tabindex="-1"keeps keyboard users from tabbing into it by accident. -
autocomplete="off"stops browser autofill from dropping data into it (which would falsely flag a real person). -
aria-hidden="true"tells screen readers to skip it, so assistive tech users don't get confused.
On the server, the logic is short. In plain terms: if the
website
value is anything other than empty, drop the submission. The
form's action attribute
points to wherever this check runs, whether that's a script you wrote or a hosted form service.
type="hidden"
for the honeypot input. Bots specifically skip true hidden inputs because they expect those to hold values like tokens. A honeypot needs to look like a normal text field that's only hidden by CSS.
Hiding the field the right way
How you hide the field matters for accuracy. Some methods accidentally block real users or get spotted by smarter bots. Here are the common approaches compared:
| Method | How it hides | Trade-off |
|---|---|---|
display: none
|
Removes from layout entirely | Simple, but some bots now ignore display:none fields |
| Off-screen positioning |
position: absolute; left: -9999px
|
Harder for bots to detect, still invisible to humans |
opacity: 0
+ zero height
|
Renders but stays invisible and unclickable | Good middle ground, pair with pointer-events none |
A robust pattern combines off-screen positioning with accessibility attributes. The label text ("Leave this field empty") is a backup hint for the rare user who somehow sees it. Because your styling lives in an external stylesheet rather than inline, bots can't read the CSS by parsing the HTML alone, which makes the hidden form field harder to identify.
If you're building forms with text areas and other inputs alongside your honeypot, the same hiding rules apply across all of them. Our guide on improving forms with the HTML textarea element covers structuring those fields cleanly so your honeypot blends in naturally.
Honeypot vs CAPTCHA
Both fight bots, but they ask very different things of your visitors. A honeypot is invisible and frictionless; a CAPTCHA forces a person to prove they're human.
| Factor | Honeypot field | CAPTCHA |
|---|---|---|
| User effort | Zero, invisible | Solve a puzzle or click a box |
| Accessibility | No barrier when built right | Can frustrate screen reader users |
| Stops simple bots | Yes | Yes |
| Stops advanced bots | Sometimes | Better, especially modern versions |
The smart move is to start with a honeypot because it costs your real users nothing. Many teams only add a CAPTCHA like Cloudflare Turnstile as a second layer if spam slips through. Layering bot detection methods, honeypot plus rate limiting plus an optional CAPTCHA, beats relying on any single trick. For a fuller picture of locking down your endpoints, see our guide on securing form submissions.
Where honeypots fall short
A honeypot is a great first line, not a complete shield. Knowing its limits keeps your expectations realistic:
- Targeted spam bots adapt. A bot written specifically for your site can learn to skip the honeypot once its operator notices submissions failing.
-
Browser autofill false positives.
If you forget
autocomplete="off", a password manager or autofill might populate the trap field for a real user and get them blocked. - It won't stop human spammers. People paid to fill out forms by hand see the real fields and leave the hidden one alone, just like any visitor.
- It does nothing for flooding. A honeypot checks one field; it doesn't stop the same address hammering your form repeatedly. Pair it with rate limiting based on email or IP.
That's why effective form spam filtering uses a few methods together. A honeypot catches the broad, dumb bot traffic that makes up most spam, a cooldown window stops repeat floods, and a keyword blocklist catches obvious junk content. Each layer covers a gap the others leave open.
Turn on a honeypot field without writing a line of code
SendForm lets you flip on a hidden honeypot field that silently rejects bots, plus a keyword blocklist and built-in rate limiting, straight from your form's spam protection settings.
Set up spam protection →
Frequently asked questions
Not when built correctly. Add
aria-hidden="true"
to the wrapper and
tabindex="-1"
to the input so screen readers and keyboard users skip it entirely. Hide it with CSS rather than the hidden attribute. Done right, no real visitor, assistive tech or not, ever interacts with the field.
Pick a name that looks tempting to bots but isn't a real field on your form, like
website
,
url
,
phone2
, or
address
. Bots fill in fields that look standard. Avoid obvious names like
honeypot
or
spam-trap
, since smarter bots watch for those and skip them.
Because bots intentionally leave true hidden inputs alone, expecting them to carry security tokens or session data. The trick is a normal-looking text field that's only invisible through CSS. The bot sees a regular input and fills it, while a human never sees it at all.
For most low-to-medium traffic forms, a honeypot alone stops the bulk of automated spam without bothering anyone. High-value or heavily targeted forms may still need a CAPTCHA as a backup layer. The best approach starts with the frictionless honeypot and adds a CAPTCHA only if spam gets through.
It can, if you skip
autocomplete="off"
on the trap input. Browser autofill and password managers sometimes drop data into name- or address-like fields. Adding that attribute, plus a non-standard field name, keeps autofill from accidentally flagging a genuine visitor as a bot.