Honeypot Captcha

The simplest way to add honeypot captchas in your Rails forms.

Honeypot captchas work off the premise that you can present different form fields to a spam bot than you do to a real user. Spam bots will typically try to fill all fields in a form and will not take into account CSS styles.

We add bogus fields to a form and then check to see if those fields are submitted with values. If they are, we assume that we encountered a spam bot.

Requirements

  • Rails >= 2.3.8

Installation

In your Gemfile, simply add

gem 'honeypot-captcha'

Usage

I've tried to make it pretty simple to add a honeypot captcha, but I'm open to any suggestions you may have. By default, create and update actions are protected. For other actions, see below.

form_for

Simply specify that the form has a honeypot in the HTML options hash:

<%= form_for Comment.new, :html => { :honeypot => true } do |form| -%>
  ...
<% end -%>

form_tag with block

Simply specify that the form has a honeypot in the options hash:

<%= form_tag comments_path, :honeypot => true do -%>
  ...
<% end -%>

form_tag without block

Simply specify that the form has a honeypot in the options hash:

<%= form_tag comments_path, :honeypot => true -%>
  ...
</form>

simple_form_for

Simply specify that the form has a honeypot in the HTML options hash:

<%= simple_form_for Comment.new, :html => { :honeypot => true } do |form| -%>
  ...
<% end -%>

Protection for actions other than create and update

If you are submitting a form to a non-RESTful action and require honeypot protection, simply add the before filter for that action in your controller. For example:

class NewsletterController < ApplicationController
  prepend_before_action :protect_from_spam, :only => [:subscribe]
  ...
end

Customizing the honeypot fields

Override the honeypot_fields method within ApplicationController to add your own custom field names and values. For example:

def honeypot_fields
  {
    :my_custom_comment_body => 'Do not fill in this field, sucka!',
    :another_thingy => 'Really... do not fill out!'
  }
end

NOTE: honeypot_fields hash keys are used at the beginning of the generated HTML id attributes. The HTML 4.01 spec states that ids must start with a letter ([A-Za-z]), so be aware of this when creating the hash keys. HTML5 is much less strict.

Override the honeypot_string method within ApplicationController to disguise the string that will be included in the honeypot name. For example:

def honeypot_string
  'im-not-a-honeypot-at-all'
end

Override the honeypot_style_class method within ApplicationController to provide a non-inline CSS class that will be applied to hide honeypot fields (if nil, the style will be applied inline). For example:

def honeypot_style_class
  'display-none'
end

... assigns an HTML class for styling purposes:

<div id="login_hp_1464171481" class="display-none">

... which can be styled by a CSS style within app/assets/stylesheets:

.display-none {
  display: none;
}

Note on Patches/Pull Requests

  • Fork the project.
  • Make your feature addition or bug fix.
  • Add tests for it. This is important so I don't break it in a future version unintentionally.
  • Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
  • Send me a pull request. Bonus points for topic branches.

Author

Created by Curtis Miller of Velocity Labs, a Ruby on Rails development company.

Collaborators

Contributors

Thank you to all contributors!

Copyright

Copyright (c) 2010-2019 Curtis Miller. See LICENSE for details.