Beat the bots with proof of work
This form is protected from bot submissions. The default form action is set to https://httpbin.org/delay/30, which makes a bot wait 30 seconds for a response by default (that is, when JS isn't active).
Once submitted, the form runs a proof-of-work algorithm that generates a nonce from the form values (this can be validated on the server if need be). After that step, every submission is validated as follows:
- Time-to-submission is checked against a threshold (1000ms), since bots tend to submit forms immediately
- Input items with the data-protected-input attribute need to be interacted with (typing/pasting/etc.) instead of having their value set programmatically
- The presumably empty honeypot field (usually hidden with CSS) is checked for content
This way, even if a bot is caught by one of the suspicion tests, it still had to perform the proof of work first, and is then rewarded with a nice long wait.
This is not meant to protect against a focussed attack. It'll just work against 99% of existing spambots.