You add "hidden" inputs to your HTML form that are named like "First Name" or "Family Name". Bots will fill them out. You will either expect them to be empty or you fill by JavaScript with sth you expect. It's of course reverse-engineerable, but does the trick.

▲

alexjurkiewicz 8 hours ago | parent | next [-]

Doesn't that break password manager autofill?

▲

grey-area 8 hours ago | parent | prev | next [-]

Thanks, I’ve seen scripted attacks bypass this sort of hidden input unfortunately (perhaps human assisted or perhaps just ignoring hidden fields).

▲

jaggederest 7 hours ago | parent | next [-]

They often do actually ignore truly hidden fields (input type=hidden) but if you put them "behind" an element with css, or extremely small but still rendered, many get caught. It's similar to the cheeky prompt injection attacks people did/do against LLMs.

	▲	grey-area 6 hours ago \| parent [-]
		Thanks.

▲

mads_quist 8 hours ago | parent | prev [-]

Sure, it's really basic of course.

▲

bevr1337 8 hours ago | parent | prev | next [-]

Do you test this against password managers? Seems like this approach could generate false positives

▲

imhoguy 6 hours ago | parent | prev [-]

Watch out, it may break accessibility of your service. If somebody fills these fields I would add extra verification e.g. accessible CAPTCHA.