Michael Mines / war stories

The honeypot that caught humans

Happened July 9, 2026

Every public form on my products carries a honeypot field: invisible to humans, filled by dumb bots, and any submission with it filled gets dropped. Standard stuff.

The first version named the honeypot field company. Reasonable on a real estate product where no form asks for a company, and a naturally tempting name for a bot.

It was also a naturally tempting name for Chrome.

Browser autofill happily filled the hidden company field for real humans who had a company saved in their autofill profile. Those submissions were silently dropped as bots. Real buyers, real showing requests, gone, with nothing in the logs, because a dropped honeypot submission was designed to be silent.

Two fixes, both now standing rules written into the factory template every product forks:

  1. Honeypot fields use meaningless names (like llx_check) that no autofill engine will ever recognize. Never real-word names.
  2. Every tripped honeypot logs a warning, so drops are visible in the deploy logs. Silent security is unauditable security. If the honeypot starts catching a suspicious volume of "bots," I want to see the curve, because last time the curve was customers.

The general lesson: any filter that silently discards input needs observability on what it discards. The failure mode of a quiet filter is not letting bad traffic through. It is eating good traffic with no evidence.