Every public form on my products carries a honeypot field: invisible to humans, filled by dumb bots, and any submission with it filled gets dropped. Standard stuff.
The first version named the honeypot field company. Reasonable on a real estate product where no form asks for a company, and a naturally tempting name for a bot.
It was also a naturally tempting name for Chrome.
Browser autofill happily filled the hidden company field for real humans who had a company saved in their autofill profile. Those submissions were silently dropped as bots. Real buyers, real showing requests, gone, with nothing in the logs, because a dropped honeypot submission was designed to be silent.
Two fixes, both now standing rules written into the factory template every product forks:
- Honeypot fields use meaningless names (like
llx_check) that no autofill engine will ever recognize. Never real-word names. - Every tripped honeypot logs a warning, so drops are visible in the deploy logs. Silent security is unauditable security. If the honeypot starts catching a suspicious volume of "bots," I want to see the curve, because last time the curve was customers.
The general lesson: any filter that silently discards input needs observability on what it discards. The failure mode of a quiet filter is not letting bad traffic through. It is eating good traffic with no evidence.