Reputation: 880
This is purely a theoretical/subjective question about Vue and Laravel.
I need to prevent spamming on public forms/inputs using Vue and Laravel, i.e. the forms which are publicly available before the user actually logs in to the application, such as the sign-up form (especially), search forms, etc.
As per my knowledge, Vue works on a virtual DOM and spam bots also crawl the DOM, but I don't know if they are capable of crawling a virtual DOM. There are a number of questions I am encountering.
I sincerely need your views/opinions/advice/suggestions in this matter.
Upvotes: 2
Views: 3078
Reputation: 20737
Yes they can. Vue components are rendered into actual HTML the browser understands. Of course, someone could emulate input elements via other means, but this is a usability nightmare for accessibility. It means a large portion (this survey suggests 1/5th of visitors) cannot use your forms. I strongly recommend against using such a method.
CSRF is not bot protection. CSRF is a protection mechanism that protects against cross-site forgery attacks. Or in other words: Users getting tricked into doing things on your site without their intent, by abusing a mechanic where browsers send authentication cookies with every request. A CSRF token is a non-guessable piece of information that is only available through other means, which allows you to ignore any requests with an invalid CSRF token.
No, not really. Honeypots work on the dumbest of bots. Any bots that are able to identify which elements are visible on the page, either through rendering the page, or by static analysis of CSS, are able to figure out which fields to fill out and which fields to leave alone.
You have two other options. As suggested by David Weldon in the comments, using reCAPTCHA v3 will massively cut down on spam by scoring the trustworthiness of the submission, based on interactions with the site. You can ignore form submissions with too low of a score. You can use a visible or (partly) invisible reCAPTCHA v2 if you want users to be able to bypass the reCAPTCHA.
Your other option is to use a service like Akismet for WordPress. Such a service relies on many sites and forms to send their form submissions to such a service, which allows them to identify form submissions that occur on a large percentage of sites that are most likely spam, and filter them out completely. You may be able to find a similar service with a wide enough reach to be effective.
Upvotes: 2
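The score check mentioned in the answer above has to run on the server, after the backend has sent the token from the form to reCAPTCHA's `siteverify` endpoint. The following PHP is an added example, not code from the original posts: it takes the decoded `siteverify` response and rejects the submission unless everything checks out. The function name `recaptchaDecision`, the `0.5` starting threshold, the host `example.test`, the form field `recaptcha_token` and the config key `services.recaptcha.secret` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Decide whether to accept a form submission from a decoded reCAPTCHA v3
// siteverify response. Fails closed: anything missing or unexpected is rejected.
// $minScore = 0.5 is an assumed starting threshold; tune it per form.
function recaptchaDecision(array $verify, string $expectedAction, string $expectedHost, float $minScore = 0.5): array
{
    if (($verify['success'] ?? false) !== true) {
        $codes = implode(',', (array) ($verify['error-codes'] ?? ['unknown']));
        return ['accept' => false, 'reason' => "verification failed: $codes"];
    }
    // A token issued for another form (e.g. search) must not pass for signup.
    if (($verify['action'] ?? null) !== $expectedAction) {
        return ['accept' => false, 'reason' => 'action mismatch'];
    }
    // The token must have been issued on our own site.
    if (($verify['hostname'] ?? null) !== $expectedHost) {
        return ['accept' => false, 'reason' => 'hostname mismatch'];
    }
    $score = $verify['score'] ?? null;
    if (!is_float($score) && !is_int($score)) {
        return ['accept' => false, 'reason' => 'score missing'];
    }
    if ($score < $minScore) {
        return ['accept' => false, 'reason' => "score $score below $minScore"];
    }
    return ['accept' => true, 'reason' => 'ok'];
}

// In a Laravel controller or middleware, $verify would come from:
//   Http::asForm()->post('https://www.google.com/recaptcha/api/siteverify', [
//       'secret'   => config('services.recaptcha.secret'), // assumed config key
//       'response' => $request->input('recaptcha_token'),  // assumed field name
//   ])->json();

// Constructed sample responses (not real captures).
$samples = [
    'human signup'  => ['success' => true, 'score' => 0.9, 'action' => 'signup', 'hostname' => 'example.test'],
    'likely bot'    => ['success' => true, 'score' => 0.1, 'action' => 'signup', 'hostname' => 'example.test'],
    'wrong action'  => ['success' => true, 'score' => 0.9, 'action' => 'search', 'hostname' => 'example.test'],
    'invalid token' => ['success' => false, 'error-codes' => ['invalid-input-response']],
];
foreach ($samples as $label => $verify) {
    $d = recaptchaDecision($verify, 'signup', 'example.test');
    printf("%-14s %s (%s)\n", $label, $d['accept'] ? 'ACCEPT' : 'REJECT', $d['reason']);
}
```

Checking `action` and `hostname` as well as the score keeps a token obtained on one form or another site from being accepted on the sign-up form.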