CodeIgniter 4 Honeypot Tutorial | Security From Robots


When we build forms in a web application, we have to think about validation, protection from bots, invalid script input and so on. This article covers one such security feature built into CodeIgniter 4: the Honeypot class.

This article walks through the CodeIgniter 4 Honeypot feature. It is a security mechanism that rejects form requests submitted by bots.

We will cover it in depth, from its configuration to its complete usage.

Note*: This article was written against a CodeIgniter v4.1 setup. By the time you read it the version may have changed; CodeIgniter 4.x is still under active development.

Let’s get started.


Download & Install CodeIgniter 4 Setup

We need to download and install a CodeIgniter 4 application setup on the system. There are several ways to do this:

  • Manual Download
  • Composer Installation
  • Clone Github repository of CodeIgniter 4

For a complete introduction to CodeIgniter 4 basics, click here. After going through that article you can easily download and install the setup.

Here is the command to install via Composer:

$ composer create-project codeigniter4/appstarter codeigniter-4

From here on we assume the application has been installed successfully on your local system.


Setting Environment Variables

When we install CodeIgniter 4, there is an env file at the project root. To use environment variables, i.e. variables available at global scope, we need to copy env to .env.

Open the project in a terminal:

$ cp env .env

The command above creates a copy of the env file as .env. Now we are ready to use environment variables.

CodeIgniter starts up in production mode by default. Let's switch it to development mode so that any error is displayed while we work. In .env, find this line:

# CI_ENVIRONMENT = production

and change it to:

CI_ENVIRONMENT = development

The application is now in development mode.


What is Honeypot in CodeIgniter?

The Honeypot class makes it possible to detect when a bot submits a form in a CodeIgniter 4 project.

The feature is enabled through the /app/Config/Filters.php file of the CodeIgniter 4 application. Once enabled, it automatically attaches a hidden field to every form in the application.

This hidden field is not visible to users but is seen by bots. Whenever the field arrives with a non-empty value, the application throws a HoneypotException, which aborts the request made by the bot and protects the application from spam.


Honeypot Security Configuration

Go into the project setup and open /app/Config/Honeypot.php. It is a class file where the honeypot settings are configured.

Alternatively, the same settings can be configured in the .env file. Your setup should have an env file; to use it, rename it to .env by adding the leading dot.

Application Environment Settings

$ cp env .env

Open the .env file. Initially the honeypot lines look like this, prefixed with a # symbol. The # symbol means the line is commented out and not in use.

# honeypot.hidden = 'true'
# honeypot.label = 'Fill This Field'
# honeypot.name = 'honeypot'
# honeypot.template = '<label>{label}</label><input type="text" name="{name}" value=""/>'
# honeypot.container = '<div style="display:none">{template}</div>'

To use these settings in the application, remove the # symbol.

The same settings can be found inside /app/Config/Honeypot.php:

<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

class Honeypot extends BaseConfig
{
	/**
	 * Makes Honeypot visible or not to human
	 *
	 * @var boolean
	 */
	public $hidden = true;

	/**
	 * Honeypot Label Content
	 *
	 * @var string
	 */
	public $label = 'Fill This Field';

	/**
	 * Honeypot Field Name
	 *
	 * @var string
	 */
	public $name = 'honeypot';

	/**
	 * Honeypot HTML Template
	 *
	 * @var string
	 */
	public $template = '<label>{label}</label><input type="text" name="{name}" value=""/>';

	/**
	 * Honeypot container
	 *
	 * @var string
	 */
	public $container = '<div style="display:none">{template}</div>';
}

Enable Honeypot Feature in Application

To enable this security setting, open Filters.php in /app/Config.

There are two sections ($aliases and $globals) where honeypot is configured.

public $aliases = [
    'csrf'     => CSRF::class,
    'toolbar'  => DebugToolbar::class,
    'honeypot' => Honeypot::class,
];

This piece of code only loads the Honeypot filter class (use CodeIgniter\Filters\Honeypot) and gives it an alias for use across the application. It is the default class shipped with CodeIgniter 4.

The main focus is enabling the feature. To do that, we need to update the $globals variable; filters listed in $globals apply to the entire application.

public $globals = [
    'before' => [
        'honeypot',
        // 'csrf',
    ],
    'after' => [
        'toolbar',
        'honeypot',
    ],
];

We have removed the comment from honeypot. The application is now ready to use it.


Form Processing with Honeypot Template

Let's assume we have a form inside the application. I am considering a simple form with two inputs: a name and an email address.

<form action="<?= site_url('submit-data') ?>" method="post">
  <p>
     Name: <input type="text" name="name">
  </p>
  <p>
     Email: <input type="email" name="email">
  </p>
  <button type="submit">Submit</button>
</form>

Create a Route

Open /app/Config/Routes.php and add this piece of code to it. Note that a route closure is not bound to a controller, so the request is fetched from the service container rather than via $this:

$routes->post("submit-data", function () {
    // Dump all submitted form fields, including the injected honeypot field.
    print_r(service('request')->getVar());
});

Submitting form with Name & Email value

We can see a honeypot variable that we never defined in the HTML, yet it arrives in the request. This is because, when the Honeypot feature is enabled, it adds a hidden HTML input for this field:

<div style="display:none">
  <label>Fill This Field</label>
  <input type="text" name="honeypot" value="">
</div>

How Form Protected From Bots?

When end users submit a form, the honeypot field always arrives at the server with an empty value, because it is a hidden field that is not visible to end users and cannot be filled in.

But when the form is submitted by a bot, the bot processes this hidden field as well and gives it a value. Bots read the markup and submit every field they find to the server.

So, at the server, if the input field named honeypot carries any value, the form was submitted by a bot; the honeypot filter then throws an exception and aborts the request.
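To make the two halves of this mechanism concrete, here is an added stand-alone PHP script (not CodeIgniter's own filter code) that mimics what the Honeypot filter does in its after stage (injecting the hidden field) and its before stage (rejecting a filled field); the HoneypotDemo class and the sample submissions are constructed for this demonstration.

```php
<?php
// Added example (not CodeIgniter's own code): a stand-alone model of the two
// halves of the Honeypot filter. "after" injects the hidden field into every
// <form> in the response; "before" rejects a request whose hidden field is
// filled. Property defaults mirror app/Config/Honeypot.php; the sample
// submissions below are constructed for the demo.

class HoneypotDemo
{
    public $name      = 'honeypot';
    public $label     = 'Fill This Field';
    public $template  = '<label>{label}</label><input type="text" name="{name}" value=""/>';
    public $container = '<div style="display:none">{template}</div>';

    /** "after" filter: add the hidden field just before each closing </form>. */
    public function attach(string $html): string
    {
        $field = str_replace(['{label}', '{name}'], [$this->label, $this->name], $this->template);
        $field = str_replace('{template}', $field, $this->container);

        return str_ireplace('</form>', $field . '</form>', $html);
    }

    /** "before" filter: a non-empty value means something filled the invisible field. */
    public function hasContent(array $post): bool
    {
        return ! empty($post[$this->name]);
    }
}

$hp   = new HoneypotDemo();
$form = '<form action="/submit-data" method="post">Name: <input name="name"></form>';
echo $hp->attach($form), PHP_EOL;

// Constructed submissions: a browser leaves the hidden input empty, while a
// scraper that fills every field it finds does not.
$submissions = [
    'human' => ['name' => 'Ada', 'email' => 'ada@example.com', 'honeypot' => ''],
    'bot'   => ['name' => 'x',   'email' => 'x@example.com',   'honeypot' => 'http://spam.example'],
];

foreach ($submissions as $who => $post) {
    if ($hp->hasContent($post)) {
        // At this point CodeIgniter throws HoneypotException and the request ends.
        echo "{$who}: rejected, honeypot field was filled", PHP_EOL;
    } else {
        echo "{$who}: accepted", PHP_EOL;
    }
}
```

Running it prints the form with the hidden div appended before </form>, then "human: accepted" and "bot: rejected, honeypot field was filled".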

We hope this article helped you learn the CodeIgniter 4 Honeypot feature and how it protects forms from robots in detail.
