A honeypot is a deliberate decoy: a fake system, server or form field designed to look tempting to an attacker or bot, while doing nothing of real value. The whole point is misdirection. Anyone or anything that interacts with the honeypot has revealed itself, because a legitimate user would have no reason to touch it.

The most common everyday example is the spam trap on a contact form. You add a hidden field that real visitors never see, so they leave it blank, but automated bots fill in every field they detect. Any submission with that field completed is almost certainly a bot and gets thrown away. It is a quieter alternative to a CAPTCHA, because it asks nothing of real people. On a bigger scale, security teams run decoy servers to watch how attackers behave, which is the same instinct an ethical hacker studies from the other side.

A honeypot does not replace real defences. It is an early warning sign and a filter, not a wall, and it works best alongside rate limiting and proper access control. The decoy-server version is a favourite of security researchers. They stand up a fake database that looks juicy, then sit back and record every command an intruder types, learning new attack patterns without putting anything real on the line. The same idea, scaled down to a single hidden field, is what quietly keeps most contact forms free of junk.

At TopDevs we use honeypot fields on public forms to keep spam out without forcing puzzles on your visitors, and we treat any honeypot hit as a useful signal about who is poking at a client’s site.