Millions of (poorly coded) bots relentlessly crawl the web to detect and spew junk content into any form they find. The go-to countermeasure is to force everyone to complete a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). CAPTCHAs are those annoying user-hostile tests where you type in skewed letters or identify objects in photos. They require cultural familiarity, introduce accessibility barriers, and waste everyone’s time. Instead of using a CAPTCHA, you can detect and block many bot submissions using completely unobtrusive form validation methods.
The methods I’ll discuss in this article help identify whether the form was submitted via a standards-compatible modern web browser. They’re mini web standards compliance tests that don’t rely on the user doing anything but using a web browser of their choice. It won’t help (much) with forms submitted via browser automation, and they'll only delay bots written specifically to target your website.
Fortunately, the vast majority of comments are still submitted via scripted simpleton bots. They’re much faster and more economical than puppeteering a real web browser into spewing spam across the web.