KeSearch HoneyPot

Extension key: ke_search_honeypot
Package name: davidkohr/ke-search-honeypot
Version: main
Language: en
Author: David Kohr
License: This document is published under the Creative Commons BY 4.0 license.
Rendered: Mon, 08 Dec 2025 09:09:43 +0000

TYPO3

The content of this document is related to TYPO3 CMS, a GNU/GPL CMS/Framework available from typo3.org .

Table of Contents:

Introduction

What does it do?

KeSearch HoneyPot provides simple protection against spammers and bots in ke_search search queries.

A honeypot field is an invisible form field that is hidden from real users but visible to spam bots. If this field is filled out, the search request is rejected with a 403 Forbidden response.

Features

Simple honeypot field for ke_search forms via Fluid Partial
Automatic spam bot detection via PSR-15 Middleware
403 Forbidden response for spam attempts
Works out of the box - just install and add the partial to your template
Compatible with TYPO3 11 LTS, 12 LTS, 13 LTS and 14

Screenshots

The extension works silently in the background. There are no visible changes for legitimate users. Spam bots filling out the hidden honeypot field will receive a 403 Forbidden response.

Support

For issues, questions or feature requests please use the GitHub issue tracker.

Installation

Requirements

TYPO3 11.5 LTS, 12 LTS, 13 LTS or 14
PHP 8.1 or higher
ke_search extension (version 4.0 or higher)

Installation with Composer

The recommended way to install the extension is via Composer:

composer require davidkohr/ke-search-honeypot

Installation via Extension Manager

Go to the Extension Manager in the TYPO3 Backend
Search for "ke_search_honeypot"
Click on "Install"

Activation

After installation:

Clear all TYPO3 caches
Add the honeypot partial to your ke_search form template
Configure the RouteEnhancer (see below)

Quick Start

1. Add Partial to Template

Edit your ke_search form template and add:

<f:render partial="honeypot" />

Example complete search form:

<f:form name="searchForm" method="get" 
        pageUid="{searchPage}" 
        id="kesearch-form">
    
    <f:form.textfield 
        name="tx_kesearch_pi1[sword]" 
        value="{searchParams.sword}" 
        placeholder="Suchbegriff eingeben..." />
    
    <f:render partial="honeypot" />
    
    <f:form.submit value="Suchen" />
</f:form>

2. Configure RouteEnhancer

Add to config/sites/<your-site>/config.yaml:

routeEnhancers:
  KeSearch:
    type: Plugin
    namespace: tx_kesearch_pi1
    routePath: '/{sortByField}/{sortByDir}/{resetFilters}/{page}/{sword}/{__hp}'
    _arguments:
      sortByField: sortByField
      sortByDir: sortByDir
      resetFilters: resetFilters
      page: page
      sword: sword
    defaults:
      __hp: ''
      sortByField: ''
      sortByDir: ''
      resetFilters: ''
      page: '0'
      sword: ''

3. Clear Caches

# Clear all caches
vendor/bin/typo3 cache:flush

# Or in Backend: Admin Tools > Maintenance > Flush TYPO3 and PHP Cache

4. Test

Search for a term on your search page
Check that the URL contains the empty honeypot parameter: /search/.../searchterm//
Navigate through result pages - URLs should maintain the // at the end

Example:

<form action="..." method="post">
    <input type="text" name="tx_kesearch_pi1[sword]" />
    <input type="hidden" name="tx_kesearch_pi1[page]" value="{page}" />
    
    <f:render partial="honeypot" />
    
    <button type="submit">Search</button>
</form>

That's it! The honeypot field is now active.

Verification

To verify the installation is working:

View the source code of a page with your search form
Look for an input field named tx_kesearch_pi1[__hp]
This field should be positioned off-screen (margin-left: -99999px)

The middleware will automatically reject any search request where this field contains a value.

Configuration

TypoScript Configuration

The extension registers a Fluid Partial path for ke_search:

plugin.tx_kesearch_pi1 {
    view {
        partialRootPaths {
            1000 = EXT:ke_search_honeypot/Resources/Private/Partials/
        }
    }
}

This makes the honeypot partial available in your ke_search templates.

Template Integration

Add the partial to your search form template:

<f:render partial="honeypot" />

The partial renders:

<div style="margin-left: -99999px; position: absolute;">
    <label for="kesearch_hp">Diese Feld nicht ausfüllen!</label>
    <input autocomplete="new-kesearch-hp" tabindex="-1" 
           type="text" name="tx_kesearch_pi1[__hp]" value="" />
</div>

Middleware

The extension uses a PSR-15 middleware to check search requests.

The middleware checks if:

A ke_search form was submitted (tx_kesearch_pi1 parameter exists)
A search term was entered (tx_kesearch_pi1[sword] parameter exists)
The honeypot field (tx_kesearch_pi1[__hp]) is missing or filled

If a bot fills the honeypot field, the request is rejected with 403 Forbidden.

The middleware is automatically registered in Configuration/RequestMiddlewares.php - no manual configuration needed.

RouteEnhancer Configuration

Important: To ensure the honeypot field is included in all ke_search URLs, you must add __hp to your RouteEnhancer configuration.

Add this to your site configuration (config/sites/<identifier>/config.yaml):

routeEnhancers:
  KeSearch:
    type: Plugin
    namespace: tx_kesearch_pi1
    routePath: '/{sortByField}/{sortByDir}/{resetFilters}/{page}/{sword}/{__hp}'
    _arguments:
      sortByField: sortByField
      sortByDir: sortByDir
      resetFilters: resetFilters
      page: page
      sword: sword
    defaults:
      __hp: ''
      sortByField: ''
      sortByDir: ''
      resetFilters: ''
      page: '0'
      sword: ''

Why is this necessary?

The RouteEnhancer ensures that:

The __hp parameter is always present in search result URLs
Pagination and sorting links automatically include the empty honeypot field
Bots that follow links can be detected if they fill the field

Without this configuration, the honeypot validation may fail on result pages.

Note: This configuration will create URLs with a trailing slash (e.g., /search/score/desc/0/1/searchterm//). This is expected behavior and ensures maximum bot protection.

Customization

Custom Honeypot Field Name

If you want to use a different field name, override the partial in your own extension or template:

<!-- Your own Partials/honeypot.html -->
<div style="margin-left: -99999px; position: absolute;">
    <input type="text" name="tx_kesearch_pi1[my_custom_field]" value="" />
</div>

Then update the middleware check accordingly.

Custom Styling

The default partial uses position: absolute with negative margin. You can override this with your own CSS or by creating a custom partial.

Note: Don't use display: none as some bots detect this. Use positioning off-screen instead.

Known Problems

Browser Auto-fill

Some browser extensions or password managers might auto-fill the honeypot field. This is rare but can cause legitimate users to be blocked.

Solution: Ensure the honeypot field has attributes that prevent auto-fill:

autocomplete="off"
tabindex="-1"

These are already included in the default TypoScript configuration.

Accessibility

Screen readers might announce the honeypot field if not properly hidden.

Solution: The default implementation uses both CSS and ARIA attributes:

aria-hidden="true"
style="position: absolute; left: -9999px;"

This ensures the field is hidden from both visual users and assistive technologies.

Compatibility Issues

No known compatibility issues with other TYPO3 extensions.

If you encounter issues with other extensions, please report them on the GitHub issue tracker.

Reporting Issues

Please report bugs and issues on GitHub: https://github.com/davidkohr/ke_search_honeypot/issues

When reporting issues, please include:

TYPO3 version
PHP version
ke_search version
ke_search_honeypot version
Steps to reproduce the issue
Error messages or logs