Honeypot field on public forms + rate limit on the join form
Improvement
Week of May 28, 2026
Cleaning up the spam protection on the two public-facing forms.
- Message form (advocate page) — replaced the session-based captcha with a simple CSS-hidden honeypot field. Naive scrapers fill every input and trip it; the server returns 200 silently so they don’t learn what caught them. Real users are unaffected.
- Application form (/join) — added the same honeypot field, plus a 3-attempt-per-hour-per-IP rate limit. The previous form had no protection at all.
- Removed the AuthenticatedHoneypotBypass workaround that the old captcha required — the honeypot doesn’t have the same false-positive problem.
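The two checks described above, modelled in plain Ruby so they run without Rails. This is an added example, not the project's own code: the honeypot field name (`website`), the sliding-window counter, the injectable clock, and the 429 response for rate-limited requests are all assumptions made for the illustration; the page only states that a tripped honeypot gets a silent 200.

```ruby
# Added example (not the project's code). Models the changelog's two checks:
#  - a CSS-hidden honeypot field that must arrive empty (silent 200 when tripped)
#  - a 3-attempts-per-hour-per-IP rate limit on the join form
# Field name, window size and the 429 for rate-limited requests are assumptions.

HONEYPOT_FIELD = 'website'   # assumed name; hidden via CSS in the real form
MAX_ATTEMPTS   = 3
WINDOW_SECONDS = 3600

THANKS = 'Thanks, we got your message.'

# Humans never see the hidden field, so any non-blank value means the
# client filled every input it found, i.e. an automated submission.
def honeypot_tripped?(params, field = HONEYPOT_FIELD)
  value = params[field]
  !(value.nil? || value.to_s.strip.empty?)
end

# Sliding-window counter keyed by client IP. The clock is injectable so the
# one-hour window can be exercised deterministically in a test.
class RateLimiter
  def initialize(max: MAX_ATTEMPTS, window: WINDOW_SECONDS, clock: -> { Time.now })
    @max, @window, @clock = max, window, clock
    @attempts = Hash.new { |h, k| h[k] = [] }
  end

  # Records an attempt for `ip` and returns true if it is still within the limit.
  def allow?(ip)
    now = @clock.call
    list = @attempts[ip]
    list.reject! { |t| now - t >= @window }   # drop timestamps outside the window
    return false if list.size >= @max
    list << now
    true
  end
end

# Outcome of one form POST. `accepted` is server-side only; the response
# body for a tripped honeypot is identical to the success body on purpose.
Result = Struct.new(:status, :body, :accepted)

def handle_submission(params, ip:, limiter:, log: [])
  # Every POST counts toward the per-IP limit, including bot-like ones.
  unless limiter.allow?(ip)
    log << "rate limited ip=#{ip}"
    return Result.new(429, 'Too many requests', false)   # assumed response
  end

  if honeypot_tripped?(params)
    log << "honeypot tripped ip=#{ip}"
    return Result.new(200, THANKS, false)   # silent 200, nothing learned by the client
  end

  # Real processing (persist / notify) would go here.
  Result.new(200, THANKS, true)
end
```

Rails' built-in CSRF check is unchanged by either addition; in a real controller these two checks run after it, before any record is created.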
CSRF protection remains in place as Rails’ default for both forms.
No admin action required.