Form & Spam Protection
Public-facing forms are the most common entry point for attacks. Pragma CMS includes three layers of defense.
CSRF Token Validation
Every form generated by the FormBuilder or the FormManager automatically includes a hidden CSRF token.
PHP
// Internal check during POST: reject a missing token, and compare in constant time
if (empty($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'] ?? '', $_POST['csrf_token'])) {
    displayError('Invalid CSRF token', statusCode: 403, asJson: true);
    exit;
}
Honeypot Technique
Pragma CMS can inject invisible fields into forms. If a bot fills out these fields (which are hidden from humans), the submission is silently discarded.
GET:
HTML
<input type="hidden" name="honeypot" autocomplete="off">
POST:
PHP
if (!empty($postData['honeypot'])) {
    // Simulate success to mislead bots
    echo json_encode(['success' => true, 'message' => 'Sent.']);
    // Log a potential spam attempt (optional but recommended)
    logError(
        "Honeypot triggered, possible spam detected from IP address: " . $_SERVER['REMOTE_ADDR'],
        forUser: true
    );
    exit;
}
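The two checks above shown end to end, as an added example that is not Pragma CMS code: the token is generated per session on GET, embedded next to the honeypot field, and both are validated on POST in the order the page describes. The function names issueCsrfToken(), renderContactForm() and handlePost() are hypothetical; displayError() and logError() are assumed to exist as used on this page.

```php
<?php
// Added example, not Pragma CMS code. Assumes displayError() and logError()
// exist with the signatures used in the snippets above.
declare(strict_types=1);

session_start();

// Issue one token per session: 32 random bytes -> 64 hex characters.
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// GET: render the form with the CSRF token and the honeypot field.
function renderContactForm(): string
{
    $token = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/contact">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="hidden" name="honeypot" autocomplete="off">'
        . '<textarea name="message" required></textarea>'
        . '<button type="submit">Send</button>'
        . '</form>';
}

// POST: validate the token before reading any other input, then discard
// honeypot hits with a fake success so a bot learns nothing from the reply.
function handlePost(array $post): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if (empty($post['csrf_token']) || !hash_equals($expected, (string) $post['csrf_token'])) {
        displayError('Invalid CSRF token', statusCode: 403, asJson: true);
        exit;
    }
    if (!empty($post['honeypot'])) {
        echo json_encode(['success' => true, 'message' => 'Sent.']);
        logError("Honeypot triggered, possible spam detected from IP address: " . $_SERVER['REMOTE_ADDR'], forUser: true);
        exit;
    }
    // Both checks passed: process the genuine submission here.
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handlePost($_POST);
} else {
    echo renderContactForm();
}
```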
Human Verification (reCAPTCHA)
Pragma CMS integrates Google reCAPTCHA v3 to protect forms from automated submissions while preserving user experience.
When enabled in the Admin settings, all public forms (using renderForm()) are automatically validated server-side using the configured reCAPTCHA keys.
If verification fails, the submission is rejected and logged as a potential spam attempt.