I'd like to know if in Symfony2, apart from the default CSRF hidden field, you would add other security measures to your forms for an average website.
I assume forms are made with the formbuilder and no captcha is shown to the user by default.
I took some advice from http://nedbatchelder.com/text/stopbots.html and https://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/How_to_implement_a_SPAM_control_countermeasure_that_remains_accessible_using_the_Stanford_Web_Application_Toolkit
1) Would you add a hidden field whose value is base64_decode & base64_encode of a timestamp/datetime + salt?
Hence, you could limit the time bracket to send the form between [ 3 seconds ; 1 day ] with a validation constraint.
This would annoy both playback bots and form-filling bots.
2) Would you add a text field that you hide with CSS (honeypot) so that bots fill it in when submitting the form? Then create a validation constraint so that if the field is not empty the form submission is not valid (and maybe log the IP and user agent in your database if further action is required).
This would annoy form-filling bots.
3) Randomize field names and ids so that playback bots cannot send forms without reloading the website page. (Though I have not yet tested whether random names bring problems with the form builder.)
This would annoy playback bots.
4) Any other idea?
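As an added example (not code from the question's author or from Symfony), here is a framework-independent PHP implementation of the three measures proposed above: the timed hidden field (1), the honeypot (2) and per-session randomised field names (3). Instead of plain base64 of timestamp + salt, which anyone can decode and re-encode, the token is an HMAC-signed timestamp so that the server can reject forged or altered values. It assumes PHP 7.1+, an application secret (`$secret`) and a per-session random value (`$sessionSecret`) that the application already keeps; the logical field names `_form_ts` and `website` and the helper names are choices made here. Wiring the checks into a Symfony form type (for example as a `Callback` constraint) is left to the reader.

```php
<?php
// Added example; not the question author's code nor Symfony's own.
// Assumptions: PHP 7.1+, $secret and $sessionSecret are kept server-side,
// field names and helper names below are illustrative choices.

const MIN_SECONDS = 3;      // faster than this is almost certainly a bot
const MAX_SECONDS = 86400;  // 1 day, the upper bound from the question

// 1) Token for the hidden field: timestamp plus an HMAC over it, so the
//    value cannot be forged or moved without the server noticing.
function makeFormToken(string $secret, int $issuedAt): string
{
    $payload = (string) $issuedAt;
    return base64_encode($payload . '|' . hash_hmac('sha256', $payload, $secret));
}

// 3) Deterministic per-session field name: the server recomputes it from the
//    logical name, so nothing has to be stored, while a replayed request from
//    another session carries names the server does not expect.
function fieldName(string $sessionSecret, string $logicalName): string
{
    return 'f_' . substr(hash_hmac('sha256', $logicalName, $sessionSecret), 0, 12);
}

// Returns null when the submission passes, otherwise a short reason that can
// be logged together with the client IP and user agent.
function checkSubmission(array $post, string $secret, string $sessionSecret, int $now): ?string
{
    // 2) Honeypot: hidden from humans, so any content means a bot filled it.
    $honeypot = fieldName($sessionSecret, 'website');
    if (!empty($post[$honeypot])) {
        return 'honeypot filled';
    }

    // 1) Timestamp token: present, well-formed, correctly signed, within range.
    $tokenField = fieldName($sessionSecret, '_form_ts');
    $raw = base64_decode($post[$tokenField] ?? '', true);
    if ($raw === false || strpos($raw, '|') === false) {
        return 'token missing or malformed';
    }
    [$payload, $mac] = explode('|', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return 'token signature invalid';
    }
    $age = $now - (int) $payload;
    if ($age < MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > MAX_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Markup for the two extra fields, to be placed inside the real form.
function renderAntiBotFields(string $secret, string $sessionSecret, int $now): string
{
    $ts    = htmlspecialchars(fieldName($sessionSecret, '_form_ts'), ENT_QUOTES);
    $hp    = htmlspecialchars(fieldName($sessionSecret, 'website'), ENT_QUOTES);
    $token = htmlspecialchars(makeFormToken($secret, $now), ENT_QUOTES);
    return "<input type=\"hidden\" name=\"$ts\" value=\"$token\">\n"
         . "<div style=\"display:none\"><label>Leave this field empty "
         . "<input type=\"text\" name=\"$hp\" autocomplete=\"off\"></label></div>\n";
}

// --- demo with constructed values ---
$secret        = 'app-level-secret-from-config';  // constructed sample value
$sessionSecret = 'random-per-session-value';      // constructed sample value
$issued        = time();
echo renderAntiBotFields($secret, $sessionSecret, $issued);

$human = [
    fieldName($sessionSecret, '_form_ts') => makeFormToken($secret, $issued),
    fieldName($sessionSecret, 'website')  => '',
];
var_dump(checkSubmission($human, $secret, $sessionSecret, $issued + 1));   // too fast
var_dump(checkSubmission($human, $secret, $sessionSecret, $issued + 10));  // accepted

$bot = $human;
$bot[fieldName($sessionSecret, 'website')] = 'http://spam.example';
var_dump(checkSubmission($bot, $secret, $sessionSecret, $issued + 10));    // honeypot
```

Two design notes: the honeypot here uses `display:none`, which screen readers also skip, but the Stanford page linked above favours keeping the field reachable with a clear label so that assistive technology users are not locked out; and the token as written is valid for any client for a day, so if replay from other hosts matters, include `$sessionSecret` in the HMAC input so the token is bound to the session that rendered the form.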