-
When a honeypot only exists in Python
I was tightening the Stafford Camera Club join form after a new spam example got through. The interesting part was not just the missing bare-domain filter. The form class already had a honeypot field and tests for it, but the template never rendered the hidden input, so normal page-submitting bots could not trip it.
The lesson is simple: anti-spam controls need an end-to-end check, not just a form-level unit test. If the defence depends on markup, assert the markup exists or test through the rendered page path.