Missbrauchsschutz

Naive bots fill every form field they see. The hidden bookmark field is invisible to humans (screen readers included), so any non-empty value is a high-confidence signal of automation. Field names like website, url, and homepage appear in solver blocklists, so we use an innocuous name that does not pattern-match. Rotate the constant if a particular form starts seeing zero blocks.

Bots submit forms in milliseconds; humans take seconds to read, type, and click. Submissions faster than the minimum are silently rejected as bot traffic — same response shape as a successful submit, so probing doesn't surface the threshold.

• Public feedback form src/routes/(public)/feedback/+page.server.ts

Auth flows use ALTCHA instead — the honeypot is reserved for unauthenticated form posts where adding a captcha widget would add too much friction.