A honeypot is a hidden trap embedded in a web page that is invisible to real human visitors but accessible to automated crawlers. The most common form is a link or form field that is hidden via CSS (`display: none` or `visibility: hidden`) — a human user never sees it and never clicks it, but a scraper that indiscriminately follows all links or fills all form fields will trigger it.
When a request arrives for the honeypot URL, or the honeypot form field is submitted with a value, the server flags the originating IP or session as a bot and may ban it, throttle it, or deliver degraded responses. Some implementations log the fingerprint of the bot and share it with threat intelligence networks.
Honeypots appear in various forms: invisible pagination links beyond the real last page, hidden input fields in contact forms (legitimate form submitters leave them empty; spam bots fill them), CSS-hidden navigation links, and programmatically generated URLs not discoverable through sitemaps or visible link traversal. A scraper operating a headless browser in the same manner as a real user — not injecting JavaScript to reveal hidden elements, only clicking visually present elements — avoids most honeypot traps.