The join form (layouts/partials/join.html:124) uses a hidden input field with a hardcoded value as spam prevention:
<input type="hidden" id="password" name="entry.508430148" value="hunter2" />
This value is visible in page source and provides no meaningful spam protection -- any bot that reads the HTML will submit the correct value.
Recommended fix
Replace with a CSS-hidden honeypot field. Bots fill in all fields (including hidden ones), while real users never see or interact with them:
<!-- Honeypot: hidden via CSS, bots fill it in, reject submissions where it has a value -->
<div style="position: absolute; left: -9999px;" aria-hidden="true">
<input type="text" name="entry.508430148" tabindex="-1" autocomplete="off" />
</div>
Then on the receiving end (Google Form or processing logic), reject submissions where this field is non-empty.
Alternatively, consider adding a CAPTCHA (e.g., hCaptcha or reCAPTCHA) if spam volume is significant.
The join form (
layouts/partials/join.html:124) uses a hidden input field with a hardcoded value as spam prevention:This value is visible in page source and provides no meaningful spam protection -- any bot that reads the HTML will submit the correct value.
Recommended fix
Replace with a CSS-hidden honeypot field. Bots fill in all fields (including hidden ones), while real users never see or interact with them:
Then on the receiving end (Google Form or processing logic), reject submissions where this field is non-empty.
Alternatively, consider adding a CAPTCHA (e.g., hCaptcha or reCAPTCHA) if spam volume is significant.