========
Security
========

Pancake employs a handful of security measures to help prevent bot-based exploits and spam submissions. Each security measure displays a validation error message upon failure, allowing a legitimate user to correct any accidental flags.

CSRF protection
===============

To protect against cross-site request forgery (CSRF), Pancake sets a token in the PHP session and then saves this value as a hidden ``<input>`` in the form. When a form is submitted, Pancake checks that the value stored in the PHP session and the value stored in the hidden ``<input>`` match exactly. This protection helps to ensure that a form is submitted from the intended page and not a third-party website.

Honeypot protection
===================

To protect against spam bots, Pancake creates a field hidden to users. Since most spam bots attempt to inject a value into every form field to avoid validation issues, any value inserted into this field will flag the form as spam.

The ``
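
The session-token check and the honeypot check described above, sketched in PHP as an added example (this is not Pancake's own code). The field names ``csrf_token`` and ``website`` and all function names are assumptions, and plain arrays stand in for ``$_SESSION`` and ``$_POST``.

```php
<?php
declare(strict_types=1);

// Hypothetical field names; Pancake's real names are not given on this page.
const CSRF_FIELD = 'csrf_token';
const HONEYPOT_FIELD = 'website';

/** Store a fresh random token in the session and return the hidden field markup. */
function csrf_field(array &$session): string
{
    $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    return sprintf('<input type="hidden" name="%s" value="%s">', CSRF_FIELD, $session[CSRF_FIELD]);
}

/** Markup for a field that real users never see or fill in. */
function honeypot_field(): string
{
    return sprintf(
        '<input type="text" name="%s" value="" style="display:none" tabindex="-1" autocomplete="off">',
        HONEYPOT_FIELD
    );
}

/** Return validation error messages; an empty array means the submission passed. */
function validate_submission(array $session, array $post): array
{
    $errors = [];
    $expected = $session[CSRF_FIELD] ?? null;
    $submitted = $post[CSRF_FIELD] ?? null;
    // Both sides must be strings (array-valued fields are rejected) and match exactly.
    // hash_equals() is an exact comparison that also runs in constant time.
    if (!is_string($expected) || $expected === '' || !is_string($submitted)
        || !hash_equals($expected, $submitted)) {
        $errors[] = 'Form token mismatch. Reload the page and submit again.';
    }
    // Any value at all in the hidden field flags the submission as spam.
    $trap = $post[HONEYPOT_FIELD] ?? '';
    if (!is_string($trap) || $trap !== '') {
        $errors[] = 'Leave the hidden field empty.';
    }
    return $errors;
}

// Constructed sample data: a legitimate post and a bot post that fills every field.
$session = [];
csrf_field($session);
$legit = [CSRF_FIELD => $session[CSRF_FIELD], HONEYPOT_FIELD => ''];
$bot   = [CSRF_FIELD => 'guessed', HONEYPOT_FIELD => 'http://spam.example'];
var_dump(validate_submission($session, $legit));
var_dump(validate_submission($session, $bot));
```

Returning messages instead of silently dropping the post matches the behaviour described at the top of this page: a legitimate user who trips a check can see why and resubmit.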