Pancake employs a handful of security measures to help prevent bot-based exploits and spam submissions. Each security measure displays a validation error message upon failure, allowing a legitimate user to correct any accidental flags.
To protect against cross-site request forgery (CSRF), Pancake sets a token in the PHP session and then saves this value as a hidden <input> in the form. When a form is submitted, Pancake checks that the value stored in the PHP session and the value stored in the hidden <input> match exactly; a submission that lacks the token, or whose token differs, fails validation. Because the token lives in the user's session, a third-party website cannot read it to include in a forged request, so this protection helps to ensure that a form is submitted from the intended page and not from another site.
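The pattern described above, as an added example written for this page rather than Pancake's own implementation. The session key, the hidden field name `csrf_token`, and the 32-byte token size are assumptions; the comparison uses `hash_equals` so that an "exact match" check is also a constant-time one:

```php
<?php
// Added example of session-bound CSRF tokens; not Pancake's code.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token'; // assumed session key name
const CSRF_FIELD_NAME  = 'csrf_token'; // assumed hidden <input> name

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Return the session's token, generating an unpredictable one on first use. */
function csrfToken(): string
{
    ensureSession();
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // random_bytes is CSPRNG-backed; a guessable token defeats the scheme.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** HTML for the hidden <input> that carries the token back on submit. */
function csrfHiddenInput(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only when the submitted token exactly equals the session token. */
function csrfVerify(array $post): bool
{
    ensureSession();
    $expected  = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD_NAME] ?? '';

    // Missing token, non-string input (e.g. an array injected via name[]), or
    // no token in the session at all: reject rather than compare.
    if (!is_string($submitted) || $expected === '' || $submitted === '') {
        return false;
    }
    // hash_equals compares in constant time and never falls back to loose ==.
    return hash_equals($expected, $submitted);
}

// Usage in a form renderer:
//   echo '<form method="post">' . csrfHiddenInput() . ' ...fields... </form>';
// Usage on submit, surfacing a validation error the user can recover from:
//   if (!csrfVerify($_POST)) {
//       $errors[] = 'Your form session expired or the token did not match; please resubmit.';
//   }
```

The token is generated once per session rather than per request, which matches the "set a token in the PHP session" description and keeps a user with two open tabs from invalidating one form by submitting the other.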
To protect against spam bots, Pancake creates a field that is visually hidden from users. Since most spam bots attempt to inject a value into every form field to avoid validation issues, any value inserted into this field will flag the form as spam. The <label> text is written to warn any non-visual users, whose screen readers will be unaware the field is hidden, against writing anything in the field.
Since textarea fields are often targets for link spam, the validator :php:class:`HasLinkCount` is applied to every single textarea field. Any textarea with more than ten (10) links is flagged as spam.
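The honeypot field and the per-textarea link limit, as one added example written for this page; it is not Pancake's own code and does not reproduce its :php:class:`HasLinkCount` implementation. The honeypot field name, the CSS used to hide it, the label wording, and the regular expression that defines what counts as a "link" (http(s) URLs, bare `www.` hosts, and `[url]` BBCode tags) are all assumptions:

```php
<?php
// Added example of honeypot + link-count spam checks; not Pancake's code.
declare(strict_types=1);

const HONEYPOT_FIELD = 'website_url'; // assumed field name
const MAX_LINKS      = 10;            // "more than ten links" is flagged

/** Render the honeypot: hidden by CSS so screen readers still see the label's warning. */
function honeypotHtml(): string
{
    return '<div style="position:absolute;left:-9999px" aria-hidden="false">'
        . '<label for="' . HONEYPOT_FIELD . '">Leave this field empty; it is used to catch spam.</label>'
        . '<input type="text" id="' . HONEYPOT_FIELD . '" name="' . HONEYPOT_FIELD
        . '" tabindex="-1" autocomplete="off" value="">'
        . '</div>';
}

/** Count links in a block of text (assumed definition of "link"). */
function countLinks(string $text): int
{
    $pattern = '~(?:https?://|www\.)[^\s<>"\']+|\[url(?:=[^\]]*)?\]~i';
    $matches = preg_match_all($pattern, $text, $m);
    return $matches === false ? 0 : $matches;
}

/** Equivalent of a HasLinkCount-style validator: passes when count <= $max. */
function hasLinkCount(string $text, int $max = MAX_LINKS): bool
{
    return countLinks($text) <= $max;
}

/**
 * Run both spam checks over a submission. Returns field => error message, so the
 * caller can show validation errors and let a legitimate user correct them.
 */
function spamErrors(array $post, array $textareaFields): array
{
    $errors = [];

    // Honeypot: any non-empty value, or a non-string (array) value, is a bot signature.
    $trap = $post[HONEYPOT_FIELD] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        $errors[HONEYPOT_FIELD] = 'This field must be left empty.';
    }

    // Link limit, applied to every textarea field the form declares.
    foreach ($textareaFields as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $errors[$field] = 'Invalid value.';
            continue;
        }
        if (!hasLinkCount($value)) {
            $errors[$field] = sprintf(
                'Too many links (%d); at most %d are allowed.',
                countLinks($value),
                MAX_LINKS
            );
        }
    }
    return $errors;
}

// Constructed sample submission: eleven links in the textarea and a filled honeypot.
$sample = [
    'name'          => 'Alice',
    'message'       => str_repeat("see http://example.com/a ", 11),
    'website_url'   => 'http://spam.example',
];
print_r(spamErrors($sample, ['message']));
// Both checks fire: an entry for 'website_url' and one for 'message' (11 > 10).
```

The hidden wrapper deliberately does not use `type="hidden"` or `display:none`; both would hide the field from assistive technology too, which is exactly why the label text has to carry the warning.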