D4 · Operations

What is a web honeypot?

A web honeypot places decoy files, directories, or form fields in web applications — detecting automated scanners, crawlers, and attackers via requests to non-existent resources that no legitimate user would visit.
Honeytokens in web apps include hidden form fields, comments containing fake credentials, and robots.txt honeypot entries. Any access is suspicious. The false positive rate is low because legitimate users never touch honeypots by definition.