CSSWAF places some honeypot
empty.giffiles in HTML<img>tags but instructs the browser not to load them.
If someone loads the honeypot GIFs, 🙅.
CSSWAF also places some invisible<a>tags in HTML, if someone clicks the honeypot links, 🙅.
— A CSS-based NoJS Anti-BOT WAF (Proof of Concept)
Clever idea!
How long till bots be trained to know it’s a hidden link, though?