Symfony2 guidelines for forms

I would like to know whether, in Symfony2, in addition to the default hidden CSRF field, you would add other security measures to your forms for the average website.

I assume that the forms are created using the form builder, and that by default the user interface is not displayed.

I took some advice from http://nedbatchelder.com/text/stopbots.html as well as https://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/How_to_implement_a_SPAM_control_countermeasure_that_remains_accessible_using_the_ta_an_a_Web_Accessible_the_Stock

1) Do you add a hidden field whose value is base64_encode / base64_decode of a timestamp / datetime + salt?

That way you can limit the time window for submitting the form to [3 seconds; 1 day] with a check on those limits.

This would annoy both replay bots and form-filling bots.

2) Do you add a text box that you hide using CSS (honeypot) so that bots fill it when submitting the form? Then create a validation constraint so that if the field is not empty, the form submission is invalid (and maybe log the IP and user agent to your database if further action is required).

This will annoy form-filling bots.

3) Randomize field names and identifiers so that replay bots cannot submit forms without reloading the website page. (Although I haven't tested yet whether random names cause problems with the form builder.)

This will annoy replay bots.

4) ?

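The three measures from points 1) to 3) fit into a single Symfony 2.x form type. The block below is an added example, not code from the original post, and it deliberately departs from the post on one point: the hidden timestamp is protected with an HMAC under the kernel secret instead of plain base64 with a salt, because base64 is reversible and a bot that sees one value can mint its own. It assumes Symfony 2.5 or later (the `Symfony\Component\Validator\Context` namespace) and PHP 5.6 or later (`hash_equals`); the bundle namespace, field names and messages are illustrative.

```php
<?php
// Added example, not from the original post. Assumes Symfony >= 2.5 and PHP >= 5.6;
// namespace, field names and messages are illustrative.

namespace AppBundle\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Validator\Constraints\Blank;
use Symfony\Component\Validator\Constraints\Callback;
use Symfony\Component\Validator\Context\ExecutionContextInterface;

class ContactType extends AbstractType
{
    const MIN_AGE = 3;      // seconds: faster than a human can fill the form
    const MAX_AGE = 86400;  // seconds: one day, after that the page must be reloaded

    private $secret;        // kernel.secret, so the timestamp cannot be forged
    private $honeypotName;  // per-session field name, so a recorded POST does not replay

    public function __construct($secret, $sessionId)
    {
        $this->secret = $secret;
        // 3) Randomised field name: stable within one session (render and submit must
        //    agree), different across sessions, and not guessable without the secret.
        $this->honeypotName = 'f_' . substr(hash_hmac('sha256', 'honeypot|' . $sessionId, $secret), 0, 12);
    }

    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder
            ->add('email', 'email')
            ->add('message', 'textarea')
            // 1) Signed timestamp; the default CSRF token stays enabled alongside it.
            ->add('_t', 'hidden', array(
                'mapped'      => false,
                'data'        => $this->signTimestamp(time()),
                'constraints' => new Callback(array('callback' => array($this, 'validateTimestamp'))),
            ))
            // 2) Honeypot: hidden with CSS, must come back empty.
            ->add($this->honeypotName, 'text', array(
                'mapped'      => false,
                'required'    => false,
                'attr'        => array('style' => 'display:none', 'tabindex' => '-1', 'autocomplete' => 'off'),
                'constraints' => new Blank(array('message' => 'Spam detected.')),
            ));
    }

    public function getName()
    {
        return 'contact';
    }

    /** Callback constraint: rejects tampered, too-fast and expired submissions. */
    public function validateTimestamp($value, ExecutionContextInterface $context)
    {
        $age = $this->ageOf($value);
        if ($age === false) {
            $context->addViolation('Invalid form token.');
        } elseif ($age < self::MIN_AGE) {
            $context->addViolation('Form submitted too quickly.');
        } elseif ($age > self::MAX_AGE) {
            $context->addViolation('Form expired, please reload the page.');
        }
    }

    /** base64("<unix time>|<hmac-sha256 of the time under the secret>"). */
    private function signTimestamp($ts)
    {
        return base64_encode($ts . '|' . hash_hmac('sha256', (string) $ts, $this->secret));
    }

    /** Returns the age in seconds, or false if the value is malformed or the MAC is wrong. */
    private function ageOf($value)
    {
        $decoded = base64_decode((string) $value, true);
        if ($decoded === false || strpos($decoded, '|') === false) {
            return false;
        }
        list($ts, $mac) = explode('|', $decoded, 2);
        // constant-time comparison so the MAC cannot be guessed byte by byte
        if (!ctype_digit($ts) || !hash_equals(hash_hmac('sha256', $ts, $this->secret), $mac)) {
            return false;
        }
        return time() - (int) $ts;
    }
}

// Controller side (assumed usage):
//   $form = $this->createForm(
//       new ContactType($this->container->getParameter('kernel.secret'), $request->getSession()->getId())
//   );
//   $form->handleRequest($request);
//   if ($form->isValid()) { ... }
```

Two practical notes. The `attr` style only hides the input itself; `form_row` would still print the label, so render the honeypot row inside an element your stylesheet hides, and keep `tabindex="-1"` so screen-reader and keyboard users are not sent into it. The per-session name is derived from the session id rather than drawn at random on every request because the form builder needs the same child name when it renders the form and when it handles the POST; a fresh random name per request would have to be stored in the session between the two.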

access_control in app/config/security.yml. , , ( / ) (http/https)

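The answer above points at `access_control` in `app/config/security.yml`, whose `requires_channel` option is what forces a form to be served and submitted over HTTPS. The fragment below is an added example, not the answer's own configuration; the paths and roles are illustrative.

```yaml
# app/config/security.yml (added example; paths and roles are illustrative)
security:
    access_control:
        # Rules are evaluated top-down and only the first match applies,
        # so the more specific path has to come before the broader one.
        - { path: ^/contact/send, methods: [POST], roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/contact, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/login,   roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/admin,   roles: ROLE_ADMIN,                   requires_channel: https }
```

A request that matches a rule with `requires_channel: https` but arrives over plain HTTP is redirected to the HTTPS URL before any controller runs, so the CSRF token and the form contents are never sent in clear. Because matching stops at the first hit, a broad `^/contact` rule placed above `^/contact/send` would shadow the method-specific one entirely.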

Source: https://habr.com/ru/post/1539290/

