
Honeypot canaries

Honeypot canaries are routes, query params, or headers that normal clients should not use.

{
  "rules": {
    "honeypot": {
      "enabled": true,
      "headers": ["x-dhal-honeypot", "x-honeypot"],
      "queryParams": ["dhal_hp", "_dhal_canary"],
      "paths": ["/__dhal_honeypot", "/.env", "/wp-login.php"]
    }
  }
}

Honeypots are high-confidence signals for scanners and abusive automation.

Use them to:

  • raise severity;
  • trigger webhook alerts;
  • block on route profiles;
  • correlate IPs with later abuse.
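The sketch below is an added example, not the product's own code. It shows how a request can be checked against the honeypot rule above and how a canary hit can be used to correlate an IP with its later requests. The function names, the request shape, and the matching semantics (case-insensitive header names, exact path match after trimming trailing slashes) are assumptions.

```javascript
// Added example: not the product's implementation. Matching semantics are
// assumptions; the rule values are copied from the configuration above.
const rule = {
  enabled: true,
  headers: ["x-dhal-honeypot", "x-honeypot"],
  queryParams: ["dhal_hp", "_dhal_canary"],
  paths: ["/__dhal_honeypot", "/.env", "/wp-login.php"],
};

// Returns every canary a request touched, e.g. [{ kind: "path", name: "/.env" }].
function matchHoneypot(rule, req) {
  if (!rule.enabled) return [];
  const url = new URL(req.url, "http://placeholder.invalid");
  const hits = [];
  const path = url.pathname.replace(/\/+$/, "") || "/";
  if (rule.paths.includes(path)) hits.push({ kind: "path", name: path });
  for (const p of rule.queryParams) {
    if (url.searchParams.has(p)) hits.push({ kind: "queryParam", name: p });
  }
  const sent = new Set(Object.keys(req.headers || {}).map((h) => h.toLowerCase()));
  for (const h of rule.headers) {
    if (sent.has(h.toLowerCase())) hits.push({ kind: "header", name: h });
  }
  return hits;
}

// Remembers which client IPs tripped a canary and lists their later requests.
function correlate(rule, requests) {
  const flagged = new Map(); // ip -> first canary hit
  const followUps = [];
  for (const req of requests) {
    const hits = matchHoneypot(rule, req);
    if (hits.length > 0) {
      if (!flagged.has(req.ip)) flagged.set(req.ip, hits[0]);
    } else if (flagged.has(req.ip)) {
      followUps.push({ ip: req.ip, url: req.url, canary: flagged.get(req.ip).name });
    }
  }
  return { flagged, followUps };
}

// Constructed sample traffic (documentation-range IPs).
const sample = [
  { ip: "203.0.113.7", url: "/.env", headers: {} },
  { ip: "198.51.100.2", url: "/products?page=2", headers: { Accept: "text/html" } },
  { ip: "203.0.113.7", url: "/api/login", headers: {} },
  { ip: "192.0.2.9", url: "/search?q=a&dhal_hp=1", headers: { "X-Honeypot": "1" } },
];
```

Calling `correlate(rule, sample)` flags the two IPs that touched a canary and returns the later `/api/login` request from the first of them as a follow-up worth reviewing.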

Do not expose real functionality

Honeypot paths should never serve sensitive logic. They exist only as canaries.