# SEC-06 — Rate Limiting & Contact Form Spam

**Category:** security  
**Status:** issues found

---

## [HIGH] No Rate Limiting
`routes/web.php` — POST `/contact` and POST `/careers/{id}/apply` have no `throttle` middleware, so a single client can submit the contact form or a job application as fast as it can send requests.

**Fix:**
```php
Route::post('/contact', [ContactController::class, 'send'])
    ->middleware('throttle:5,1')  // 5 requests per minute per client (keyed by IP for guests)
    ->name('contact.send');

Route::post('/careers/{id}/apply', [CareerController::class, 'apply'])
    ->middleware('throttle:3,1')  // 3 requests per minute per client
    ->name('careers.apply');
```
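`throttle:5,1` keys on the client IP (or the authenticated user ID), which has two practical consequences: behind a load balancer the IP is the balancer's unless `TrustProxies` is configured for that proxy range, and a bot rotating IPs is never throttled. The following is an added example (not the project's code) of a named limiter that adds a second key on the submitted e-mail address and returns a form-friendly 429 for the career endpoint; the provider location, the `email` field name and the `contact.show` route are assumptions.

```php
<?php
// --- app/Providers/AppServiceProvider.php (excerpt) ---
// Added example, not the project's own provider. Assumes Laravel 9+.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Two independent limits; the request is rejected if either is exceeded.
        //  1. per client IP  - only meaningful if TrustProxies is set up, otherwise
        //     every visitor behind the load balancer shares one bucket.
        //  2. per e-mail address - catches a bot that rotates IPs but reuses
        //     the same sender address (field name `email` is an assumption).
        RateLimiter::for('contact', function (Request $request) {
            $email = strtolower(trim((string) $request->input('email')));

            return [
                Limit::perMinute(5)->by('contact-ip:'.$request->ip()),
                Limit::perHour(20)->by('contact-email:'.$email),
            ];
        });

        // Career applications: stricter, and a 429 that redirects back to the form
        // with the error instead of Laravel's plain-text "Too Many Attempts".
        // $headers carries Retry-After / X-RateLimit-* for API-style responses.
        RateLimiter::for('careers-apply', function (Request $request) {
            return Limit::perMinute(3)
                ->by('careers-ip:'.$request->ip())
                ->response(function (Request $request, array $headers) {
                    return back()
                        ->withInput($request->except('resume'))
                        ->withErrors(['form' => 'Too many applications from this address, please try again later.']);
                });
        });
    }
}

// --- routes/web.php (excerpt) ---
// Reference the named limiters instead of the inline `N,M` form.
// Route::post('/contact', [ContactController::class, 'send'])
//     ->middleware('throttle:contact')
//     ->name('contact.send');
//
// Route::post('/careers/{id}/apply', [CareerController::class, 'apply'])
//     ->middleware('throttle:careers-apply')
//     ->name('careers.apply');
```

The e-mail key is deliberately derived from unvalidated input: the limiter runs before the FormRequest, so an absent or garbage address still counts against a shared bucket rather than bypassing the limit.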

## [MEDIUM] No Honeypot / Anti-Bot
`ContactFormRequest.php` — there is no honeypot field, so the form relies entirely on rate limiting against automated submissions.

**Fix: add a visually hidden field to the view.** Use a real text input hidden with CSS rather than `type="hidden"`; most form bots fill every text input they find but skip hidden ones. The name `website` is chosen because it looks like a legitimate field.
```blade
<input type="text" name="website" class="hidden" tabindex="-1" autocomplete="off" aria-hidden="true">
```
```php
// ContactFormRequest
'website' => 'string|max:0',  // honeypot: must be empty (empty strings become null and skip the rule)
```
On Laravel 8.27+ the `prohibited` rule states the same intent directly (`'website' => 'prohibited'`). Either way a filled honeypot fails validation and redirects back with an error on a field the visitor cannot see; see the example below for returning a fake success instead, so bots cannot tell they were filtered.
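A honeypot that answers "422, field `website` is prohibited" tells the bot operator exactly which field to leave blank. The following added example (not the project's `ContactFormRequest`) keeps the honeypot as a validation rule so spam can never reach the controller, but overrides `failedValidation` to log the hit and return the same success redirect a real visitor gets. The `name`/`email` rules and the `contact.show` route name are assumptions.

```php
<?php
// app/Http/Requests/Frontend/ContactFormRequest.php
// Added example, not the project's own class. Assumes Laravel >= 8.27 (for
// `prohibited`) and a GET route named `contact.show` that renders the form.

namespace App\Http\Requests\Frontend;

use Illuminate\Contracts\Validation\Validator;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\Exceptions\HttpResponseException;
use Illuminate\Support\Facades\Log;

class ContactFormRequest extends FormRequest
{
    /** Field name used in the Blade view; looks like a real field to a bot. */
    public const HONEYPOT = 'website';

    public function authorize(): bool
    {
        return true; // public form; returning false here turns every submission into a 403
    }

    public function rules(): array
    {
        return [
            'name'    => ['required', 'string', 'max:100'],          // assumed field
            'email'   => ['required', 'email:rfc', 'max:254'],       // assumed field
            'message' => ['required', 'string', 'min:10', 'max:5000'],
            // Humans never see this input, so any non-empty value is a bot.
            // An empty submission is converted to null by ConvertEmptyStringsToNull
            // and passes; a filled one fails.
            self::HONEYPOT => ['prohibited'],
        ];
    }

    /**
     * If the honeypot is what failed, pretend the message was sent. The bot
     * gets no signal, the controller is never invoked, nothing is mailed.
     * Genuine validation errors fall through to the normal redirect-with-errors.
     */
    protected function failedValidation(Validator $validator): void
    {
        if ($validator->errors()->has(self::HONEYPOT)) {
            Log::info('contact form honeypot triggered', [
                'ip'         => $this->ip(),
                'user_agent' => (string) $this->userAgent(),
            ]);

            throw new HttpResponseException(
                redirect()->route('contact.show')->with('status', 'Thanks, your message has been sent.')
            );
        }

        parent::failedValidation($validator);
    }
}
```

The success flash message must be byte-identical to the one the controller sets on a real send, otherwise the difference is itself a detection oracle.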

## [MEDIUM] Career Apply Does Not Use the Form Request
`CareerController.php:32` — validation is done inline with `$request->validate([...])` even though `CareerApplyRequest` already exists, so the two rule sets can silently drift apart.

**Fix:**
```php
use App\Http\Requests\Frontend\CareerApplyRequest;

// CareerApplyRequest::authorize() must return true for this public form,
// otherwise every submission is rejected with a 403.
public function apply(CareerApplyRequest $request, $id)
{
    $data = $request->validated(); // only fields covered by rules() are returned
    // ...
}
```
```

## [LOW] Message Tidak Ada Max Length
`ContactFormRequest.php:19` — `'message' => 'required|string|min:10'` has no `max`, so a single request can carry a multi-megabyte body into the mailer and the database.

**Fix:** `'message' => 'required|string|min:10|max:5000'`

## [LOW] CareerApply Resume Validation
`CareerApplyRequest.php:18` — `resume_path` is validated as `nullable|string`, i.e. the client supplies a path string. If this is meant to be a file upload, validate the upload itself (`max` is in kilobytes; `mimes:pdf` checks the detected MIME type, not the extension the browser sent) and let Laravel generate the stored filename:
```php
'resume' => 'nullable|file|mimes:pdf|max:2048',
```
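The two Career findings above (inline validation instead of `CareerApplyRequest`, and a client-controlled `resume_path`) are fixed together in this added example, which is not the project's code: the FormRequest validates the upload, and the controller stores it on a non-public disk under a random name before writing the path. The `Career` model, its `applications()` relation, the `ip_address` column and the field names are assumptions.

```php
<?php
// --- app/Http/Requests/Frontend/CareerApplyRequest.php ---
// Added example, not the project's own class.

namespace App\Http\Requests\Frontend;

use Illuminate\Foundation\Http\FormRequest;

class CareerApplyRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true; // public form; false here would 403 every applicant
    }

    public function rules(): array
    {
        return [
            'name'  => ['required', 'string', 'max:100'],     // assumed field
            'email' => ['required', 'email:rfc', 'max:254'],  // assumed field
            // Validate the upload, never a caller-supplied path. `mimes:pdf`
            // inspects the file's detected MIME type; `max:2048` is 2048 KB.
            'resume' => ['required', 'file', 'mimes:pdf', 'max:2048'],
        ];
    }
}

// --- app/Http/Controllers/Frontend/CareerController.php (excerpt) ---

namespace App\Http\Controllers\Frontend;

use App\Http\Controllers\Controller;
use App\Http\Requests\Frontend\CareerApplyRequest;
use App\Models\Career;                 // assumed model
use Illuminate\Http\RedirectResponse;

class CareerController extends Controller
{
    public function apply(CareerApplyRequest $request, int $id): RedirectResponse
    {
        $career = Career::findOrFail($id);

        // Only validated fields, minus the UploadedFile object itself.
        $data = $request->safe()->except('resume');

        // store() writes to the `local` (non-public) disk under a random hashed
        // name, so the original filename never reaches the filesystem or a URL.
        $data['resume_path'] = $request->file('resume')->store('resumes', 'local');
        $data['ip_address']  = $request->ip();

        $career->applications()->create($data);   // assumed relation

        return back()->with('status', 'Application received.');
    }
}
```

Serving the resume back to staff should go through a controller that authorizes the user and streams from the `local` disk; the stored path must never be exposed as a public URL.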

## Verified OK
- IP address is stored (`$request->ip()`) ✓ (behind a load balancer this is the client IP only if `TrustProxies` is configured)
- Contact form mail errors are handled (try/catch so a mailer failure does not crash the request) ✓
