diff --git a/.env_sample b/.env_sample
index 4288c46ec..81172d708 100644
--- a/.env_sample
+++ b/.env_sample
@@ -10,4 +10,13 @@ SMTP_USER=your_smtp_username
 SMTP_PASSWORD=your_smtp_password
 SMTP_SENDER=your_smtp_sender_email
 FEEDBACK_ADDRESS=feedback@example.com
-XML_SUBMIT_ADDRESS=xmlsubmit@example.com
\ No newline at end of file
+XML_SUBMIT_ADDRESS=xmlsubmit@example.com
+# Rate limiting settings
+# Maximum number of feedback submissions allowed per IP address within the time window
+FEEDBACK_MAX_SUBMISSIONS=3
+# Time window in seconds for rate limiting (e.g., 3600 seconds = 1 hour). Works for all kinds of events
+RATE_LIMIT_TIME_WINDOW=3600
+# Maximum number of save operations per window
+SAVE_RATE_LIMIT = 300
+#Maximum number of submissions per window
+SUBMIT_RATE_LIMIT = 10
\ No newline at end of file
diff --git a/api/csrf_token.php b/api/csrf_token.php
index df0c3e9f5..7efd27bdd 100644
--- a/api/csrf_token.php
+++ b/api/csrf_token.php
@@ -6,21 +6,17 @@
  * The token is stored in the session and must be validated on form submission.
  */
 
-// Start session if not already started
-if (session_status() === PHP_SESSION_NONE) {
-    session_start();
-}
+// Start session BEFORE any output
+session_start();
+
+require_once __DIR__ . '/security.php';
 
 header('Content-Type: application/json');
 header('Cache-Control: no-store, no-cache, must-revalidate');
 header('Pragma: no-cache');
 
-// Generate a new CSRF token
-$token = bin2hex(random_bytes(32));
-
-// Store in session
-$_SESSION['csrf_token'] = $token;
-$_SESSION['csrf_token_time'] = time();
+// Generate a new CSRF token using shared security utility
+$token = generateCsrfToken();
 
 echo json_encode([
     'success' => true,
diff --git a/api/security.php b/api/security.php
new file mode 100644
index 000000000..5fb25ffc4
--- /dev/null
+++ b/api/security.php
@@ -0,0 +1,203 @@
+<?php
+/**
+ * Shared Security Utilities
+ * 
+ * Central location for security functions used across the application:
+ * - CSRF token generation and validation
+ * - Honeypot validation
+ * - Rate limiting for feedback, save, and submit operations
+ * - Client IP detection
+ */
+
+// Load environment variables from .env file
+$envFile = dirname(__DIR__) . '/.env';
+if (file_exists($envFile)) {
+    $lines = file($envFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+    foreach ($lines as $line) {
+        if (strpos($line, '=') === false || strpos($line, '#') === 0) {
+            continue;
+        }
+        [$key, $value] = explode('=', $line, 2);
+        $key = trim($key);
+        $value = trim($value);
+        if (!isset($_ENV[$key])) {
+            putenv("{$key}={$value}");
+        }
+    }
+} else {
+    error_log("Security.php: .env file not found at expected path: {$envFile}");
+}
+
+// Rate limiting configuration (loaded from .env or defaults)
+define('RATE_LIMIT_FEEDBACK_MAX', (int) getenv('FEEDBACK_MAX_SUBMISSIONS') ?: 3);
+define('RATE_LIMIT_SAVE_MAX', (int) getenv('SAVE_RATE_LIMIT') ?: 100);
+define('RATE_LIMIT_SUBMIT_MAX', (int) getenv('SUBMIT_RATE_LIMIT') ?: 5);
+define('RATE_LIMIT_WINDOW_SECONDS', (int) getenv('RATE_LIMIT_TIME_WINDOW') ?: 3600);
+
+/**
+ * Initializes session if not already started.
+ * Must be called before any session operations.
+ *
+ * @return void
+ */
+function initializeCsrfSession(): void
+{
+    if (session_status() === PHP_SESSION_NONE) {
+        session_start();
+    }
+}
+
+/**
+ * Generates a new CSRF token and stores it in the session.
+ * The token is valid for 1 hour.
+ *
+ * @return string The generated CSRF token
+ */
+function generateCsrfToken(): string
+{
+    initializeCsrfSession();
+    
+    $token = bin2hex(random_bytes(32));
+    $_SESSION['csrf_token'] = $token;
+    $_SESSION['csrf_token_time'] = time();
+    
+    return $token;
+}
+
+/**
+ * Validates a CSRF token from a POST request.
+ * Checks for token existence, validity, and expiration (1 hour).
+ *
+ * @param string $submittedToken The token from the form submission
+ * @return bool True if token is valid, false otherwise
+ */
+function validateCsrfToken(string $submittedToken): bool
+{
+    initializeCsrfSession();
+    
+    $sessionToken = $_SESSION['csrf_token'] ?? '';
+    $tokenTime = $_SESSION['csrf_token_time'] ?? 0;
+    
+    // Token must exist in session and submitted form
+    if (empty($submittedToken) || empty($sessionToken)) {
+        return false;
+    }
+    
+    // Token must match (timing-safe comparison)
+    if (!hash_equals($sessionToken, $submittedToken)) {
+        return false;
+    }
+    
+    // Token must not be older than 1 hour
+    if (time() - $tokenTime > 3600) {
+        return false;
+    }
+    
+    return true;
+}
+
+/**
+ * Invalidates the current CSRF token by removing it from session.
+ * Should be called after a successful form submission.
+ *
+ * @return void
+ */
+function invalidateCsrfToken(): void
+{
+    initializeCsrfSession();
+    unset($_SESSION['csrf_token']);
+    unset($_SESSION['csrf_token_time']);
+}
+
+/**
+ * Validates the honeypot field to detect bots.
+ * Honeypot should be empty for legitimate users.
+ *
+ * @param string $honeypotValue The value from the honeypot field
+ * @return bool True if honeypot is empty (legitimate), false if filled (bot)
+ */
+function validateHoneypot(string $honeypotValue): bool
+{
+    return empty($honeypotValue);
+}
+
+/**
+ * Gets the client IP address, considering proxies and forwarding headers.
+ *
+ * @return string The client IP address
+ */
+function getClientIp(): string
+{
+    // Check for forwarded IP (behind proxy/load balancer)
+    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
+        return trim($ips[0]);
+    }
+    
+    if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+        return $_SERVER['HTTP_X_REAL_IP'];
+    }
+    
+    return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+}
+
+/**
+ * Checks if an IP address has exceeded rate limit for a given action type.
+ *
+ * @param mysqli $connection Database connection
+ * @param string $ipAddress The client IP address
+ * @param string $actionType The action type ('feedback', 'save', 'submit')
+ * @param int $maxRequests Maximum allowed requests in the time window
+ * @param int $windowSeconds Time window in seconds (default 3600 = 1 hour)
+ * @return bool True if within rate limit, false if exceeded
+ */
+function checkRateLimit(
+    $connection,
+    string $ipAddress,
+    string $actionType,
+    int $maxRequests = 3,
+    int $windowSeconds = 3600
+): bool
+{
+    // Clean up old entries (older than 24 hours)
+    $cleanupSql = "DELETE FROM Rate_Limit WHERE submitted_at < DATE_SUB(NOW(), INTERVAL 24 HOUR)";
+    mysqli_query($connection, $cleanupSql);
+    
+    // Count recent submissions from this IP for this action type
+    $stmt = $connection->prepare(
+        "SELECT COUNT(*) as count FROM Rate_Limit 
+         WHERE ip_address = ? AND action = ? AND submitted_at > DATE_SUB(NOW(), INTERVAL ? SECOND)"
+    );
+    $stmt->bind_param("ssi", $ipAddress, $actionType, $windowSeconds);
+    $stmt->execute();
+    $result = $stmt->get_result();
+    $row = $result->fetch_assoc();
+    $stmt->close();
+    
+    return ($row['count'] ?? 0) < $maxRequests;
+}
+
+/**
+ * Records a submission for rate limiting purposes.
+ *
+ * @param mysqli $connection Database connection
+ * @param string $ipAddress The client IP address
+ * @param string $actionType The action type ('feedback', 'save', 'submit')
+ * @return bool True if successfully recorded, false on error
+ */
+function recordRateLimit(
+    $connection,
+    string $ipAddress,
+    string $actionType
+): bool
+{
+    $stmt = $connection->prepare(
+        "INSERT INTO Rate_Limit (action, ip_address, submitted_at) VALUES (?, ?, NOW())"
+    );
+    $stmt->bind_param("ss", $actionType, $ipAddress);
+    $success = $stmt->execute();
+    $stmt->close();
+    
+    return $success;
+}
+?>
diff --git a/formgroups/honeypot.html b/formgroups/honeypot.html
new file mode 100644
index 000000000..00c4495aa
--- /dev/null
+++ b/formgroups/honeypot.html
@@ -0,0 +1,4 @@
+<!-- Honeypot field for bot detection - hidden from human users -->
+<div style="position: absolute; left: -9999px;" aria-hidden="true">
+    <input type="text" name="website" tabindex="-1" autocomplete="off" />
+</div>
diff --git a/index.php b/index.php
index 7ed1a8513..4ccfad3c8 100644
--- a/index.php
+++ b/index.php
@@ -51,6 +51,7 @@
 $mslLogoHtml = '<a href="https://epos-msl.uu.nl/" target="_blank" rel="noopener noreferrer"> <img src="logos/EPOS_logo.png" alt="MSL Logo" class="logo logo-right"> </a>';
 $baseDir = __DIR__ . '/';
 include $baseDir . 'header.php';
+include $baseDir . 'formgroups/honeypot.html';
 include $baseDir . 'formgroups/resourceInformation.html';
 
 if ($showLicense) {
diff --git a/install.php b/install.php
index 09cbea0ed..0f7182bab 100644
--- a/install.php
+++ b/install.php
@@ -81,7 +81,7 @@ function dropTables($connection)
         'Resource_has_Related_Work',
         'Funding_Reference',
         'Resource_has_Funding_Reference',
-        'Feedback_Rate_Limit',
+        'Rate_Limit',
         // ICGEM-specific variables to describe beautiful GGMs 
         'GGM_Properties',
         'Resource_has_GGM_Properties',
@@ -655,13 +655,14 @@ function createDatabaseStructure($connection): array
     FOREIGN KEY (`data_source_id`) REFERENCES `Data_Sources`(`data_source_id`) ON DELETE CASCADE
         );",
 
-        // Feedback rate limiting table for spam protection
-        "Feedback_Rate_Limit" => "CREATE TABLE IF NOT EXISTS `Feedback_Rate_Limit` (
+        // Unified rate limiting table for spam protection across all actions (feedback, save, submit)
+        "Rate_Limit" => "CREATE TABLE IF NOT EXISTS `Rate_Limit` (
     `id` INT NOT NULL AUTO_INCREMENT,
+    `action` VARCHAR(50) NOT NULL,
     `ip_address` VARCHAR(45) NOT NULL,
     `submitted_at` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
     PRIMARY KEY (`id`),
-    INDEX `idx_ip_time` (`ip_address`, `submitted_at`)
+    INDEX `idx_action_ip_time` (`action`, `ip_address`, `submitted_at`)
         );",
     ];
 
diff --git a/js/saveHandler.js b/js/saveHandler.js
index a2f6458a9..6ba0cfdcd 100644
--- a/js/saveHandler.js
+++ b/js/saveHandler.js
@@ -19,9 +19,31 @@ class SaveHandler {
             notification: new bootstrap.Modal($(`#${notificationModalId}`)[0])
         };
         this.autosaveService = autosaveService;
+        
+        // Security fields
+        this.$csrfTokenField = $('#input-save-csrf-token');
+        this.$timeSpentField = $('#input-save-time-spent');
+        this.$honeypotField = $('input[name="website"]');
+        this.modalOpenedAt = null;
+        
         this.initializeEventListeners();
     }
 
+    /**
+     * Fetches a CSRF token from the server for form protection.
+     * @returns {Promise<string>} The CSRF token
+     */
+    async fetchCsrfToken() {
+        try {
+            const response = await fetch('api/csrf_token.php');
+            const data = await response.json();
+            return data.token || '';
+        } catch (error) {
+            console.error('Failed to fetch CSRF token:', error);
+            return '';
+        }
+    }
+
     /**
      * Initialize event listeners
      */
@@ -29,8 +51,19 @@ class SaveHandler {
         $('#button-saveas-save').on('click', () => this.handleSaveConfirm());
         $('#modal-saveas').on('hidden.bs.modal', () => this.modals.notification.hide());
 
-        // Focus on input field
-        $('#modal-saveas').on('shown.bs.modal', () => {
+        // Focus on input field and fetch CSRF token
+        $('#modal-saveas').on('shown.bs.modal', async () => {
+            // Record when modal was opened for time-spent calculation
+            this.modalOpenedAt = Date.now();
+            
+            // Fetch fresh CSRF token
+            const token = await this.fetchCsrfToken();
+            this.$csrfTokenField.val(token);
+            
+            // Reset time spent and honeypot
+            this.$timeSpentField.val('0');
+            this.$honeypotField.val('');
+            
             $('#input-saveas-filename').select();
         });
         $('#modal-saveas').on('keydown', (e) => {
@@ -97,6 +130,12 @@ class SaveHandler {
             return;
         }
 
+        // Calculate time spent filling the save modal (in seconds)
+        if (this.modalOpenedAt) {
+            const timeSpent = Math.floor((Date.now() - this.modalOpenedAt) / 1000);
+            this.$timeSpentField.val(timeSpent);
+        }
+
         this.modals.saveAs.hide();
         await this.saveAndDownload(filename);
     }
@@ -116,7 +155,11 @@ class SaveHandler {
         try {
             const formData = new FormData(this.$form[0]);
             formData.append('filename', filename);
-            formData.append('action', 'save_and_download');
+            
+            // Append security fields
+            formData.append('csrf_token', this.$csrfTokenField.val());
+            formData.append('save_time_spent', this.$timeSpentField.val());
+            formData.append('website', this.$honeypotField.val());
 
             const response = await fetch('save/save_data.php', {
                 method: 'POST',
diff --git a/js/submitHandler.js b/js/submitHandler.js
index a00fb1215..341dc997c 100644
--- a/js/submitHandler.js
+++ b/js/submitHandler.js
@@ -139,6 +139,12 @@ class SubmitHandler {
         this.$selectedFileName = $('#selected-file-name');
         this.autosaveService = autosaveService;
 
+        // Security field references
+        this.$csrfTokenField = $('#input-submit-csrf-token');
+        this.$timeSpentField = $('#input-submit-time-spent');
+        this.$honeypotField = $('input[name="website"]');
+        this.modalOpenedAt = null;
+
         this.initializeEventListeners();
         this.initializeFileHandlers();
         this.$removeFileBtn.hide();
@@ -152,10 +158,15 @@ class SubmitHandler {
         $('#button-submit-submit').on('click', () => this.handleModalSubmit());
         this.$form.on('change', 'input[name="contacts[]"]', validateContactPerson);
 
-        // Focus on input field
-        $('#modal-submit').on('shown.bs.modal', () => {
+        // Fetch CSRF token and reset security fields on modal open
+        $('#modal-submit').on('shown.bs.modal', async () => {
+            await this.fetchCsrfToken();
+            this.modalOpenedAt = Date.now();
+            this.$honeypotField.val(''); // Ensure honeypot is empty
+            this.$timeSpentField.val('0');
             $('#input-submit-dataurl').select();
         });
+
         $('#modal-submit').on('keydown', (e) => {
             // KeyCode 13? (Enter)
             if (e.which === 13 || e.keyCode === 13) {
@@ -174,6 +185,23 @@ class SubmitHandler {
         });
     }
 
+    /**
+     * Fetch fresh CSRF token from the server
+     */
+    async fetchCsrfToken() {
+        try {
+            const response = await fetch('api/csrf_token.php');
+            const data = await response.json();
+            if (data.token) {
+                this.$csrfTokenField.val(data.token);
+            } else {
+                console.error('No token in response:', data);
+            }
+        } catch (error) {
+            console.error('Error fetching CSRF token:', error);
+        }
+    }
+
     /**
      * Initialize file input handlers
      */
@@ -241,8 +269,21 @@ class SubmitHandler {
         if (this.autosaveService) {
             await this.autosaveService.flushPending();
         }
+        
+        // Calculate time spent in modal
+        if (this.modalOpenedAt) {
+            const timeSpent = Math.floor((Date.now() - this.modalOpenedAt) / 1000);
+            this.$timeSpentField.val(timeSpent);
+        }
+        
         const submitData = new FormData(this.$form[0]);
 
+        // Explicitly add CSRF token (it's in the modal, not in the main form)
+        const csrfToken = this.$csrfTokenField.val();
+        if (csrfToken) {
+            submitData.set('csrf_token', csrfToken);
+        }
+
         submitData.append('urgency', $('#input-submit-urgency').val());
         submitData.append('dataUrl', $('#input-submit-dataurl').val());
 
diff --git a/modals.html b/modals.html
index 898a8397e..0fda8fb76 100644
--- a/modals.html
+++ b/modals.html
@@ -139,6 +139,15 @@ <h2 class="modal-title fs-5" id="label-saveas-modal" data-translate="modals.save
             </div>
             <div class="modal-body">
                 <form id="form-saveas-filename">
+                    <!-- Honeypot field - hidden from humans, bots will fill it -->
+                    <div style="position: absolute; left: -9999px;" aria-hidden="true">
+                        <input type="text" name="website" tabindex="-1" autocomplete="off">
+                    </div>
+                    
+                    <!-- Hidden security fields -->
+                    <input type="hidden" name="save_time_spent" id="input-save-time-spent" value="0">
+                    <input type="hidden" name="csrf_token" id="input-save-csrf-token" value="">
+                    
                     <div class="mb-3">
                         <label for="input-saveas-filename" class="form-label" data-translate="modals.save.filename">
                             Filename
@@ -171,6 +180,15 @@ <h5 class="modal-title" id="modal-submit-label" data-translate="modals.submit.ti
         </div>
         <div class="modal-body">
           <form id="modal-submit-form">
+            <!-- Honeypot field - hidden from humans, bots will fill it -->
+            <div style="position: absolute; left: -9999px;" aria-hidden="true">
+                <input type="text" name="website" tabindex="-1" autocomplete="off">
+            </div>
+            
+            <!-- Hidden security fields -->
+            <input type="hidden" name="submit_time_spent" id="input-submit-time-spent" value="0">
+            <input type="hidden" name="csrf_token" id="input-submit-csrf-token" value="">
+            
             <!-- Publication urgency dropdown -->
             <div class="mb-3">
               <label for="input-submit-urgency" class="form-label" data-translate="modals.submit.urgency">Urgency</label>
diff --git a/save/save_data.php b/save/save_data.php
index 38d8efff0..d54aad0d8 100644
--- a/save/save_data.php
+++ b/save/save_data.php
@@ -1,41 +1,131 @@
 <?php
 /**
- * @description Handles dataset saving and XML file generation
+ * @description Handles dataset saving and XML file generation with security validations
  * 
  * This script processes form submissions for dataset metadata:
+ * - Validates CSRF token
+ * - Checks honeypot field
+ * - Enforces rate limiting for save operations
  * - Saves metadata to database
  * - Generates XML files
  * - Handles both initial save requests and file downloads
  * 
  * @requires settings.php
+ * @requires api/security.php
  * @requires formgroups/*.php
  */
 
+// Guard for PHPUnit
+if (defined('PHPUNIT_RUNNING')) {
+    return;
+}
+
+// Only process POST requests
+if (($_SERVER['REQUEST_METHOD'] ?? null) !== 'POST') {
+    exit();
+}
+
+// Include security functions BEFORE settings to ensure they're available
+require_once __DIR__ . '/../api/security.php';
+
+// Only load settings if connection not already injected (for testing)
+if (!isset($GLOBALS['connection']) || $GLOBALS['connection'] === null) {
+    require_once __DIR__ . '/../settings.php';
+}
+global $connection;
 /**
- * Process form submission based on action type
+ * Validates security checks for save operations.
+ * 
+ * @param array $postData The POST data
+ * @param mysqli $connection Database connection for rate limiting
+ * @return array {status: bool, message: string|null, code: int}
  */
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    // Include required configuration and helper files
-    require_once __DIR__ . '/../settings.php';
-    require_once __DIR__ . '/formgroups/save_resourceinformation_and_rights.php';
-    require_once __DIR__ . '/formgroups/save_authors.php';
-    require_once __DIR__ . '/formgroups/save_contactperson.php';
-    require_once __DIR__ . '/formgroups/save_originatinglaboratory.php';
-    require_once __DIR__ . '/formgroups/save_freekeywords.php';
-    require_once __DIR__ . '/formgroups/save_contributorpersons.php';
-    require_once __DIR__ . '/formgroups/save_contributorinstitutions.php';
-    require_once __DIR__ . '/formgroups/save_descriptions.php';
-    require_once __DIR__ . '/formgroups/save_thesauruskeywords.php';
-    require_once __DIR__ . '/formgroups/save_spatialtemporalcoverage.php';
-    require_once __DIR__ . '/formgroups/save_relatedwork.php';
-    require_once __DIR__ . '/formgroups/save_fundingreferences.php';
-    // ICGEM related formgroups
-    require_once __DIR__ . '/formgroups/save_ggms_definition.php';
-    require_once __DIR__ . '/formgroups/save_ggms_properties.php';
-    require_once __DIR__ . '/formgroups/save_ggms_datasources.php';
-    require_once __DIR__ . '/formgroups/save_ggms_modeltypes.php';
+function validateSaveSecurity($postData, $connection)
+{
+    $clientIp = getClientIp();
+    
+    // Security Check 1: Honeypot
+    if (!validateHoneypot($postData['website'] ?? '')) {
+        error_log("[💿SAVE]: Save blocked - Honeypot triggered from IP {$clientIp}");
+        return [
+            'status' => false,
+            'message' => 'Invalid request',
+            'code' => 400
+        ];
+    }
+    
+    // Security Check 2: CSRF Token validation
+    $submittedToken = $postData['csrf_token'] ?? '';
+    if (!validateCsrfToken($submittedToken)) {
+        error_log("[💿SAVE]: Save blocked - Invalid CSRF token from IP {$clientIp}");
+        return [
+            'status' => false,
+            'message' => 'Invalid request - CSRF token validation failed',
+            'code' => 403
+        ];
+    }
+    
+    // Security Check 3: Rate limiting
+    if (!checkRateLimit($connection, $clientIp, 'save', RATE_LIMIT_SAVE_MAX, RATE_LIMIT_WINDOW_SECONDS)) {
+        error_log("[💿SAVE]: Save blocked - Rate limit exceeded for IP {$clientIp}");
+        return [
+            'status' => false,
+            'message' => 'Too many save requests. Please try again later.',
+            'code' => 429
+        ];
+    }
+    
+    // Record this save for rate limiting
+    recordRateLimit($connection, $clientIp, 'save');
+    
+    // Invalidate the used CSRF token
+    invalidateCsrfToken();
+    
+    // Security Check 4: Minimum time validation
+    if (isset($postData['save_time_spent'])) {
+        $timeSpent = (int) $postData['save_time_spent'];
+        if ($timeSpent < 2) {
+            error_log("[💿SAVE]: Save blocked - Insufficient time spent ({$timeSpent}s) from IP {$clientIp}");
+            return [
+                'status' => false,
+                'message' => 'Save request too fast - minimum 2 seconds required',
+                'code' => 400
+            ];
+        }
+    }
+    
+    return ['status' => true];
+}
+
+// Validate security first
+$securityCheck = validateSaveSecurity($_POST, $connection);
+if (!$securityCheck['status']) {
+    http_response_code($securityCheck['code'] ?? 400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => $securityCheck['message'] ?? 'Security validation failed']);
+    error_log("[💿SAVE]: Security validation failed: " . ($securityCheck['message'] ?? 'Unknown reason'));
+    exit();
 }
 
+// Include required files
+require_once __DIR__ . '/formgroups/save_resourceinformation_and_rights.php';
+require_once __DIR__ . '/formgroups/save_authors.php';
+require_once __DIR__ . '/formgroups/save_contactperson.php';
+require_once __DIR__ . '/formgroups/save_originatinglaboratory.php';
+require_once __DIR__ . '/formgroups/save_freekeywords.php';
+require_once __DIR__ . '/formgroups/save_contributorpersons.php';
+require_once __DIR__ . '/formgroups/save_contributorinstitutions.php';
+require_once __DIR__ . '/formgroups/save_descriptions.php';
+require_once __DIR__ . '/formgroups/save_thesauruskeywords.php';
+require_once __DIR__ . '/formgroups/save_spatialtemporalcoverage.php';
+require_once __DIR__ . '/formgroups/save_relatedwork.php';
+require_once __DIR__ . '/formgroups/save_fundingreferences.php';
+// ICGEM related formgroups
+require_once __DIR__ . '/formgroups/save_ggms_definition.php';
+require_once __DIR__ . '/formgroups/save_ggms_properties.php';
+require_once __DIR__ . '/formgroups/save_ggms_datasources.php';
+require_once __DIR__ . '/formgroups/save_ggms_modeltypes.php';
+
 /**
  * Generates and outputs XML for a dataset
  * 
diff --git a/send_feedback_mail.php b/send_feedback_mail.php
index 11d1be69f..45bfbdf9f 100644
--- a/send_feedback_mail.php
+++ b/send_feedback_mail.php
@@ -6,23 +6,16 @@
  * - Rate limiting: Max 3 submissions per IP per hour
  * - Honeypot field: Hidden field that bots tend to fill
  * - CSRF token: Validates request origin
- * - Minimum time: Rejects submissions under 5 seconds
  */
 use PHPMailer\PHPMailer\PHPMailer;
 use PHPMailer\PHPMailer\Exception;
 
 require 'vendor/autoload.php';
+require __DIR__ . '/api/security.php';
 include __DIR__ . '/settings.php';
 
-// Start session for CSRF validation
-if (session_status() === PHP_SESSION_NONE) {
-    session_start();
-}
-
-// Rate limiting configuration
-define('RATE_LIMIT_MAX_REQUESTS', 3);
-define('RATE_LIMIT_WINDOW_SECONDS', 3600); // 1 hour
-define('MIN_TIME_SECONDS', 5); // Minimum time to fill form
+// Initialize session for CSRF validation
+initializeCsrfSession();
 
 /**
  * Sends a JSON error response and exits.
@@ -38,120 +31,6 @@ function sendErrorResponse(string $message, int $httpCode = 429): void
     exit;
 }
 
-/**
- * Checks if the honeypot field was filled (indicating a bot).
- *
- * @return bool True if honeypot was triggered (is a bot)
- */
-function isHoneypotTriggered(): bool
-{
-    return !empty($_POST['website']);
-}
-
-/**
- * Validates the CSRF token from the request.
- *
- * @return bool True if token is valid
- */
-function isValidCsrfToken(): bool
-{
-    $submittedToken = $_POST['csrf_token'] ?? '';
-    $sessionToken = $_SESSION['csrf_token'] ?? '';
-    $tokenTime = $_SESSION['csrf_token_time'] ?? 0;
-    
-    // Token must exist and match
-    if (empty($submittedToken) || empty($sessionToken)) {
-        return false;
-    }
-    
-    if (!hash_equals($sessionToken, $submittedToken)) {
-        return false;
-    }
-    
-    // Token must not be older than 1 hour
-    if (time() - $tokenTime > 3600) {
-        return false;
-    }
-    
-    return true;
-}
-
-/**
- * Checks if the form was filled too quickly (indicating a bot).
- *
- * @return bool True if time spent is valid (not a bot)
- */
-function isValidTimeSpent(): bool
-{
-    $timeSpent = intval($_POST['feedback_time_spent'] ?? 0);
-    return $timeSpent >= MIN_TIME_SECONDS;
-}
-
-/**
- * Checks rate limiting for the given IP address.
- *
- * @param mysqli $connection Database connection
- * @param string $ipAddress The client IP address
- * @return bool True if within rate limit, false if exceeded
- */
-function checkRateLimit($connection, string $ipAddress): bool
-{
-    // Clean up old entries first (older than 24 hours)
-    $cleanupSql = "DELETE FROM Feedback_Rate_Limit WHERE submitted_at < DATE_SUB(NOW(), INTERVAL 24 HOUR)";
-    mysqli_query($connection, $cleanupSql);
-    
-    // Count recent submissions from this IP
-    $stmt = $connection->prepare(
-        "SELECT COUNT(*) as count FROM Feedback_Rate_Limit 
-         WHERE ip_address = ? AND submitted_at > DATE_SUB(NOW(), INTERVAL ? SECOND)"
-    );
-    $window = RATE_LIMIT_WINDOW_SECONDS;
-    $stmt->bind_param("si", $ipAddress, $window);
-    $stmt->execute();
-    $result = $stmt->get_result();
-    $row = $result->fetch_assoc();
-    $stmt->close();
-    
-    return ($row['count'] ?? 0) < RATE_LIMIT_MAX_REQUESTS;
-}
-
-/**
- * Records a feedback submission for rate limiting.
- *
- * @param mysqli $connection Database connection
- * @param string $ipAddress The client IP address
- * @return void
- */
-function recordSubmission($connection, string $ipAddress): void
-{
-    $stmt = $connection->prepare(
-        "INSERT INTO Feedback_Rate_Limit (ip_address, submitted_at) VALUES (?, NOW())"
-    );
-    $stmt->bind_param("s", $ipAddress);
-    $stmt->execute();
-    $stmt->close();
-}
-
-/**
- * Gets the client IP address, considering proxies.
- *
- * @return string The client IP address
- */
-function getClientIp(): string
-{
-    // Check for forwarded IP (behind proxy/load balancer)
-    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
-        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
-        return trim($ips[0]);
-    }
-    
-    if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
-        return $_SERVER['HTTP_X_REAL_IP'];
-    }
-    
-    return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
-}
-
 function testGfzSmtpConnectivity(): bool {
     global $smtpHost, $smtpPort;
     
@@ -297,6 +176,7 @@ function sendFeedbackMail(
     }
 }
 
+
 // Process POST request
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     header('Content-Type: application/json');
@@ -307,7 +187,7 @@ function sendFeedbackMail(
     $clientIp = getClientIp();
     
     // Security Check 1: Honeypot
-    if (isHoneypotTriggered()) {
+    if (!validateHoneypot($_POST['website'] ?? '')) {
         // Silently reject but return fake success to not alert the bot
         error_log("Feedback blocked: Honeypot triggered from IP {$clientIp}");
         echo json_encode(['success' => true, 'message' => 'Feedback erfolgreich gesendet!']);
@@ -315,29 +195,23 @@ function sendFeedbackMail(
     }
     
     // Security Check 2: CSRF Token
-    if (!isValidCsrfToken()) {
+    $submittedToken = $_POST['csrf_token'] ?? '';
+    if (!validateCsrfToken($submittedToken)) {
         error_log("Feedback blocked: Invalid CSRF token from IP {$clientIp}");
         sendErrorResponse('Ungültige Anfrage. Bitte laden Sie die Seite neu und versuchen Sie es erneut.', 403);
     }
     
-    // Security Check 3: Minimum time spent
-    if (!isValidTimeSpent()) {
-        error_log("Feedback blocked: Too fast submission from IP {$clientIp} (time: " . ($_POST['feedback_time_spent'] ?? 0) . "s)");
-        sendErrorResponse('Formular zu schnell ausgefüllt. Bitte nehmen Sie sich etwas mehr Zeit.', 429);
-    }
-    
-    // Security Check 4: Rate limiting
-    if (!checkRateLimit($connection, $clientIp)) {
+    // Security Check 3: Rate limiting
+    if (!checkRateLimit($connection, $clientIp, 'feedback', RATE_LIMIT_FEEDBACK_MAX, RATE_LIMIT_WINDOW_SECONDS)) {
         error_log("Feedback blocked: Rate limit exceeded for IP {$clientIp}");
         sendErrorResponse('Sie haben zu viele Anfragen gesendet. Bitte versuchen Sie es in einer Stunde erneut.', 429);
     }
     
     // All security checks passed - record this submission
-    recordSubmission($connection, $clientIp);
+    recordRateLimit($connection, $clientIp, 'feedback');
     
     // Invalidate the used CSRF token
-    unset($_SESSION['csrf_token']);
-    unset($_SESSION['csrf_token_time']);
+    invalidateCsrfToken();
     
     $feedbackQuestion1 = $_POST['feedbackQuestion1'] ?? '';
     $feedbackQuestion2 = $_POST['feedbackQuestion2'] ?? '';
diff --git a/send_xml_file.php b/send_xml_file.php
index 7ef86734d..3f56ae06e 100644
--- a/send_xml_file.php
+++ b/send_xml_file.php
@@ -18,16 +18,19 @@
 // Enable error logging but suppress direct output to keep JSON responses clean
 error_reporting(E_ALL);
 ini_set('display_errors', 0);
+session_start();
 
 // Buffer output
 ob_start();
 
-error_log("send_xml_file.php: Script started");
+
+// Include security functions FIRST (before settings.php to avoid duplicate includes)
+require_once __DIR__ . '/api/security.php';
+
 
 // Include required files
 require_once __DIR__ . '/settings.php';
 
-error_log("send_xml_file.php: settings.php included");
 
 // Make global variables from settings.php available
 global $connection, $showGGMsProperties;
@@ -86,6 +89,77 @@ function testGfzSmtpConnectivity(): bool {
         return false;
     }
 }
+/**
+ * Validate submit security (honeypot, CSRF, rate limiting, minimum time)
+ * @param array $postData POST data from form
+ * @param mysqli $connection Database connection
+ * @throws Exception if validation fails
+ */
+function validateSubmitSecurity(array $postData, $connection) {
+    // Get client IP
+    $clientIp = getClientIp();
+    
+    // Check 1: Honeypot - Silent rejection
+    if (!validateHoneypot($postData['website'] ?? '')) {
+        http_response_code(400);
+        ob_clean();
+        header('Content-Type: application/json');
+        echo json_encode([
+            'success' => false,
+            'message' => 'Invalid submission detected.'
+        ]);
+        exit;
+    }
+    // Check 2: CSRF Token validation
+    $csrfToken = $postData['csrf_token'] ?? '';
+    error_log("DEBUG: CSRF token from POST: " . (!empty($csrfToken) ? 'present' : 'MISSING'));
+    error_log("DEBUG: Session token: " . (!empty($_SESSION['csrf_token'] ?? '') ? 'present' : 'MISSING'));
+    
+    // Check 2: CSRF Token validation
+    if (!validateCsrfToken($postData['csrf_token'] ?? '')) {
+        http_response_code(403);
+        ob_clean();
+        header('Content-Type: application/json');
+        echo json_encode([
+            'success' => false,
+            'message' => 'Security token validation failed.'
+        ]);
+        exit;
+    }
+    
+    // Check 3: Rate limiting for submit (10 per hour)
+    if (!checkRateLimit($connection, $clientIp, 'submit', RATE_LIMIT_SUBMIT_MAX, RATE_LIMIT_WINDOW_SECONDS)) {
+        http_response_code(429);
+        ob_clean();
+        header('Content-Type: application/json');
+        echo json_encode([
+            'success' => false,
+            'message' => 'Too many submission attempts. Please try again later.'
+        ]);
+        exit;
+    }
+    
+    // Check 4: Minimum time spent (5 seconds for submit)
+    $timeSpent = intval($postData['submit_time_spent'] ?? 0);
+    if ($timeSpent < 5) {
+        http_response_code(400);
+        ob_clean();
+        header('Content-Type: application/json');
+        echo json_encode([
+            'success' => false,
+            'message' => 'Please take time to review your submission before submitting.'
+        ]);
+        exit;
+    }
+    
+    // All checks passed, record the rate limit
+    recordRateLimit($connection, $clientIp, 'submit');
+    
+    // Invalidate CSRF token after successful security validation
+    invalidateCsrfToken();
+    
+    error_log("send_xml_file.php: Submit security validation passed");
+}
 
 /**
  * Convert weeks to priority text
@@ -157,6 +231,12 @@ function createAndAttachXmlFile(PHPMailer $mail, string $xml_content, int $resou
 
 try {
     error_log("send_xml_file.php: Try block started");
+    
+    // Validate security before saving any data
+    validateSubmitSecurity($_POST, $connection);
+    
+    error_log("send_xml_file.php: Security validation passed");
+    
     // Save all form components
     $resource_id = saveResourceInformationAndRights($connection, $_POST);
     saveAuthors($connection, $_POST, $resource_id);
@@ -362,21 +442,27 @@ function createAndAttachXmlFile(PHPMailer $mail, string $xml_content, int $resou
     $mail->send();
     error_log("XML Submit: E-Mail erfolgreich über GFZ SMTP versendet!");
 } else {
-    error_log("Warning: the email was not sent! You are strongly assuming you are in development right now! SIMULATE_EMAIL was set true - skipping SMTP and PHPMailer.");
-}
-
-    error_log("send_xml_file.php: About to return success");
-
-    // Clear any output buffers
-    ob_clean();
-
-    // Return success response
+    error_log("Warning: the email was not sent! ...");
     header('Content-Type: application/json');
     echo json_encode([
         'success' => true,
-        'message' => 'Backend reports: XML submission email sent successfully.',
-        'resource_id' => $resource_id
+        'message' => '✓ SIMULATED: Email sending was skipped...',
+        'resource_id' => $resource_id,
+        'simulated' => true
     ]);
+    exit;  // ← ADD THIS
+}
+
+// reached in the normal production flow 
+error_log("send_xml_file.php: About to return success");
+ob_clean();
+header('Content-Type: application/json');
+echo json_encode([
+    'success' => true,
+    'message' => 'Backend reports: XML submission email sent successfully.',
+    'resource_id' => $resource_id,
+    'simulated' => false
+]);
 
 } catch (Exception $e) {
     error_log("XML Submit Error: " . $e->getMessage());
diff --git a/tests/DatabaseTestCase.php b/tests/DatabaseTestCase.php
index 6002ee391..2d9d84282 100644
--- a/tests/DatabaseTestCase.php
+++ b/tests/DatabaseTestCase.php
@@ -197,6 +197,7 @@ protected function cleanupTestData(): void
             'Originating_Laboratory_has_Affiliation',
             'Free_Keywords',
             'Affiliation',
+            'Rate_Limit',
             'Title',
             'Description',
             'Spatial_Temporal_Coverage',
diff --git a/tests/SecurityFunctionsTest.php b/tests/SecurityFunctionsTest.php
new file mode 100644
index 000000000..4398a4695
--- /dev/null
+++ b/tests/SecurityFunctionsTest.php
@@ -0,0 +1,470 @@
+<?php
+namespace Tests;
+
+use PHPUnit\Framework\TestCase;
+
+require_once __DIR__ . '/../api/security.php';
+
+/**
+ * Test suite for centralized security functions in api/security.php
+ * 
+ * Tests CSRF token generation/validation, honeypot detection, 
+ * rate limiting, and client IP detection.
+ */
+class SecurityFunctionsTest extends DatabaseTestCase
+{
+    protected function setUp(): void
+    {
+        parent::setUp();
+        
+        // Initialize session for CSRF tests
+        if (session_status() === PHP_SESSION_NONE) {
+            session_start();
+        }
+        
+        // Clean up session before each test
+        $_SESSION = [];
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+        
+        // Clean up session
+        $_SESSION = [];
+        if (session_status() === PHP_SESSION_ACTIVE) {
+            session_destroy();
+        }
+    }
+
+    // ==================== CSRF Token Tests ====================
+
+    /**
+     * Tests that generateCsrfToken creates a 64-character hexadecimal string.
+     */
+    public function testGenerateCsrfTokenFormat(): void
+    {
+        $token = generateCsrfToken();
+        
+        // Token should be 64 hex characters (32 bytes * 2)
+        $this->assertIsString($token);
+        $this->assertEquals(64, strlen($token));
+        $this->assertMatchesRegularExpression('/^[a-f0-9]{64}$/', $token);
+    }
+
+    /**
+     * Tests that generateCsrfToken stores token in session.
+     */
+    public function testGenerateCsrfTokenStoresInSession(): void
+    {
+        $token = generateCsrfToken();
+        
+        $this->assertArrayHasKey('csrf_token', $_SESSION);
+        $this->assertEquals($token, $_SESSION['csrf_token']);
+        $this->assertArrayHasKey('csrf_token_time', $_SESSION);
+        $this->assertIsInt($_SESSION['csrf_token_time']);
+    }
+
+    /**
+     * Tests that generateCsrfToken produces different tokens on each call.
+     */
+    public function testGenerateCsrfTokenUnique(): void
+    {
+        $token1 = generateCsrfToken();
+        $token2 = generateCsrfToken();
+        
+        $this->assertNotEquals($token1, $token2);
+    }
+
+    /**
+     * Tests validateCsrfToken accepts a valid token.
+     */
+    public function testValidateCsrfTokenSuccess(): void
+    {
+        $token = generateCsrfToken();
+        
+        // Should validate successfully
+        $this->assertTrue(validateCsrfToken($token));
+    }
+
+    /**
+     * Tests validateCsrfToken rejects an empty token.
+     */
+    public function testValidateCsrfTokenEmpty(): void
+    {
+        generateCsrfToken(); // Set up valid session token
+        
+        // Empty submitted token should fail
+        $this->assertFalse(validateCsrfToken(''));
+    }
+
+    /**
+     * Tests validateCsrfToken rejects a mismatched token.
+     */
+    public function testValidateCsrfTokenMismatch(): void
+    {
+        generateCsrfToken();
+        
+        $wrongToken = 'a' . str_repeat('b', 63); // Wrong token
+        $this->assertFalse(validateCsrfToken($wrongToken));
+    }
+
+    /**
+     * Tests validateCsrfToken rejects when no session token exists.
+     */
+    public function testValidateCsrfTokenNoSessionToken(): void
+    {
+        // Don't generate a token, just try to validate
+        $this->assertFalse(validateCsrfToken('anytoken'));
+    }
+
+    /**
+     * Tests validateCsrfToken rejects expired tokens (older than 1 hour).
+     */
+    public function testValidateCsrfTokenExpiration(): void
+    {
+        $token = generateCsrfToken();
+        
+        // Manually set token time to 1 hour + 1 minute ago
+        $_SESSION['csrf_token_time'] = time() - 3661;
+        
+        $this->assertFalse(validateCsrfToken($token));
+    }
+
+    /**
+     * Tests validateCsrfToken accepts tokens less than 1 hour old.
+     */
+    public function testValidateCsrfTokenNotExpired(): void
+    {
+        $token = generateCsrfToken();
+        
+        // Manually set token time to 59 minutes ago
+        $_SESSION['csrf_token_time'] = time() - (59 * 60);
+        
+        $this->assertTrue(validateCsrfToken($token));
+    }
+
+    /**
+     * Tests invalidateCsrfToken removes token from session.
+     */
+    public function testInvalidateCsrfToken(): void
+    {
+        generateCsrfToken();
+        
+        // Verify token exists
+        $this->assertArrayHasKey('csrf_token', $_SESSION);
+        
+        invalidateCsrfToken();
+        
+        // Verify token is removed
+        $this->assertArrayNotHasKey('csrf_token', $_SESSION);
+        $this->assertArrayNotHasKey('csrf_token_time', $_SESSION);
+    }
+
+    // ==================== Honeypot Tests ====================
+
+    /**
+     * Tests validateHoneypot accepts empty values (legitimate users).
+     */
+    public function testValidateHoneypotEmpty(): void
+    {
+        $this->assertTrue(validateHoneypot(''));
+    }
+
+    /**
+     * Tests validateHoneypot accepts null (not filled).
+     */
+    public function testValidateHoneypotNull(): void
+    {
+        $this->assertTrue(validateHoneypot(null));
+    }
+
+    /**
+     * Tests validateHoneypot rejects filled values (bot detection).
+     */
+    public function testValidateHoneypotFilled(): void
+    {
+        $this->assertFalse(validateHoneypot('http://malicious-site.com'));
+        $this->assertFalse(validateHoneypot('bot'));
+        $this->assertFalse(validateHoneypot('any text'));
+    }
+
+    /**
+     * Tests validateHoneypot rejects whitespace-only values.
+     */
+    public function testValidateHoneypotWhitespace(): void
+    {
+        $this->assertFalse(validateHoneypot('   '));
+    }
+
+    // ==================== Client IP Tests ====================
+
+    /**
+     * Tests getClientIp returns REMOTE_ADDR when no proxy headers.
+     */
+    public function testGetClientIpRemoteAddr(): void
+    {
+        // Save original
+        $originalRemoteAddr = $_SERVER['REMOTE_ADDR'] ?? null;
+        
+        $_SERVER['REMOTE_ADDR'] = '192.168.1.100';
+        unset($_SERVER['HTTP_X_FORWARDED_FOR']);
+        unset($_SERVER['HTTP_X_REAL_IP']);
+        
+        $this->assertEquals('192.168.1.100', getClientIp());
+        
+        // Restore
+        if ($originalRemoteAddr) {
+            $_SERVER['REMOTE_ADDR'] = $originalRemoteAddr;
+        }
+    }
+
+    /**
+     * Tests getClientIp prioritizes X-Forwarded-For header.
+     */
+    public function testGetClientIpWithXForwardedFor(): void
+    {
+        $_SERVER['HTTP_X_FORWARDED_FOR'] = '203.0.113.50, 198.51.100.1';
+        $_SERVER['REMOTE_ADDR'] = '192.168.1.100';
+        unset($_SERVER['HTTP_X_REAL_IP']);
+        
+        // Should return the first IP from X-Forwarded-For
+        $this->assertEquals('203.0.113.50', getClientIp());
+        
+        unset($_SERVER['HTTP_X_FORWARDED_FOR']);
+    }
+
+    /**
+     * Tests getClientIp uses X-Real-IP when X-Forwarded-For not available.
+     */
+    public function testGetClientIpWithXRealIp(): void
+    {
+        unset($_SERVER['HTTP_X_FORWARDED_FOR']);
+        $_SERVER['HTTP_X_REAL_IP'] = '203.0.113.75';
+        $_SERVER['REMOTE_ADDR'] = '192.168.1.100';
+        
+        $this->assertEquals('203.0.113.75', getClientIp());
+        
+        unset($_SERVER['HTTP_X_REAL_IP']);
+    }
+
+    /**
+     * Tests getClientIp handles IPv6 addresses.
+     */
+    public function testGetClientIpIPv6(): void
+    {
+        $_SERVER['REMOTE_ADDR'] = '2001:db8::1';
+        unset($_SERVER['HTTP_X_FORWARDED_FOR']);
+        unset($_SERVER['HTTP_X_REAL_IP']);
+        
+        $this->assertEquals('2001:db8::1', getClientIp());
+    }
+
+    // ==================== Rate Limiting Tests ====================
+
+    /**
+     * Tests checkRateLimit allows submissions within limit.
+     */
+    public function testCheckRateLimitWithinBounds(): void
+    {
+        $clientIp = '203.0.113.100';
+        
+        // Record 2 submissions
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        
+        // Should allow 3rd submission (limit is 3 by default)
+        $this->assertTrue(
+            checkRateLimit(
+                $this->connection,
+                $clientIp,
+                'feedback',
+                RATE_LIMIT_FEEDBACK_MAX,
+                RATE_LIMIT_WINDOW_SECONDS
+            )
+        );
+    }
+
+    /**
+     * Tests checkRateLimit rejects submissions exceeding limit.
+     */
+    public function testCheckRateLimitExceeded(): void
+    {
+        $clientIp = '203.0.113.101';
+        
+        // Record 3 submissions (at the limit)
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        
+        // 4th submission should be rejected
+        $this->assertFalse(
+            checkRateLimit(
+                $this->connection,
+                $clientIp,
+                'feedback',
+                RATE_LIMIT_FEEDBACK_MAX,
+                RATE_LIMIT_WINDOW_SECONDS
+            )
+        );
+    }
+
+    /**
+     * Tests checkRateLimit maintains separate counters for different actions.
+     */
+    public function testCheckRateLimitMultipleActions(): void
+    {
+        $clientIp = '203.0.113.102';
+        
+        // Max 3 for feedback, 5 for save, 2 for submit (testing with smaller numbers)
+        $feedbackLimit = 3;
+        $saveLimit = 5;
+        $submitLimit = 2;
+        
+        // Record 3 feedback submissions (at limit)
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        recordRateLimit($this->connection, $clientIp, 'feedback');
+        
+        // Feedback should be blocked
+        $this->assertFalse(
+            checkRateLimit($this->connection, $clientIp, 'feedback', $feedbackLimit, RATE_LIMIT_WINDOW_SECONDS)
+        );
+        
+        // But save should still be allowed (separate counter)
+        $this->assertTrue(
+            checkRateLimit($this->connection, $clientIp, 'save', $saveLimit, RATE_LIMIT_WINDOW_SECONDS)
+        );
+        
+        // Record 2 save submissions (at limit)
+        recordRateLimit($this->connection, $clientIp, 'save');
+        recordRateLimit($this->connection, $clientIp, 'save');
+        
+        // Save should be allowed (2 < 5)
+        $this->assertTrue(
+            checkRateLimit($this->connection, $clientIp, 'save', $saveLimit, RATE_LIMIT_WINDOW_SECONDS)
+        );
+        
+        // Submit should be allowed
+        $this->assertTrue(
+            checkRateLimit($this->connection, $clientIp, 'submit', $submitLimit, RATE_LIMIT_WINDOW_SECONDS)
+        );
+    }
+
+    /**
+     * Tests recordRateLimit successfully records submission.
+     */
+    public function testRecordRateLimit(): void
+    {
+        $clientIp = '203.0.113.103';
+        $actionType = 'feedback';
+        
+        $result = recordRateLimit($this->connection, $clientIp, $actionType);
+        
+        $this->assertTrue($result);
+        
+        // Verify it was recorded in database
+        $stmt = $this->connection->prepare(
+            "SELECT COUNT(*) as count FROM Rate_Limit WHERE ip_address = ? AND action = ?"
+        );
+        $stmt->bind_param("ss", $clientIp, $actionType);
+        $stmt->execute();
+        $row = $stmt->get_result()->fetch_assoc();
+        $stmt->close();
+        
+        $this->assertEquals(1, $row['count']);
+    }
+
+    /**
+     * Tests checkRateLimit respects the time window.
+     */
+    public function testCheckRateLimitTimeWindow(): void
+    {
+        $clientIp = '203.0.113.104';
+        $actionType = 'feedback';
+        
+        // Record a submission now
+        recordRateLimit($this->connection, $clientIp, $actionType);
+        
+        // Check with 1-second window (should be within)
+        $this->assertTrue(
+            checkRateLimit($this->connection, $clientIp, $actionType, 1, 1)
+        );
+        
+        // Wait briefly
+        sleep(2);
+        
+        // Check with 1-second window (should be outside, reset)
+        $this->assertTrue(
+            checkRateLimit($this->connection, $clientIp, $actionType, 0, 1)
+        );
+    }
+
+    /**
+     * Tests checkRateLimit cleans up old entries.
+     */
+    public function testCheckRateLimitCleanup(): void
+    {
+        $clientIp = '203.0.113.105';
+        
+        // Manually insert an old entry (25 hours ago)
+        $oldTime = date('Y-m-d H:i:s', time() - (25 * 3600));
+        $stmt = $this->connection->prepare(
+            "INSERT INTO Rate_Limit (action, ip_address, submitted_at) VALUES (?, ?, ?)"
+        );
+        $action = 'feedback';
+        $stmt->bind_param("sss", $action, $clientIp, $oldTime);
+        $stmt->execute();
+        $stmt->close();
+        
+        // Verify it exists
+        $stmt = $this->connection->prepare(
+            "SELECT COUNT(*) as count FROM Rate_Limit WHERE ip_address = ?"
+        );
+        $stmt->bind_param("s", $clientIp);
+        $stmt->execute();
+        $before = $stmt->get_result()->fetch_assoc();
+        $stmt->close();
+        
+        $this->assertGreaterThan(0, $before['count']);
+        
+        // Call checkRateLimit which should trigger cleanup
+        checkRateLimit($this->connection, $clientIp, 'feedback', 3, 3600);
+        
+        // Verify old entry was cleaned up
+        $stmt = $this->connection->prepare(
+            "SELECT COUNT(*) as count FROM Rate_Limit WHERE ip_address = ? AND submitted_at < DATE_SUB(NOW(), INTERVAL 24 HOUR)"
+        );
+        $stmt->bind_param("s", $clientIp);
+        $stmt->execute();
+        $after = $stmt->get_result()->fetch_assoc();
+        $stmt->close();
+        
+        $this->assertEquals(0, $after['count']);
+    }
+
+    /**
+     * Tests that different IPs have independent rate limit counters.
+     */
+    public function testCheckRateLimitIsolationByIP(): void
+    {
+        $ip1 = '203.0.113.106';
+        $ip2 = '203.0.113.107';
+        
+        // Record 3 submissions from IP1
+        recordRateLimit($this->connection, $ip1, 'feedback');
+        recordRateLimit($this->connection, $ip1, 'feedback');
+        recordRateLimit($this->connection, $ip1, 'feedback');
+        
+        // IP1 should be blocked
+        $this->assertFalse(
+            checkRateLimit($this->connection, $ip1, 'feedback', 3, RATE_LIMIT_WINDOW_SECONDS)
+        );
+        
+        // IP2 should still be allowed
+        $this->assertTrue(
+            checkRateLimit($this->connection, $ip2, 'feedback', 3, RATE_LIMIT_WINDOW_SECONDS)
+        );
+    }
+}
+?>
diff --git a/tests/playwright/features/save-security.spec.ts b/tests/playwright/features/save-security.spec.ts
new file mode 100644
index 000000000..7dbb87858
--- /dev/null
+++ b/tests/playwright/features/save-security.spec.ts
@@ -0,0 +1,259 @@
+import { test, expect, type Page } from '@playwright/test';
+import { navigateToHome, SELECTORS } from '../utils';
+
+const SAVE_ENDPOINT = '**/save/save_data.php';
+const CSRF_ENDPOINT = '**/api/csrf_token.php';
+
+
+/**
+ * Helper function to find and interact with the save button
+ */
+async function getSaveButton(page: Page) {
+  // Could be in navbar or main form
+  const saveBtn = page.locator('button:has-text("Save")').first();
+  return saveBtn;
+}
+// This test also checks the ability to execute save on an empty form.
+test.describe('Save Operation Security Features', () => {
+  test.describe('Honeypot field validation', () => {
+    test('honeypot field exists in main form and is empty initially', async ({ page }) => {
+      await navigateToHome(page);
+      
+      const honeypotField = page.locator('input[name="website"]');
+      await expect(honeypotField).toBeInViewport({ ratio: 0 }); // Hidden but in DOM
+      await expect(honeypotField).toHaveValue(''); // Should be empty for legitimate users
+    });
+
+    test('honeypot is reset when save modal opens', async ({ page }) => {
+      await navigateToHome(page);
+      
+      // Manually fill honeypot (simulating bot behavior)
+      await page.locator('input[name="website"]').fill('bot-filled-value');
+      
+      const saveBtn = await getSaveButton(page);
+      if (await saveBtn.isVisible()) {
+        await saveBtn.click();
+        
+        // Wait for save modal to appear
+        await page.waitForSelector('#modal-saveas', { state: 'visible' });
+        
+        // Honeypot should be reset to empty after modal opens
+        const honeypot = page.locator('input[name="website"]');
+        await expect(honeypot).toHaveValue('');
+      }
+    });
+
+    test('backend rejects save when honeypot is filled (bot detection)', async ({ page }) => {
+      let capturedFields: Record<string, string> = {};
+      
+      await page.route(SAVE_ENDPOINT, async (route) => {
+        const postData = route.request().postData() || '';
+        const params = new URLSearchParams(postData);
+        for (const [key, value] of params.entries()) {
+          capturedFields[key] = value;
+        }
+        
+        const websiteField = capturedFields['website'];
+        
+        // Simulate bot: honeypot was filled
+        if (websiteField && websiteField.length > 0) {
+          await route.fulfill({
+            status: 400,
+            contentType: 'application/json',
+            body: JSON.stringify({
+              success: false,
+              message: 'Invalid request',
+            }),
+          });
+        } else {
+          await route.fulfill({
+            status: 200,
+            contentType: 'application/json',
+            body: JSON.stringify({ success: true, message: 'Saved' }),
+          });
+        }
+      });
+      
+      await navigateToHome(page);
+      
+      // Simulate bot filling honeypot
+      await page.locator('input[name="website"]').fill('bot-value');
+      
+      const saveBtn = await getSaveButton(page);
+      if (await saveBtn.isVisible()) {
+        await saveBtn.click();
+        
+        // Wait for modal and confirm save
+        await page.waitForSelector('#modal-saveas', { state: 'visible' });
+        const confirmBtn = page.locator('#button-saveas-save');
+        if (await confirmBtn.isVisible()) {
+          await confirmBtn.click();
+          
+          // Wait for response
+          await page.waitForResponse((response) =>
+            response.url().includes('save_data.php')
+          );
+          
+          // Should show error for honeypot detection
+          const errorAlert = page.locator('.alert-danger');
+          if (await errorAlert.count() > 0) {
+            await expect(errorAlert).toBeVisible();
+          }
+        }
+      }
+      
+      await page.unroute(SAVE_ENDPOINT);
+    });
+  });
+
+  test.describe('Security fields in save operation', () => {
+    test('save operation is processed by backend security validation', async ({ page }) => {
+      // Save doesn't have a dedicated modal with UI security fields,
+      // but backend (save_data.php) validates:
+      // - Honeypot (if present in form POST data)
+      // - CSRF token
+      // - Rate limiting
+      // - Time spent validation
+      
+      // This test verifies that the save endpoint validates these server-side
+      // even if they're not visible in a dedicated modal
+      
+      let responseStatus = 0;
+      
+      await page.route(SAVE_ENDPOINT, async (route) => {
+        responseStatus = 200;
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify({ success: true, message: 'Saved' }),
+        });
+      });
+      
+      await navigateToHome(page);
+      
+      const saveBtn = await getSaveButton(page);
+      if (await saveBtn.isVisible()) {
+        await saveBtn.click();
+        await page.waitForTimeout(500);
+        
+        // Verify save endpoint was called
+        expect(responseStatus).toBe(200);
+      }
+      
+      await page.unroute(SAVE_ENDPOINT);
+    });
+  });
+
+  test.describe('CSRF token protection in save', () => {
+    test('save form includes CSRF token field', async ({ page }) => {
+      await navigateToHome(page);
+            
+      // Check for hidden CSRF field
+      const csrfField = page.locator('input[name="csrf_token"]');
+      
+      if (await csrfField.count() > 0) {
+        await expect(csrfField).toHaveAttribute('type', 'hidden');
+      }
+    });
+
+    test('save form includes security fields in submission', async ({ page }) => {
+      let capturedFields: Record<string, string> = {};
+      
+      await page.route(SAVE_ENDPOINT, async (route) => {
+        const postData = route.request().postData() || '';
+        const params = new URLSearchParams(postData);
+        for (const [key, value] of params.entries()) {
+          capturedFields[key] = value;
+        }
+        
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify({ success: true, message: 'Saved' }),
+        });
+      });
+      
+      await navigateToHome(page);
+            
+      const saveBtn = await getSaveButton(page);
+      if (await saveBtn.isVisible()) {
+        await saveBtn.click();
+        
+        await page.waitForTimeout(1000);
+        
+        // Verify security fields are present
+        expect(capturedFields).toHaveProperty('csrf_token');
+        expect(capturedFields).toHaveProperty('website');
+        expect(capturedFields['csrf_token'].length).toBeGreaterThan(0);
+      }
+      
+      await page.unroute(SAVE_ENDPOINT);
+    });
+  });
+
+  test.describe('Rate limiting on save operations', () => {
+    test('shows rate limit error message when server returns 429', async ({ page }) => {
+      await page.route(SAVE_ENDPOINT, async (route) => {
+        await route.fulfill({
+          status: 429,
+          contentType: 'application/json',
+          body: JSON.stringify({
+            success: false,
+            message: 'Too many save requests. Please try again later.',
+          }),
+        });
+      });
+      
+      await navigateToHome(page);
+            
+      const saveBtn = await getSaveButton(page);
+      if (await saveBtn.isVisible()) {
+        await saveBtn.click();
+        
+        // Wait for response
+        await page.waitForResponse((response) =>
+          response.url().includes('save_data.php')
+        );
+        
+        // Check for error message
+        const errorAlert = page.locator('.alert-danger');
+        if (await errorAlert.count() > 0) {
+          await expect(errorAlert).toBeVisible();
+        }
+      }
+      
+      await page.unroute(SAVE_ENDPOINT);
+    });
+
+    test('shows CSRF error message when token is invalid for save', async ({ page }) => {
+      await page.route(SAVE_ENDPOINT, async (route) => {
+        await route.fulfill({
+          status: 403,
+          contentType: 'application/json',
+          body: JSON.stringify({
+            success: false,
+            message: 'Invalid request - CSRF token validation failed',
+          }),
+        });
+      });
+      
+      await navigateToHome(page);
+            
+      const saveBtn = await getSaveButton(page);
+      if (await saveBtn.isVisible()) {
+        await saveBtn.click();
+        
+        await page.waitForResponse((response) =>
+          response.url().includes('save_data.php')
+        );
+        
+        const errorAlert = page.locator('.alert-danger');
+        if (await errorAlert.count() > 0) {
+          await expect(errorAlert).toBeVisible();
+        }
+      }
+      
+      await page.unroute(SAVE_ENDPOINT);
+    });
+  });
+});
\ No newline at end of file
diff --git a/tests/playwright/features/submit-security.spec.ts b/tests/playwright/features/submit-security.spec.ts
new file mode 100644
index 000000000..a86f6c587
--- /dev/null
+++ b/tests/playwright/features/submit-security.spec.ts
@@ -0,0 +1,235 @@
+import { test, expect } from '@playwright/test';
+import { navigateToHome, completeMinimalDatasetForm } from '../utils';
+
+const SUBMIT_ENDPOINT = '**/api/v2/controllers/SubmitController.php';
+
+test.describe('Submit Operation Security Features', () => {
+  test.beforeEach(async ({ page }) => {
+    await navigateToHome(page);
+  });
+
+  test.describe('Honeypot field protection in submit form', () => {
+    test('honeypot field exists but is hidden in submit form', async ({ page }) => {
+      await completeMinimalDatasetForm(page);
+
+      // Open submit modal
+      const submitBtn = page.locator('#button-form-submit');
+      await submitBtn.scrollIntoViewIfNeeded();
+      await submitBtn.click();
+      const submitModal = page.locator('#modal-submit');
+      await expect(submitModal).toBeVisible({ timeout: 5000 });
+
+      // Check honeypot field
+      const honeypotField = page.locator('#modal-submit input[name="website"]').first();
+      const honeypotCount = await honeypotField.count();
+
+      if (honeypotCount > 0) {
+        await expect(honeypotField).toHaveAttribute('tabindex', '-1');
+        await expect(honeypotField).toHaveAttribute('autocomplete', 'off');
+        await expect(honeypotField).toHaveAttribute('type', 'text');
+      }
+    });
+
+    test('honeypot field is empty in submit form', async ({ page }) => {
+      await completeMinimalDatasetForm(page);
+
+      const submitBtn = page.locator('#button-form-submit');
+      await submitBtn.scrollIntoViewIfNeeded();
+      await submitBtn.click();
+      await expect(page.locator('#modal-submit')).toBeVisible({ timeout: 5000 });
+
+      const honeypotField = page.locator('#modal-submit input[name="website"]').first();
+      const honeypotCount = await honeypotField.count();
+
+      if (honeypotCount > 0) {
+        await expect(honeypotField).toHaveValue('');
+      }
+    });
+
+    test('submit form includes honeypot field in submission', async ({ page }) => {
+      let capturedFormData: Record<string, string> = {};
+
+      await page.route(SUBMIT_ENDPOINT, async route => {
+        try {
+          const postData = route.request().postData();
+          if (postData) {
+            const params = new URLSearchParams(postData);
+            params.forEach((value, key) => {
+              capturedFormData[key] = value;
+            });
+          }
+        } catch (e) {
+          console.log('Error capturing form data:', e);
+        }
+
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify({ success: true, message: 'Submitted' }),
+        });
+      });
+
+      await completeMinimalDatasetForm(page);
+
+      const submitBtn = page.locator('#button-form-submit');
+      await submitBtn.scrollIntoViewIfNeeded();
+      await submitBtn.click();
+      await expect(page.locator('#modal-submit')).toBeVisible({ timeout: 5000 });
+
+      const honeypotField = page.locator('#modal-submit input[name="website"]').first();
+      const honeypotCount = await honeypotField.count();
+
+      if (honeypotCount > 0) {
+        await expect(honeypotField).toHaveValue('');
+        
+        // Submit the form
+        const submitFormBtn = page.locator('#modal-submit button[type="submit"]').first();
+        await submitFormBtn.click();
+        await page.waitForTimeout(500);
+
+        // Verify honeypot was sent (should be empty)
+        if (capturedFormData['website'] !== undefined) {
+          expect(capturedFormData['website']).toBe('');
+        }
+      }
+
+      await page.unroute(SUBMIT_ENDPOINT);
+    });
+  });
+
+  test.describe('CSRF token protection in submit', () => {
+    test('submit form includes CSRF token field', async ({ page }) => {
+      await completeMinimalDatasetForm(page);
+
+      const submitBtn = page.locator('#button-form-submit');
+      await submitBtn.scrollIntoViewIfNeeded();
+      await submitBtn.click();
+      await expect(page.locator('#modal-submit')).toBeVisible({ timeout: 5000 });
+
+      const csrfField = page.locator('#modal-submit input[name="csrf_token"]').first();
+      const csrfCount = await csrfField.count();
+
+      if (csrfCount > 0) {
+        await expect(csrfField).toHaveAttribute('type', 'hidden');
+        const tokenValue = await csrfField.inputValue();
+        expect(tokenValue).toBeTruthy();
+        expect(tokenValue?.length).toBeGreaterThan(0);
+      }
+    });
+
+    test('submit form includes security fields in submission', async ({ page }) => {
+      const securityFieldsFound = {
+        csrf_token: false,
+        website: false,
+      };
+
+      await page.route(SUBMIT_ENDPOINT, async route => {
+        try {
+          const postData = route.request().postData() || '';
+          const params = new URLSearchParams(postData);
+
+          if (params.has('csrf_token')) {
+            securityFieldsFound.csrf_token = true;
+          }
+          if (params.has('website')) {
+            securityFieldsFound.website = true;
+          }
+        } catch (e) {
+          console.log('Error checking security fields:', e);
+        }
+
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify({ success: true, message: 'Submitted' }),
+        });
+      });
+
+      await completeMinimalDatasetForm(page);
+      const submitBtn = page.locator('#button-form-submit');
+      await submitBtn.scrollIntoViewIfNeeded();
+      await submitBtn.click();
+      await expect(page.locator('#modal-submit')).toBeVisible({ timeout: 5000 });
+
+      const submitFormBtn = page.locator('#modal-submit button[type="submit"]').first();
+      await submitFormBtn.click();
+      await page.waitForTimeout(500);
+
+      expect(securityFieldsFound.csrf_token).toBe(true);
+      expect(securityFieldsFound.website).toBe(true);
+
+      await page.unroute(SUBMIT_ENDPOINT);
+    });
+  });
+
+  test.describe('Rate limiting on submit operations', () => {
+    test('shows rate limit error message when server returns 429 on submit', async ({ page }) => {
+      await page.route(SUBMIT_ENDPOINT, async route => {
+        await route.fulfill({
+          status: 429,
+          contentType: 'application/json',
+          body: JSON.stringify({
+            success: false,
+            message: 'Too many submission requests.',
+          }),
+        });
+      });
+
+      await completeMinimalDatasetForm(page);
+
+      const submitBtn = page.locator('#button-form-submit');
+      await submitBtn.scrollIntoViewIfNeeded();
+      await submitBtn.click();
+      await expect(page.locator('#modal-submit')).toBeVisible({ timeout: 5000 });
+
+      const submitFormBtn = page.locator('#modal-submit button[type="submit"]').first();
+      await submitFormBtn.click();
+
+      // Wait for error to appear
+      await page.waitForTimeout(1500);
+
+      const errorAlert = page.locator('.alert-danger, .alert-error, [role="alert"]').first();
+      const errorExists = await errorAlert.count() > 0;
+
+      if (errorExists) {
+        await expect(errorAlert).toBeVisible({ timeout: 3000 });
+      }
+
+      await page.unroute(SUBMIT_ENDPOINT);
+    });
+
+    test('shows CSRF error message when token is invalid for submit', async ({ page }) => {
+      await page.route(SUBMIT_ENDPOINT, async route => {
+        await route.fulfill({
+          status: 403,
+          contentType: 'application/json',
+          body: JSON.stringify({
+            success: false,
+            message: 'Invalid CSRF token',
+          }),
+        });
+      });
+
+      await completeMinimalDatasetForm(page);
+
+      const submitBtn = page.locator('#button-form-submit');
+      await submitBtn.scrollIntoViewIfNeeded();
+      await submitBtn.click();
+      await expect(page.locator('#modal-submit')).toBeVisible({ timeout: 5000 });
+
+      const submitFormBtn = page.locator('#modal-submit button[type="submit"]').first();
+      await submitFormBtn.click();
+
+      await page.waitForTimeout(1500);
+
+      const errorAlert = page.locator('.alert-danger, .alert-error, [role="alert"]').first();
+      const errorExists = await errorAlert.count() > 0;
+
+      if (errorExists) {
+        await expect(errorAlert).toBeVisible({ timeout: 3000 });
+      }
+
+      await page.unroute(SUBMIT_ENDPOINT);
+    });
+  });
+});