Security considerations for a contact form?

Hello Cloudflare Community,

I’m building a simple contact form for my personal website that uses a Worker to send me a notification email via the Sendgrid REST API. I’m using the Sitepoint tutorial “Form Handling for Jamstack Sites Using Cloudflare Workers” as my guide. My account is new so I can’t link to it.

I’m adding schema validation to the data being collected, and looking at Validator.js for sanitizing email data. Secrets are being handled by Cloudflare Secrets. Logs will be sent to Sentry or another service.

Are there additional security considerations I’m overlooking?

Specifically:

  • Do I need to add code for rate limiting?
  • Do I need an API gateway?
  • Other vectors I need to consider?

I’m new to Workers and serverless, so the question might be overly broad. I’ll go ahead and ask because I haven’t found a lot of documentation on hardening Workers for production. Much appreciated.

  • Do I need to add code for rate limiting?

Most likely, bots love spamming those forms. They also love attempting to break into them (XSS, SQL attacks).
You should verify whether it’s cheaper to absorb the attacks or to pay for rate limiting.

  • Do I need an API gateway?

CF has an API Shield but it’s mostly enterprise oriented. Probably not worth the investment in your case.

  • Other vectors I need to consider?

Add a Captcha to the form, those add friction but are usually effective against bot attacks. I can recommend hCaptcha, they have recently added some security updates that make their product very interesting.


Thanks @jnperamo, your response filled in a lot of knowledge gaps.

After reading this, I followed up with a Services Advisor. They pointed me to the WAF rules for rate limits and Worker pay-as-you-go rate limiting. I’ll give hCaptcha a look. Here’s hoping it’s accessible. I’ll have to look at alternatives like a honeypot and timing code if not.

Either way I’ve got enough to move forward with this project.
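The checks discussed in this thread (schema validation of the submitted fields, a honeypot field and a minimum fill time as the accessible fallback, server-side hCaptcha verification, and a burst rate limit keyed by client IP) as one Worker, written here as an added example. It is not the original poster's code, the Sitepoint tutorial's, or Cloudflare's. The hCaptcha `siteverify` endpoint, the `h-captcha-response` field and the `CF-Connecting-IP` header are real; the field names `name`, `email`, `message`, `website` (honeypot) and `rendered_at`, the secret binding `HCAPTCHA_SECRET`, and the limits are assumptions. The email check is a deliberately conservative regex; the real Worker would call Validator.js `isEmail()` there instead.

```javascript
// Added example: server-side checks for a contact-form Worker, kept as plain
// functions so they run and test under Node without a Workers runtime.
// Field names, limits and the HCAPTCHA_SECRET binding are assumptions.

const MAX_NAME = 100;
const MAX_MESSAGE = 5000;
const MIN_FILL_MS = 3000; // assumption: humans rarely complete the form in < 3 s
// Conservative shape check only; use validator.js isEmail() in production.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate parsed form fields. Returns { ok: true, data } or { ok: false, reason }.
// `now` is injectable so the timing check can be tested deterministically.
function validateSubmission(fields, now = Date.now()) {
  // Honeypot: hidden field "website" that real users never fill in.
  if (fields.website) return { ok: false, reason: "honeypot" };

  // Timing: the page embeds its render time; bots tend to post instantly.
  const rendered = Number(fields.rendered_at);
  if (!Number.isFinite(rendered) || now - rendered < MIN_FILL_MS) {
    return { ok: false, reason: "too_fast" };
  }

  const name = String(fields.name ?? "").trim();
  const email = String(fields.email ?? "").trim();
  const message = String(fields.message ?? "").trim();

  if (!name || name.length > MAX_NAME) return { ok: false, reason: "name" };
  if (email.length > 254 || !EMAIL_RE.test(email)) return { ok: false, reason: "email" };
  if (!message || message.length > MAX_MESSAGE) return { ok: false, reason: "message" };

  // Strip CR/LF from anything that might end up in a mail header (e.g. a reply-to name).
  return { ok: true, data: { name: name.replace(/[\r\n]+/g, " "), email, message } };
}

// Sliding-window counter keyed by client IP. Memory is per Worker isolate, so
// this only dampens bursts against one isolate; a global limit belongs in WAF
// rate limiting rules (as the advisor in the thread suggested) or a Durable Object.
function makeRateLimiter(limit, windowMs) {
  const hits = new Map();
  return function allow(key, now = Date.now()) {
    const recent = (hits.get(key) ?? []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) {
      hits.set(key, recent);
      return false;
    }
    recent.push(now);
    hits.set(key, recent);
    return true;
  };
}

// Server-side hCaptcha verification against the documented siteverify API.
// `fetchImpl` is injectable so the logic can be tested without network access.
async function verifyHcaptcha(token, secret, remoteip, fetchImpl = fetch) {
  if (!token || !secret) return false;
  const body = new URLSearchParams({ secret, response: token });
  if (remoteip) body.set("remoteip", remoteip);
  const res = await fetchImpl("https://api.hcaptcha.com/siteverify", {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  if (!res.ok) return false;
  const json = await res.json();
  return json.success === true;
}

const allowSubmission = makeRateLimiter(5, 60_000); // 5 posts per minute per IP

// In wrangler's module format this object is the `export default`.
const worker = {
  async fetch(request, env) {
    if (request.method !== "POST") return new Response("Method Not Allowed", { status: 405 });
    const ip = request.headers.get("CF-Connecting-IP") ?? "unknown";
    if (!allowSubmission(ip)) return new Response("Too Many Requests", { status: 429 });

    const fields = Object.fromEntries(await request.formData());
    const result = validateSubmission(fields);
    // Log result.reason to Sentry here; never echo it to the client.
    if (!result.ok) return new Response("Bad Request", { status: 400 });

    const human = await verifyHcaptcha(fields["h-captcha-response"], env.HCAPTCHA_SECRET, ip);
    if (!human) return new Response("Forbidden", { status: 403 });

    // The Sendgrid call with result.data and the Cloudflare Secret for the API key goes here.
    return new Response("OK", { status: 200 });
  },
};
```

The order of checks is deliberate: the cheap in-memory limit and the pure validation run before the outbound `siteverify` request, so a flood of junk never costs a subrequest per hit, and the honeypot and timing rejections return the same generic 400 as a malformed submission so a bot learns nothing about which check tripped.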
