Hi there, we’ve been using netlify and we’ve been satisfied with it so far, thanks for all the hard work you guys have put in.
I have a question, and it's regarding the built-in forms provided by Netlify. Let's say I have a contact us form and some of the fields are required before submission. To give an example, a form with name (required) and message (optional) [client-side validation].
Our audit team has tried intercepting the form submission request using their "Burp Suite" and they have managed to alter the request such that they remove the required field (name), and they managed to hit the endpoint and submit this altered request.
Is there any feature / protection measures that are available on Netlify, to prevent an interception of the request?
Thanks for taking the time to answer this question.
Hi @cavacado, thanks for posting and welcome to the Netlify Support Forums.
Very good question.
You can do client-side validation as you indicated.
However, unfortunately Netlify Forms does not currently have an API for you to do backend form validation.
An alternative solution would be to POST the form data to a Netlify Function and then validate the form data for the required fields as you stated. If the validation requirements are not met, you can respond with an error message, redirect, etc. to the end user.
Once the form data has passed the required validation, you can use SMTP clients such as Nodemailer, EmailJS, etc. to send the form data to your email, just like how Netlify Forms forwards submissions to your configured email. You can also use third-party providers like SendGrid to send the form data to your email.
If you submit the form without any name input, it would fail; however, as soon as you add any string to the name input, it works.
You’d have to customise this for your needs, though. Also, I’m not sure how well this would work for forms with file uploads, so that’s something to be cautious about.
An important note though, Edge Functions are in Beta right now and can fail sometimes. It’s not recommended yet for mission critical apps where even a single miss can cause serious issues.
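The server-side check that both replies above describe (the Netlify Function route from the first reply, and the "fails without a name, works with one" behaviour of the second), written out as an added example. This is not code from either post or from Netlify; it assumes the form from the question (name required, message optional), hypothetical maximum lengths, a Netlify Function file such as netlify/functions/contact.js, and a `deliver` callback standing in for whatever mailer you use (for example nodemailer's `transporter.sendMail`). Sample requests are constructed inline, including one edited the way the audit team did with Burp Suite.

```javascript
// Added example, not Netlify's code and not code from the forum thread.
// A Netlify Function that re-validates the contact form on the server, so a
// request edited in Burp Suite to drop the required "name" field is rejected
// instead of being accepted.

// Hypothetical rules for the form in the question: name required, message
// optional. The maximum lengths are an added assumption.
const FORM_RULES = {
  name: { required: true, maxLength: 100 },
  message: { required: false, maxLength: 2000 },
};

// Parse the raw request body into a plain object of fields. Netlify hands the
// body to the function as a string, base64-encoded when isBase64Encoded is set.
// Only urlencoded and JSON bodies are accepted; multipart (file uploads) is
// deliberately not handled here.
function parseFormBody(event) {
  const headers = event.headers || {};
  const contentType = String(headers["content-type"] || headers["Content-Type"] || "").toLowerCase();
  const raw = event.isBase64Encoded
    ? Buffer.from(event.body || "", "base64").toString("utf8")
    : event.body || "";

  if (contentType.startsWith("application/x-www-form-urlencoded")) {
    const fields = Object.create(null);
    for (const [key, value] of new URLSearchParams(raw)) {
      // A key sent twice (another request-editing trick) keeps only the first value.
      if (!Object.prototype.hasOwnProperty.call(fields, key)) fields[key] = value;
    }
    return fields;
  }
  if (contentType.startsWith("application/json")) {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
      throw new Error("JSON body must be an object");
    }
    return parsed;
  }
  throw new Error(`unsupported content type: ${contentType || "(none)"}`);
}

// Check parsed fields against the rules. Only the server-side rules decide what
// is required; the HTML "required" attribute the client can strip is irrelevant.
// Returns { ok, errors, values } with values trimmed and limited to known fields.
function validateSubmission(fields, rules = FORM_RULES) {
  const errors = [];
  const values = {};
  for (const [field, rule] of Object.entries(rules)) {
    const raw = Object.prototype.hasOwnProperty.call(fields, field) ? fields[field] : undefined;
    if (raw !== undefined && typeof raw !== "string") {
      errors.push(`${field}: must be a string`);
      continue;
    }
    const value = raw === undefined ? "" : raw.trim();
    if (rule.required && value.length === 0) {
      errors.push(`${field}: required`); // missing, empty or whitespace-only
      continue;
    }
    if (value.length > rule.maxLength) {
      errors.push(`${field}: longer than ${rule.maxLength} characters`);
      continue;
    }
    values[field] = value;
  }
  return { ok: errors.length === 0, errors, values };
}

function jsonResponse(statusCode, payload) {
  return { statusCode, headers: { "content-type": "application/json" }, body: JSON.stringify(payload) };
}

// Build the Netlify Function handler. `deliver(values)` sends the validated
// submission on (nodemailer, SendGrid, ...); it is injected so this runs offline.
// In netlify/functions/contact.js you would write: exports.handler = createHandler(sendMail);
function createHandler(deliver) {
  return async function handler(event) {
    if (event.httpMethod !== "POST") return jsonResponse(405, { error: "method not allowed" });
    let fields;
    try {
      fields = parseFormBody(event);
    } catch (err) {
      return jsonResponse(400, { error: err.message });
    }
    const result = validateSubmission(fields);
    if (!result.ok) return jsonResponse(400, { errors: result.errors });
    await deliver(result.values); // only reached with every required field present
    return jsonResponse(200, { ok: true });
  };
}

// Constructed sample requests: one as the browser sends it, one edited to drop
// the required name (the audit team's case), one with a whitespace-only name.
function makeEvent(body, contentType = "application/x-www-form-urlencoded") {
  return { httpMethod: "POST", headers: { "content-type": contentType }, body, isBase64Encoded: false };
}

async function demo() {
  const delivered = [];
  const handler = createHandler(async (values) => { delivered.push(values); });
  const legit = await handler(makeEvent("name=Ada&message=hello"));
  const tampered = await handler(makeEvent("message=hello"));
  const blank = await handler(makeEvent("name=%20%20&message=hello"));
  return { legit, tampered, blank, delivered };
}
```

Point the form's action at the function's path instead of relying on Netlify Forms, and keep the client-side `required` attributes purely for user experience. `validateSubmission` is independent of the Function runtime, so the approach the second reply describes, an Edge Function that lets the request continue only when validation passes, can reuse it; the Beta caveat in that reply still applies there, and the multipart case the reply flags is exactly the body type `parseFormBody` refuses.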