topic Re: Forms API - Preventing Users to Submit without API Key in APIs & Integrations

Forms API - Preventing Users to Submit without API Key

rawsly — Mon, 21 Dec 2020 10:47:08 GMT

Hello,

I have built a custom form with React.js for Forms using Forms API. However, I could not find any information about how to prevent user to send a post request without an API key. In the end, user is able to fill a form and send a multiple request without any security clearance. What I want to achieve is to embed my API key with PHP in the backend part of the form, so that users will not be able to send a post request with 3rd party applications like "Postman".

Re: Forms API - Preventing Users to Submit without API Key

dennisedson — Mon, 21 Dec 2020 20:58:58 GMT

Hey @rawsly this is an interesting question.

Curious to underdstand more.

@tjoyce basically knows everything about everything so I will add him to the convo as well 😀

Re: Forms API - Preventing Users to Submit without API Key

tjoyce — Tue, 22 Dec 2020 08:21:00 GMT

@rawsly - This official PHP package for HS is my go to... https://github.com/HubSpot/hubspot-php

I use this composer package in my Laravel apps and accomplish just this by setting the API key in a .env file.

Laravel also ships with CSRF protection which means the postman requests should be invalidated if the request wasn't generated from your server with the session signed token. Since postman can't generate those CSRF tokens, you might try that approach.

https://laravel.com/docs/8.x/csrf

And yes, CSRF should work seamlessly with your react front-end... I use them in vue all the time, as long as the form is sitting on the same server that is generating the token 😄

If this answer helped, please, mark as solved 😄

tim@belch.io | forms.belch.io | Design your own Beautiful HubSpot Forms; No coding necessary.

Drop by and say Hi to me on slack.

Re: Forms API - Preventing Users to Submit without API Key

rawsly — Tue, 22 Dec 2020 23:31:08 GMT

Hello @tjoyce,

I am using Wordpress as backend. But it is not relevant I guess. In the end, I will probably be able to hide my API key with no problem. My question is that "Is there a specific reason why Forms API Submit Form Data does not require an authentication?".

I mean what happens if a malicious user tries to send a request to this public API repeatedly? Is there a way to stop the user besides that using reCaptcha to protect the form?

Re: Forms API - Preventing Users to Submit without API Key

tjoyce — Wed, 23 Dec 2020 08:54:57 GMT

@rawsly - The ReCaptcha is basically it..

I see your concern and the question however, HS is no different than any other form on the internet.

I can take any form that submits with JS and drop it into postman, grab the exposed front-end key (if it exists) and make as many postman requests as I like.

Some mitigation steps that can be taken are

1. Force request origins from only known domains

2. CSRF tokens

3. ReCaptcha

You raise a good question though, and I think white list domains similar to how Google App Engine does it would be a really nice feature that I haven't seen in HS yet.

So, I think you're left with building your own security which would mean... Show no reminents of HS form submission in your front-end, sanitize the data when it hits your WP API as best you can, then submit the data through the HS API... and make sure you are doing front end and back end validation. You can also make sure the form submission origin is from your own domain white list...

This would leave a lot of guessing that would have to happen for an attacker to figure out the HS API endpoint to submit your form

If this answer helped, please, mark as solved 😄

tim@belch.io | forms.belch.io | Design your own Beautiful HubSpot Forms; No coding necessary.

Drop by and say Hi to me on slack.