Forms API - Preventing Users to Submit without API Key

SOLVE
rawsly
Member

Hello,

 

I have built a custom form with React.js for Forms using Forms API. However, I could not find any information about how to prevent user to send a post request without an API key. In the end, user is able to fill a form and send a multiple request without any security clearance. What I want to achieve is to embed my API key with PHP in the backend part of the form, so that users will not be able to send a post request with 3rd party applications like "Postman".

1 Accepted solution
tjoyce
Solution
Recognized Expert | Platinum Partner

@rawsly - The ReCaptcha is basically it.. 

I see your concern and the question however, HS is no different than any other form on the internet.

I can take any form that submits with JS and drop it into postman, grab the exposed front-end key (if it exists) and make as many postman requests as I like.

 

Some mitigation steps that can be taken are

1. Force request origins from only known domains

2. CSRF tokens

3. ReCaptcha

 

You raise a good question though, and I think white list domains similar to how Google App Engine does it would be a really nice feature that I haven't seen in HS yet.

 

So, I think you're left with building your own security which would mean... Show no reminents of HS form submission in your front-end, sanitize the data when it hits your WP API as best you can, then submit the data through the HS API... and make sure you are doing front end and back end validation. You can also make sure the form submission origin is from your own domain white list... 

 

This would leave a lot of guessing that would have to happen for an attacker to figure out the HS API endpoint to submit your form

 


If this answer helped, please, mark as solved 😄


tim@belch.io | forms.belch.io | Design your own Beautiful HubSpot Forms; No coding necessary.

 

Drop by and say Hi to me on slack.

View solution in original post

4 Replies 4
tjoyce
Recognized Expert | Platinum Partner

@rawsly - This official PHP package for HS is my go to... https://github.com/HubSpot/hubspot-php

I use this composer package in my Laravel apps and accomplish just this by setting the API key in a .env file.

Laravel also ships with CSRF protection which means the postman requests should be invalidated if the request wasn't generated from your server with the session signed token. Since postman can't generate those CSRF tokens, you might try that approach.

https://laravel.com/docs/8.x/csrf

 

And yes, CSRF should work seamlessly with your react front-end... I use them in vue all the time, as long as the form is sitting on the same server that is generating the token 😄

 


If this answer helped, please, mark as solved 😄


tim@belch.io | forms.belch.io | Design your own Beautiful HubSpot Forms; No coding necessary.

 

Drop by and say Hi to me on slack.

 

rawsly
Member

Hello @tjoyce,

I am using Wordpress as backend. But it is not relevant I guess. In the end, I will probably be able to hide my API key with no problem. My question is that "Is there a specific reason why Forms API Submit Form Data does not require an authentication?".

 

I mean what happens if a malicious user tries to send a request to this public API repeatedly? Is there a way to stop the user besides that using reCaptcha to protect the form?

tjoyce
Solution
Recognized Expert | Platinum Partner

@rawsly - The ReCaptcha is basically it.. 

I see your concern and the question however, HS is no different than any other form on the internet.

I can take any form that submits with JS and drop it into postman, grab the exposed front-end key (if it exists) and make as many postman requests as I like.

 

Some mitigation steps that can be taken are

1. Force request origins from only known domains

2. CSRF tokens

3. ReCaptcha

 

You raise a good question though, and I think white list domains similar to how Google App Engine does it would be a really nice feature that I haven't seen in HS yet.

 

So, I think you're left with building your own security which would mean... Show no reminents of HS form submission in your front-end, sanitize the data when it hits your WP API as best you can, then submit the data through the HS API... and make sure you are doing front end and back end validation. You can also make sure the form submission origin is from your own domain white list... 

 

This would leave a lot of guessing that would have to happen for an attacker to figure out the HS API endpoint to submit your form

 


If this answer helped, please, mark as solved 😄


tim@belch.io | forms.belch.io | Design your own Beautiful HubSpot Forms; No coding necessary.

 

Drop by and say Hi to me on slack.

dennisedson
Community Manager

Hey @rawsly this is an interesting question. 

Curious to underdstand more. 

@tjoyce basically knows everything about everything so I will add him to the convo as well 😀

Thanks,

Dennis




Check out our Community Developer Blog
where we feature our Community driven developer podcast and how to content