No announcement yet.


  • Filter
  • Time
  • Show
Clear All
new posts

  • reCAPTCHA/Security

    Hello -- I saw this in the FaaS docs and I want to make sure I'm implementing it correctly in our Salesforce Lightning Community (which is open to the unauthenticated public):
    "To prevent spam and fraudulent attacks on webforms that use Click & Pledge’s API all forms must include reCAPTCHA to validate patrons." (Source:

    Does the following sound like a good amount of security for FaaS?
    - The html form does not include the Form URL (, AccountIdNumber, or AccountGuid on initial render.
    - The html form does include a google reCAPTCHA (v2, the checkbox)
    - When the reCAPTCHA is verified, the submit button appears
    - When the submit button is clicked, the result of the reCAPTCHA is sent to Apex for server-side validation of the reCAPTCHA.
    - If the server-side reCAPTCHA validation succeeds, then apex sends the values for URL, AccountIdNumber, and AccountGuid back to the client (javascript)
    - Javascript sets the Form URL, AccountIdNumber, and AccountGuid in the html form and then submits it

    I think this will successfully prevent bots. The only thing I'm worried about is that if a person succeeds in the reCAPTCHA verification and submits the form, then they would have all of the information they need (Form URL, AccountIdNumber, and AccountGuid) to make their own form and submit it at will.

    Does that sound like a valid concern? Is there anything else I can do to increase security with FaaS?

  • #2
    You can prevent it by using localstorage instead of URL parameters so once it append, you can clear the browser localstorage.
    Click & Pledge Support Department

    On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

    Join us @ the educational webinars:
    Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday:
    Are you on Salesforce? Join us at the Power of Us Hub:


    • #3
      Thanks -- I wasn't convinced that localstorage would 100% hide Form URL, AccountIdNumber and AccountGuid from the user. But I did find that I can limit the URLs that can post form via C&P Connect:

      Settings > API Information > Allowed URLs