Hello -- I saw this in the FaaS docs and I want to make sure I'm implementing it correctly in our Salesforce Lightning Community (which is open to the unauthenticated public):
"To prevent spam and fraudulent attacks on webforms that use Click & Pledge’s API all forms must include reCAPTCHA to validate patrons." (Source: https://manual.clickandpledge.com/Fo...a-Service.html)
Does the following sound like a good amount of security for FaaS?
- The HTML form does not include the Form URL (https://faas.cloud.clickandpledge.com), AccountIdNumber, or AccountGuid on initial render.
- The HTML form does include a Google reCAPTCHA (v2, the checkbox).
- When the reCAPTCHA is verified, the submit button appears.
- When the submit button is clicked, the result of the reCAPTCHA is sent to Apex for server-side validation of the reCAPTCHA.
- If the server-side reCAPTCHA validation succeeds, then Apex sends the values for URL, AccountIdNumber, and AccountGuid back to the client (JavaScript).
- JavaScript sets the Form URL, AccountIdNumber, and AccountGuid in the HTML form and then submits it.
I think this will successfully prevent bots. The only thing I'm worried about is that if a person succeeds in the reCAPTCHA verification and submits the form, then they would have all of the information they need (Form URL, AccountIdNumber, and AccountGuid) to make their own form and submit it at will.
Does that sound like a valid concern? Is there anything else I can do to increase security with FaaS?
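As an added example (not code from the post above and not Click & Pledge's own code), the following Apex controller shows the flow the post describes with one change that addresses the stated concern: the reCAPTCHA token is verified server-side against Google's siteverify endpoint, and on success the server itself submits the form to FaaS, so the Form URL, AccountIdNumber and AccountGuid are never sent back to the browser. The custom metadata type `FaaS_Settings__mdt` and its fields, the patron field names, the community hostname placeholder, the Remote Site Settings for both endpoints, and the assumption that FaaS accepts the same form-encoded POST from a server as from a browser are all assumptions of this example, not facts from the page or the FaaS manual.

```apex
// Added example: server-side reCAPTCHA v2 verification followed by a server-side
// relay to FaaS, so the account identifiers stay inside the org.
// Assumed (hypothetical) configuration: a Custom Metadata type FaaS_Settings__mdt
// with Secret_Key__c, Account_Id__c and Account_Guid__c; Remote Site Settings for
// www.google.com and faas.cloud.clickandpledge.com; guest-user read access to the
// metadata record. Patron field names are placeholders supplied by the component.
public with sharing class FaasRelayController {

    private static final String VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
    private static final String FAAS_URL   = 'https://faas.cloud.clickandpledge.com';
    // Placeholder: the hostname of your Lightning Community, as Google reports it.
    private static final String EXPECTED_HOSTNAME = 'YOUR-COMMUNITY-DOMAIN.example';

    // Called from the Lightning component with the g-recaptcha-response token
    // and the patron-entered fields. Nothing secret is returned to the client.
    @AuraEnabled
    public static String submitDonation(String recaptchaToken, Map<String, String> patronFields) {
        FaaS_Settings__mdt cfg = [SELECT Secret_Key__c, Account_Id__c, Account_Guid__c
                                  FROM FaaS_Settings__mdt LIMIT 1];

        if (!verifyRecaptcha(recaptchaToken, cfg.Secret_Key__c)) {
            // Fail closed: no identifiers are exposed and nothing reaches FaaS.
            throw new AuraHandledException('reCAPTCHA verification failed.');
        }

        // The account identifiers are added here, on the server, after the check.
        Map<String, String> body = new Map<String, String>(patronFields);
        body.put('AccountIdNumber', cfg.Account_Id__c);
        body.put('AccountGuid', cfg.Account_Guid__c);

        HttpRequest req = new HttpRequest();
        req.setEndpoint(FAAS_URL);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody(formEncode(body));
        HttpResponse res = new Http().send(req);
        return String.valueOf(res.getStatusCode());
    }

    // Server-side check of the token. Google marks a token as used after the
    // first siteverify call, so a replayed token fails this check.
    @TestVisible
    private static Boolean verifyRecaptcha(String token, String secret) {
        if (String.isBlank(token)) {
            return false;
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint(VERIFY_URL);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody(formEncode(new Map<String, String>{
            'secret'   => secret,
            'response' => token
        }));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            return false;
        }
        Map<String, Object> result = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        Boolean success = (Boolean) result.get('success');
        // Also confirm the challenge was solved on your own site, not on a copy
        // of the form hosted elsewhere.
        String hostname = String.valueOf(result.get('hostname'));
        return success == true && EXPECTED_HOSTNAME.equals(hostname);
    }

    // application/x-www-form-urlencoded body from a map of fields.
    private static String formEncode(Map<String, String> fields) {
        List<String> parts = new List<String>();
        for (String key : fields.keySet()) {
            parts.add(EncodingUtil.urlEncode(key, 'UTF-8') + '=' +
                      EncodingUtil.urlEncode(fields.get(key), 'UTF-8'));
        }
        return String.join(parts, '&');
    }
}
```

With this shape the client only ever holds the reCAPTCHA token and the patron's own entries; a visitor who passes the checkbox once still cannot recover the Form URL, AccountIdNumber or AccountGuid from the page, and every later submission has to pass the server-side check again. Whether FaaS accepts a server-originated POST (rather than a browser form submission) is something to confirm with Click & Pledge before relying on the relay.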