reCAPTCHA/Security


  • Perc-BRC
    replied
    Thanks -- I wasn't convinced that localstorage would 100% hide Form URL, AccountIdNumber and AccountGuid from the user. But I did find that I can limit the URLs that can post form via C&P Connect:

    Settings > API Information > Allowed URLs


  • CnP.Support.AM
    replied
    You can prevent it by using localStorage instead of URL parameters, so once it appends, you can clear the browser localStorage.


  • Perc-BRC
    started a topic reCAPTCHA/Security

    reCAPTCHA/Security

    Hello -- I saw this in the FaaS docs and I want to make sure I'm implementing it correctly in our Salesforce Lightning Community (which is open to the unauthenticated public):
    "To prevent spam and fraudulent attacks on webforms that use Click & Pledge’s API all forms must include reCAPTCHA to validate patrons." (Source: https://manual.clickandpledge.com/Fo...a-Service.html)

    Does the following sound like a good amount of security for FaaS?
    - The HTML form does not include the Form URL (https://faas.cloud.clickandpledge.com), AccountIdNumber, or AccountGuid on initial render.
    - The HTML form does include a Google reCAPTCHA (v2, the checkbox).
    - When the reCAPTCHA is verified, the submit button appears.
    - When the submit button is clicked, the result of the reCAPTCHA is sent to Apex for server-side validation of the reCAPTCHA.
    - If the server-side reCAPTCHA validation succeeds, then Apex sends the values for URL, AccountIdNumber, and AccountGuid back to the client (JavaScript).
    - JavaScript sets the Form URL, AccountIdNumber, and AccountGuid in the HTML form and then submits it.

    I think this will successfully prevent bots. The only thing I'm worried about is that if a person succeeds in the reCAPTCHA verification and submits the form, then they would have all of the information they need (Form URL, AccountIdNumber, and AccountGuid) to make their own form and submit it at will.

    Does that sound like a valid concern? Is there anything else I can do to increase security with FaaS?
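The server-side part of the flow described in the post (verify the reCAPTCHA token in Apex, and only then release the Form URL, AccountIdNumber and AccountGuid to the browser), written out as an added example. This is not code from the post, from Click & Pledge, or from Salesforce. Assumed and not on the page: the class and method names, a protected hierarchy custom setting `Recaptcha_Setting__c` with a `Secret_Key__c` field holding the reCAPTCHA secret, a Remote Site Setting for https://www.google.com, and `EXPECTED_HOSTNAME` as a placeholder for the community's own domain. The account identifiers are placeholders.

```apex
// Added example (not Click & Pledge or Salesforce code): gate the FaaS form
// values behind a server-side reCAPTCHA v2 verification in Apex.
public with sharing class RecaptchaGateController {

    private static final String SITEVERIFY =
        'https://www.google.com/recaptcha/api/siteverify';
    // Placeholder: the domain the community page (and the widget) is served from.
    private static final String EXPECTED_HOSTNAME = 'your-community.example.com';

    // Values handed to the browser only after the token has been verified.
    public class FaasConfig {
        @AuraEnabled public String formUrl;
        @AuraEnabled public String accountIdNumber;
        @AuraEnabled public String accountGuid;
    }

    // Called from the Lightning component with the g-recaptcha-response token.
    @AuraEnabled
    public static FaasConfig getFaasConfig(String recaptchaToken) {
        if (String.isBlank(recaptchaToken) || !verifyRecaptcha(recaptchaToken)) {
            // Generic message: do not tell the caller which check failed.
            throw new AuraHandledException('Verification failed.');
        }
        FaasConfig cfg = new FaasConfig();
        cfg.formUrl = 'https://faas.cloud.clickandpledge.com';
        // Placeholders: real values belong in protected server-side configuration.
        cfg.accountIdNumber = 'ACCOUNT_ID_NUMBER_PLACEHOLDER';
        cfg.accountGuid = 'ACCOUNT_GUID_PLACEHOLDER';
        return cfg;
    }

    // POSTs the token to Google's siteverify endpoint and checks the answer.
    // Google accepts each token once, so a replayed token fails here.
    public static Boolean verifyRecaptcha(String token) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(SITEVERIFY);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('secret=' + EncodingUtil.urlEncode(getSecret(), 'UTF-8')
                  + '&response=' + EncodingUtil.urlEncode(token, 'UTF-8'));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            return false;
        }
        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        Boolean success = (Boolean) body.get('success');
        String hostname = (String) body.get('hostname');
        // Require the success flag and a matching hostname, so a token solved
        // on another page that embeds the same site key is rejected.
        return success == true && hostname == EXPECTED_HOSTNAME;
    }

    // Assumed storage: a protected custom setting (placeholder name), so the
    // secret never reaches the client or the source repository.
    private static String getSecret() {
        Recaptcha_Setting__c s = Recaptcha_Setting__c.getOrgDefaults();
        return s == null ? null : s.Secret_Key__c;
    }
}
```

Two points worth noting. First, the controller keeps the secret and the account identifiers out of the page at render time and rejects a replayed or foreign token, which is what stops unattended bots. Second, it does nothing about the concern raised in the last paragraph: any human who passes the checkbox once receives the three values and can reuse them from a form of their own, so a protection of that kind has to be applied on the API side (restricting where posts are accepted from) and backed by monitoring of submissions, not by the page.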