cwsoft Posted May 30, 2023
Hello, quite new to PW. I have a project which uses a frontend form built with basic fields (InputfieldForm) and no user registration or frontend login. What are the best or proposed strategies to secure the form from spam bots and malicious script kids using PW basic fields? The actual form has just built-in CSRF protection, but no other stuff like honeypot fields or tracking of failed submits via session tracking of IP etc. The form will be used by about 100-150 people, but once the stuff goes live, anybody knowing the URL can try to break things. My considerations so far:
1. Add honeypot fields (spam bots) and a captcha to make script attacks less likely
2. Track failed/double submits and ban the IP for some increasing time
3. Switch to the free FrontendForms module by Jürgen listed in the PW repo
4. Hide the form behind a PW login page (means adding 1-100 dummy users with the same/individual credentials)
What would you propose? Are there links or code snippets showing how to implement that stuff? Any thoughts, hints, tips or links to resources are highly appreciated. Cheers zx80
AndZyk Posted May 30, 2023
Hello @zx80, I would go with a module for forms like the commercial FormBuilder or the aforementioned FrontendForms. I have built forms in the past, but nowadays I use FormBuilder for every form, because forms can be complex to develop and maintain. Both FormBuilder and FrontendForms have protection well covered:
https://processwire.com/store/form-builder/#spam-filtering-features
https://github.com/juergenweb/FrontendForms#spam-protection-and-security-features
For protection I am always using a honeypot and a Google reCAPTCHA field, with filtering by specific mail addresses or keywords when I still get spam. FormBuilder has an extra module for a Google reCAPTCHA field. Regards, Andreas
cwsoft Posted May 30, 2023 (Author)
@AndZyk: Thanks for your input. Will try first with the free FrontendForms module, as I am quite new to PW and have not had a lot to do with web dev recently (more C#, Python stuff for Windows desktop). Hence I don't want to spend the 179€ for the pro module yet, unless I know for sure I will be using PW more often in the future. Cheers zx80
cwsoft Posted May 31, 2023 (Author)
Hi, just added a fifth option to keep Google and unwanted users out. I just hid my entire PW booking site behind a .htaccess AuthBasic access. But I will try the FrontendForms module too, as it seems to already provide all the features I wanted to implement myself out of the box.
AndZyk Posted May 31, 2023
That is also an option. If you just want to exclude search engines, you could make your page hidden and exclude it in your robots.txt. But if you want to protect your page, a .htaccess protection works as well. You could try the free LoginRegister module if you want a better looking login form integrated with PW: https://github.com/ryancramerdesign/LoginRegister
There is also a commercial successor of this module: https://processwire.com/store/login-register-pro/
Regards, Andreas
flydev Posted May 31, 2023
23 hours ago, zx80 said: "but once the stuff goes live, anybody knowing the Url can try to break things"
Depending on your requirements, you could generate a random URL. My best bet (because you ask for free solutions) is to use a custom login form as I suggested yesterday, or going with @Juergen's module. To lower/mitigate attacks: Shield, NGINX @mitchellkrogza/nginx-ultimate-bad-bot-blocker. You might be interested in (Pro) WireRequestBlocker / (Free) Blackhole module: https://weekly.pw/issue/195/ for an intro, and
AndZyk Posted May 31, 2023
On 5/30/2023 at 12:36 PM, zx80 said: "but once the stuff goes live, anybody knowing the Url can try to break things"
One more thing if you are building your own form: you can clean every piece of data entered in the form by sanitizing every input. https://processwire.com/api/ref/sanitizer/
$fullname = $sanitizer->text($input->post->fullname); // Long
$fullname = $input->post->text("fullname"); // Short
https://processwire.com/blog/posts/processwire-2.6.14-brings-major-enhancements-to-sanitizer-and-input-api-variables/#sanitizer-and-input-are-now-a-couple
netcarver Posted May 31, 2023
Wild idea, but the little maths question system I wrote for this contact form is, as far as I know, GDPR compliant and is used on a site that has no cookies or sessions on the front end interface. It therefore has no CSRF protection, yet has been 100% effective (several years so far) at preventing spam submissions. There are a few things I'd change if doing a v2, but overall it's worked very well. Reload the page a few times to get a feel for how the question system works. If you are not worried about being GDPR compliant and are willing to use sessions, then writing something like this would be even easier, as there are no extra anonymisation hoops to jump through. Just stash a target answer in the session and re-generate a maths question that leads to that answer on each page render.
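The session-backed maths question netcarver describes, combined with the honeypot field from the original question, as an added example: this is not netcarver's code and not a ProcessWire API, just plain PHP sessions with the ProcessWire equivalents noted in the comments. The field name 'website', MAX_FAILURES and the 5..20 answer range are assumptions.

```php
<?php
// Added example (not netcarver's code or a ProcessWire API): session-backed maths
// challenge plus a honeypot field, using plain PHP sessions so it runs stand-alone.
// In a ProcessWire template, swap $_SESSION for $session->get()/set(), $_POST for
// $input->post() and add $session->CSRF->validate() for the CSRF check.
declare(strict_types=1);
session_start();
const MAX_FAILURES = 5;   // assumed: lock the session after this many bad answers
// Choose one target answer per session and keep it server-side only.
function challengeTarget(): int {
    if (!isset($_SESSION['math_target'])) {
        $_SESSION['math_target'] = random_int(5, 20);
    }
    return $_SESSION['math_target'];
}

// Build a fresh question that evaluates to $target, so the HTML changes on every render.
function renderQuestion(int $target): string {
    $a = random_int(1, $target - 1);
    return random_int(0, 1) === 0
        ? sprintf('What is %d + %d?', $a, $target - $a)
        : sprintf('What is %d - %d?', $target + $a, $a);
}

// Honeypot must stay empty and the answer must match the stored target. The
// target is rotated after every attempt, so a wrong guess cannot be retried,
// and repeated failures lock the session.
function validateSubmission(array $post): bool {
    if (($_SESSION['math_failures'] ?? 0) >= MAX_FAILURES) {
        return false;
    }
    $answer = filter_var($post['math_answer'] ?? '', FILTER_VALIDATE_INT);
    $ok = ($post['website'] ?? '') === ''          // 'website' is the honeypot
        && $answer !== false && $answer === challengeTarget();
    unset($_SESSION['math_target']);
    if (!$ok) {
        $_SESSION['math_failures'] = ($_SESSION['math_failures'] ?? 0) + 1;
    }
    return $ok;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo validateSubmission($_POST) ? 'Thanks, accepted.' : 'Sorry, try again.';
}
?>
<form method="post">
  <input type="text" name="website" tabindex="-1" autocomplete="off" style="display:none">
  <label><?= renderQuestion(challengeTarget()) ?> <input name="math_answer" required></label>
  <button type="submit">Send</button>
</form>
```

Because the target only lives in the session and is discarded after each attempt, a bot that replays a captured answer or guesses repeatedly gets nowhere, while a human just sees a different easy sum on each reload.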
cwsoft Posted May 31, 2023 (Author)
@netcarver Thanks, already implemented a simple SESSION based math spam protection myself and some honeypot fields. However my client is very paranoid about DSGVO etc. He even worried about the guest cookie (wire) set by PW by default on startup, even though I tried to explain it's a technically required cookie set by the underlying CMS, which gets deleted automatically when the browser is closed.
cwsoft Posted May 31, 2023 (Author)
10 hours ago, AndZyk said: "You could try the free LoginRegister module, if you want a better looking login form integrated with PW: https://github.com/ryancramerdesign/LoginRegister"
Cool. Will test this option too, once I have shown the demo to my client and it is decided if and how to proceed with the project. You guys are all awesome and gave me a lot of tips, hints, links and code snippets to check out. @Andy Thanks for your sanitizer snippets, already using those on all input data by default. I even do whitelisting whenever appropriate in addition.
szabesz Posted May 31, 2023 (edited)
1 hour ago, zx80 said: "spam protection"
I also have a 100% working spam protection technique I always use (and nothing more). See it working here: https://www.szepelet.com/about-us/contact-us/
Human Detection is a pure PHP random number, rendered by :after {content: attr(data-attr);}, and the CSS class is deliberately not named with a related term, just to make it more obscure. No bots have been smart enough to crack it so far.
Edited May 31, 2023 by szabesz (typos)
netcarver Posted May 31, 2023
@szabesz Nice. I think I prefer that to the maths Q approach as it requires less mental effort.