Security: No form spam protection (honeypot, captcha, or turnstile) #119
Labels
No Label
P0 Critical
P1 High
P2 Medium
P3 Low
accessibility
backend
bug
content
data-integrity
enhancement
frontend
infra
integration
owner
owner-input
performance
performance
phase-7
phase-8
security
seo
ui
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/Queue-North-Website#119
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
The Contact and Support forms have no spam protection beyond server-side rate limiting (5 req/min). There is no:
A rate limit of 5 requests per minute still allows ~7,200 spam submissions per day per IP. Bots can rotate IPs.
Fix
Add at minimum a honeypot field to both forms:
For stronger protection, consider Cloudflare Turnstile (free, privacy-friendly).
Files
Severity
Medium — spam submissions will fill the database and potentially Zoho CRM