Security: No form spam protection (honeypot, captcha, or turnstile) #119

Closed
opened 2026-05-17 21:23:40 -05:00 by null · 0 comments
Owner

Problem

The Contact and Support forms have no spam protection beyond server-side rate limiting (5 req/min). There is no:

  • Honeypot field (hidden field that bots fill)
  • CAPTCHA (Google reCAPTCHA, hCaptcha)
  • Cloudflare Turnstile
  • Client-side bot detection

A rate limit of 5 requests per minute still allows ~7,200 spam submissions per day per IP. Bots can rotate IPs.

Fix

Add at minimum a honeypot field to both forms:

  • Add a hidden input field (e.g. name=company_website) with CSS display:none
  • If the field is filled, silently reject the submission (return success but don't save)
  • This is zero-impact on UX and catches most basic bots

For stronger protection, consider Cloudflare Turnstile (free, privacy-friendly).

Files

  • src/pages/Contact.jsx — add honeypot field
  • src/pages/Support.jsx — add honeypot field
  • server/index.js — check honeypot field in /api/leads and /api/support

Severity

Medium — spam submissions will fill the database and potentially Zoho CRM
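Server-side check for the honeypot described in the Fix section, written as an added example (not code from the Queue-North-Website repository). It assumes the hidden field is named company_website, that request bodies arrive as parsed JSON objects (as with express.json()), and that the handler shape below is wired into /api/leads and /api/support by the caller; it also strips the trap field before the record reaches storage or the CRM.

```javascript
// Added example, not the project's code. Assumes the honeypot input is
// named "company_website" and that req.body is an already-parsed object.
const HONEYPOT_FIELD = 'company_website';

// A visitor never sees the field, so any non-empty value indicates an
// automated submission. Whitespace-only values are tolerated so that a
// browser autofill quirk does not reject a real person; the client side
// should still set autocomplete="off" and tabindex="-1" on the input.
function honeypotTripped(body) {
  if (!body || typeof body !== 'object') return false;
  const value = body[HONEYPOT_FIELD];
  if (value === undefined || value === null) return false;
  return String(value).trim().length > 0;
}

// Builds a handler for one form endpoint. `save` persists a clean
// submission; `log` records a rejected one so the trap rate can be
// monitored. Bots receive the same 200 response as humans, so nothing
// in the reply reveals that the submission was discarded.
function makeSubmissionHandler(save, log = () => {}) {
  return function handle(req) {
    const body = req.body || {};
    if (honeypotTripped(body)) {
      log({ event: 'honeypot_rejected', ip: req.ip, path: req.path });
      return { status: 200, json: { ok: true } }; // silent discard
    }
    // Drop the trap field so it never lands in the database or CRM.
    const { [HONEYPOT_FIELD]: _trap, ...clean } = body;
    save(clean);
    return { status: 200, json: { ok: true } };
  };
}

// Express wiring (assumed shape of server/index.js, not shown in the issue):
//   const handleLead = makeSubmissionHandler(saveLead, console.log);
//   app.post('/api/leads', (req, res) => {
//     const out = handleLead(req);
//     res.status(out.status).json(out.json);
//   });

// Constructed sample requests for a stand-alone run.
const savedRecords = [];
const demo = makeSubmissionHandler((r) => savedRecords.push(r));
demo({ ip: '198.51.100.7', path: '/api/leads',
       body: { name: 'Ann', email: 'ann@example.com', company_website: '' } });
demo({ ip: '203.0.113.9', path: '/api/support',
       body: { name: 'x', company_website: 'http://spam.invalid' } });
// savedRecords now holds only Ann's submission, without the trap field.
```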

null closed this issue 2026-05-17 21:52:13 -05:00
Reference: null/Queue-North-Website#119