
Security & Access Control

Unfortunately, when you're building web forms, it isn't possible to hide a secret password or code from spammers: forms have to be processed and sent from the web browser, and browsers work off code and scripts that download and run on the client side, so publishing a public form means having to deal with bad actors like spammers.

How does Form/Comment Spam work?

We're all familiar with spam in our inboxes, but a lot of spam energy also goes into filling in online forms automatically. Spammers have "spiders" or robots that follow links all over the web and look inside the source code of web pages to find <form> tags. They then automatically try to submit those forms pretending to be a real user, filling the "text" and especially the "textarea" fields with their crappy spam payloads (often with offers to enhance male anatomy).

While exceptionally annoying to us, the reason they do it is less about jamming junk advertisements for enhancing junk into your database, and more because many websites have forms that publish comments on web pages. Spammers are really trying to be seen by future visitors to a web page, who will see the spam ads and links too. In the worst cases, poorly built websites will actually turn spam text into hyperlinks, giving legitimacy and SEO juice to the spammer's website.

Unfortunately, spammers don't care whether their spam form submissions get them anywhere on your site; since the cost of pissing you off is so low, they just do it anyway - it is largely automated.

Thus, the only real solution if you're going to have forms on your website is to have a way to separate real people from spam "bots". Thankfully, there's a great way to do this with reCAPTCHA.

reCAPTCHA

reCAPTCHA is a service provided for free by Google to help separate legitimate users from spammers or "bots" working on their behalf. Originally started as an ingenious project to help augment OCR in digitizing books, reCAPTCHA now works with many signals and often doesn't require users to do anything. As a user, you just tick a checkbox, and a bunch of code runs in the background to guess whether you're really a real user. If the code thinks you're a real user, you get a tick in the box and can continue.

If, when you tick the box, Google's servers have reason to suspect you might be a bot (which comes up a bit when you're testing, since seeing the same browser over and over again is a red flag), it uses lots of different types of images and asks you to do simple things (eg, "Select all the photos that have a billboard in them") to confirm you're not a spammer. The days of impossible-to-read smudged text are thankfully a thing of the past.

When the user has passed the CAPTCHA and submits the form, Google provides a secret, short-lived fingerprint (the reCAPTCHA response token), and when we process the Form on our API we connect to Google and ask them to verify that the fingerprint we got from the Form matches one they just handed out to that end user's IP address.

If Google gives us the green light, we process the form immediately, and if it doesn't check out (or if you haven't included reCAPTCHA but you set your Accelo access rules to require it), we ask the user to complete another reCAPTCHA on our servers (repeating until they get it right) before processing the Form.
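The server-side check described above, as an added illustration (this is not Accelo's code and not Google's client library; only the siteverify URL and the `success`, `hostname`, `challenge_ts` and `error-codes` response fields are Google's documented API, every function name and the sample replies are constructed for this example). It shows what a receiving server has to decide from the reply: that Google accepted the token, that the token was issued for the expected site, and that it is still fresh.

```python
import calendar
import json
import time
import urllib.parse
import urllib.request

# Google's documented verification endpoint.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def build_siteverify_request(secret, token, remote_ip=None):
    """Form-encoded body for siteverify: secret, the token from the form's
    g-recaptcha-response field, and (optionally) the submitter's IP."""
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    return urllib.parse.urlencode(params).encode("utf-8")


def post_siteverify(body):
    """Live call to Google (not used by the offline test below)."""
    req = urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def evaluate_siteverify(reply, expected_hostname, max_age_seconds=120, now=None):
    """Decide whether a siteverify reply (a dict) lets the submission through.
    Returns (ok, reason). A token is only good if Google says success, it was
    issued for our hostname, and it was solved recently."""
    if not reply.get("success"):
        codes = reply.get("error-codes") or ["unknown"]
        return False, "google rejected token: " + ",".join(codes)
    if reply.get("hostname") != expected_hostname:
        return False, "token issued for a different site"
    ts = reply.get("challenge_ts")  # ISO 8601, e.g. 2024-01-01T00:00:00Z
    if ts:
        solved = calendar.timegm(time.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
        now = time.time() if now is None else now
        if now - solved > max_age_seconds:
            return False, "token too old"
    return True, "ok"


def verify_submission(secret, form_fields, remote_ip, expected_hostname,
                      poster=post_siteverify):
    """End-to-end check for one submitted form. `poster` is injectable so the
    logic can be exercised without network access."""
    token = form_fields.get("g-recaptcha-response", "")
    if not token:
        return False, "no reCAPTCHA token in submission"
    reply = poster(build_siteverify_request(secret, token, remote_ip))
    return evaluate_siteverify(reply, expected_hostname)


if __name__ == "__main__":
    # Constructed reply standing in for Google's JSON, so this runs offline.
    fake_poster = lambda body: {"success": True, "hostname": "mycompany.com"}
    print(verify_submission("SECRET_KEY_PLACEHOLDER",
                            {"g-recaptcha-response": "token-from-browser"},
                            "203.0.113.5", "mycompany.com", poster=fake_poster))
```

The hostname and age checks are the part people most often skip: a token that Google accepts but that was solved on someone else's site, or an hour ago, is exactly what a replaying bot would present.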

Registering for your own reCAPTCHA Keys

While the previous version of our Forms API supported v1 of reCAPTCHA and a single, shared key for anyone to use when sending a form to Accelo, the new v2 version doesn't work that way.

Now, you need to register for your own key, tell Google the domains where you'll be using it (your website addresses) and they'll give you your own key.

Step 1: Go to www.google.com/recaptcha/admin

From here, you'll be able to see any Sites you already have (and if you already have a key for the site you are going to put your Accelo Form onto, then you can use that!).

If you need to create a new key, fill in the form at the bottom of the page. The "domains" should include a list of the domains where you will be putting your form. This will be things like mycompany.com - you do not need to include your Accelo domain.

ReCAPTCHA Site Screen

Entering your Key

When you've registered, you'll be able to see your keys - the one on the left is the "Site key", which you use in your forms, and the one on the right is the "Secret key", which you use in your Accelo Configuration area.

reCAPTCHA Keys

For details on how to use the Site key for reCAPTCHA in your forms, view the source of our Form Examples page.

When you are ready to start testing, you'll want to add the Secret Key into your Accelo Configuration screens. An example of where you can add it is https://yourdomain.accelo.com/?action=admin_navigation&target=company_general.

Saving your Private Key

 

Living Dangerously - JavaScript/AJAX submitting

If you really don't want people filling in your forms to have to complete a reCAPTCHA (even the now simple blue tick-box option of v2), you can do something that will keep the vast majority of spammers off the scent: submit the form information via JavaScript/AJAX.

To see how this works and get code you can use in your pages, check out the JavaScript/AJAX examples in the source code at the bottom of our live Examples page.

In our experience, as long as you don't have an "action" value in the <form> tag, the spammers will leave you alone; while the JavaScript that shows how to submit (and therefore how to spam you) is in plain sight, it is too much effort for lazy spammers and their spam bots to work out what's going on, so you can operate with the Forms API Access set to "Open" and submit forms via JavaScript without getting inundated.

Obviously, if a spammer decides to target you specifically, you're going to get inundated (and we're not able to help clean up the mess, unfortunately). If this happens, you'll probably want to fall back to "Challenge" or reCAPTCHA access, or dedicate some time to housekeeping in your Accelo account on an ongoing basis.

Server to Server Asserted Authentication

When using the Forms API from a system of your own (or using Zapier and HTTP POST), you might want to retain the reCAPTCHA protection for public submissions, but since you're using a trusted submission point you don't want to have to handle authentication for those submissions.

The good news is that you can pass in a string, derived from the key value, which asserts that your POST is authenticated.

This method works by passing a "key" parameter with your Form/HTTP POST submission. The value of this parameter needs to be the SHA-256 hash of your reCAPTCHA Secret Key.

Assuming your reCAPTCHA Secret Key is IOr6e6UIOLDDVChHo4kyp5aXbqVprjvSwKgIzHCs, you can use a service like FreeFormatter (https://www.freeformatter.com/message-digest.html) to compute the hash; the SHA-256 hash of that key is 8cf92ed9e4c252e93b86a0844a4d2d9f57405dcd966c557fbdfcfb67e8933dcb.
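Computing the asserted "key" value locally, as an added example that is not Accelo's code: the hash is produced with the standard library, so the Secret Key never has to be pasted into a third-party website. The `key_is_valid` receiver-side check is an assumption about how such a parameter would be compared; the function names and the sample field values are constructed for this example.

```python
import hashlib
import hmac
import urllib.parse


def asserted_key(secret):
    """SHA-256 of the reCAPTCHA Secret Key as lowercase hex; this is the value
    sent as the "key" parameter of a server-to-server form POST."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def build_asserted_post_body(fields, secret):
    """Form-encode the submission fields plus the asserted "key" parameter."""
    payload = dict(fields)
    payload["key"] = asserted_key(secret)
    return urllib.parse.urlencode(payload)


def key_is_valid(submitted_key, secret):
    """Assumed receiver-side check: recompute the hash from the configured
    secret and compare in constant time, so timing does not leak how many
    leading characters of a guess were right."""
    expected = asserted_key(secret)
    return hmac.compare_digest(submitted_key.strip().lower(), expected)


if __name__ == "__main__":
    # The page's own example secret; run this to reproduce the hash quoted above.
    example_secret = "IOr6e6UIOLDDVChHo4kyp5aXbqVprjvSwKgIzHCs"
    print(asserted_key(example_secret))
    print(build_asserted_post_body({"name": "Ann Example", "email": "ann@example.com"},
                                   example_secret))
```

Because the hash is a fixed function of the Secret Key, the "key" parameter is a long-lived bearer credential: it belongs only in server-side code or a Zapier step, never in page JavaScript, and the only way to rotate it is to regenerate the reCAPTCHA Secret Key and update the Accelo configuration.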

 
