
I am working on a static site generated with Hugo and want to embed an email form without using external (commercial or possibly untrustworthy) services like formspree.io (too much of a headache in the European Union with all the regulations).

For that purpose I built an API that I can post data to - after validating it, an email will be sent via sendmail. The API is built with Flask (Python).

How do I secure my endpoint against spammers, robots and other bad actors?

I did some research and read about flask-limiter but I don't think this is enough.

Others suggest including a CSRF token but I don't know how to "generate" and include it into my static site.

Another thing I thought would probably help is Google reCaptcha but I don't know how to use it in a static site.

Any ideas / suggestions on how to proceed?

Thank you in advance.

mgrey_77
  • It's not an entirely static site. You are running a Flask app! That's where you should put reCaptcha. – Michael Hampton Apr 30 '19 at 00:23
  • Basically it is - the service with the API is an extra app that is not connected to the site. All I have is a form that POSTs the data to the flask API's url. – mgrey_77 Apr 30 '19 at 10:22
  • It's also irrelevant how little or how much of the site is static pages. Your question is about securing the API endpoint! – Michael Hampton Apr 30 '19 at 16:02
  • Thank you for answering. I know that somehow the recaptcha challenge has to be validated at my endpoint in the flask app. But before that I have to embed the recaptcha in the form so a user can solve it I think. Nevertheless this is just one idea I had about the security issue here and I'd welcome any ideas and comments from people who know that stuff better than me (e.g. "don't use recaptcha because foo is better", "recaptcha alone won't help you against foo-whatever"). – mgrey_77 Apr 30 '19 at 22:50
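The question has no answers yet, so here is an added example (not code from the asker or any commenter) of what the comments point at: the checks live in the Flask app, not in the static site. It layers the ideas raised in the question: a honeypot field, an HMAC-signed form token that a static page can fetch and echo back (a stand-in for the "CSRF token" idea, since a static site has no session to bind one to), a per-IP sliding-window rate limit, input validation that also blocks newline-based mail header injection, and server-side verification of the reCAPTCHA v2 widget's `g-recaptcha-response` field against Google's siteverify endpoint. The secrets, field names (`website`, `form_token`, `email`, `message`) and route paths are assumptions; only the siteverify URL and the `g-recaptcha-response` field name come from the reCAPTCHA v2 widget itself. The validation logic is pure standard library so it can be tested without a network; the Flask routes at the bottom are the assumed wiring.

```python
import hashlib
import hmac
import json
import re
import time
import urllib.parse
import urllib.request
from collections import defaultdict, deque

# Constructed placeholders: load real secrets from the environment or a config file.
FORM_TOKEN_SECRET = b"replace-with-32-random-bytes"   # HMAC key for form tokens
RECAPTCHA_SECRET = "replace-with-recaptcha-secret"    # server-side key from the reCAPTCHA console
RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # Google's verify endpoint
TOKEN_TTL = 3600                     # seconds a form token stays valid
RATE_LIMIT, RATE_WINDOW = 5, 600     # max submissions per IP per window (seconds)
MAX_MESSAGE = 5000
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # no whitespace/newlines -> no header injection


def issue_form_token(secret=FORM_TOKEN_SECRET, now=None):
    """Stateless token the static page fetches (GET) and echoes back in its POST.
    It proves the POST came through the form flow recently; no session is needed."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_form_token(token, secret=FORM_TOKEN_SECRET, now=None, ttl=TOKEN_TTL):
    try:
        ts, mac = token.split(".", 1)
    except (AttributeError, ValueError):   # missing or malformed token
        return False
    if not ts.isdigit():
        return False
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= ttl


class RateLimiter:
    """Sliding-window limiter keyed by client IP (in-memory, single process only)."""
    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def _post_form(url, fields):
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(response_token, remote_ip, secret=RECAPTCHA_SECRET, post=_post_form):
    """Server-side check of the widget's response token; fails closed on any error."""
    if not response_token:
        return False
    try:
        result = post(RECAPTCHA_VERIFY_URL,
                      {"secret": secret, "response": response_token, "remoteip": remote_ip})
    except Exception:        # network failure or bad JSON: treat as not verified
        return False
    return bool(result.get("success"))


def validate_submission(form, remote_ip, limiter, now=None, post=_post_form):
    """Cheap local checks first, the network call (captcha) last. Returns (ok, reason)."""
    if form.get("website"):                       # honeypot: hidden field humans never fill
        return False, "honeypot"
    if not verify_form_token(form.get("form_token"), now=now):
        return False, "bad_token"
    if not limiter.allow(remote_ip, now=now):     # every attempt counts, valid or not
        return False, "rate_limited"
    email = (form.get("email") or "").strip()
    if not EMAIL_RE.match(email):
        return False, "bad_email"
    message = (form.get("message") or "").strip()
    if not message or len(message) > MAX_MESSAGE:
        return False, "bad_message"
    if not verify_recaptcha(form.get("g-recaptcha-response"), remote_ip, post=post):
        return False, "captcha"
    return True, "ok"


if __name__ == "__main__":
    # Assumed Flask wiring; the asker's real app is not shown on the page.
    from flask import Flask, jsonify, request
    app = Flask(__name__)
    limiter = RateLimiter()

    @app.route("/form-token", methods=["GET"])
    def form_token():
        return jsonify(token=issue_form_token())   # static page fetches this on load

    @app.route("/contact", methods=["POST"])
    def contact():
        ok, reason = validate_submission(request.form, request.remote_addr, limiter)
        if not ok:
            return jsonify(error=reason), 400
        # hand the validated email/message to the existing sendmail step here
        return jsonify(status="sent")

    app.run()
```

On the Hugo side the form needs the reCAPTCHA widget script, an empty `website` field hidden with CSS, and a few lines of JavaScript that fetch `/form-token` on page load and copy it into a hidden `form_token` input before submitting. If the API runs on a different origin than the site, the Flask app must also send CORS headers for that origin; and if it sits behind a reverse proxy, `request.remote_addr` will be the proxy's address unless Werkzeug's `ProxyFix` middleware is applied, which would make the rate limit count all visitors as one client.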

0 Answers