Sean Kelley
Posts: 0
Joined: Thu Oct 11, 2012 2:25 pm

Web App Form Security- SendGrid

I am about to begin using my exported web app and had a few questions regarding preventing form spam. I am using the SendGrid plugin to send mail. Firstly, I noticed the SendGrid API key and user are exposed. Does this pose any problems?

Also, I have forms that send email to several different addresses out of my control. Should I consider some sort of captcha mechanism to prevent automated submissions? If so, any recommendations?

I do see that SendGrid has a spam app which monitors outgoing mail. I turned it on but I do not know how well it works.
http://sendgrid.com/docs/Apps/spam_ch...

maxkatz
Posts: 0
Joined: Fri Aug 13, 2010 3:24 pm

[quote:]
Firstly, I noticed the SendGrid API key and user are exposed. Does this pose any problems?
[/quote]
To some degree yes. If someone really wants, they can look up your API key. This is a general mobile web problem (not specific to Appery.io created apps). If you build a native (hybrid) app then getting the API key is more difficult but still possible.

We will be adding a security feature where the API key can be kept on the server.

[quote:]
Also, I have forms that send email to several different addresses out of my control. Should I consider some sort of captcha mechanism to prevent automated submissions? If so, any recommendations?
[/quote]
That's one option, if you can find one specifically for mobile. I don't have any recommendations.

[quote:]
I do see that SendGrid has a spam app which monitors outgoing mail. I turned it on but I do not know how well it works.
http://sendgrid.com/docs/Apps/spam_ch...
[/quote]
If SendGrid offers one, I'm sure it works well.

Michael4771079
Posts: 0
Joined: Sat Jul 21, 2012 2:03 pm

Hi Sean,
I asked the same question regarding SendGrid details being visible in page source. Max told me they are working on those details being stored on the server. The only other solution I could find was from Katya, which is a script to prevent loading on PC.

Sean Kelley
Posts: 0
Joined: Thu Oct 11, 2012 2:25 pm

thanks- if anyone has a good method for preventing automated form submissions I would be interested.
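The two concerns raised so far in this thread (the exposed key and automated submissions) are usually handled together by a small server-side relay; the following is an added example, not code from any poster or from Appery.io. It assumes Node 18+ and SendGrid's v3 `mail/send` endpoint; `RECIPIENTS`, the `website` honeypot field, the sender address and all function names are hypothetical.

```javascript
// Added example (not from the thread): server-side relay for a web contact form, Node 18+.
// RECIPIENTS, the "website" honeypot field and all function names are hypothetical.
const RECIPIENTS = { sales: 'sales@example.org', support: 'support@example.org' }; // constructed
const WINDOW_MS = 10 * 60 * 1000; // rate-limit window
const MAX_PER_WINDOW = 3;         // accepted submissions per IP per window
const hits = new Map();           // ip -> timestamps of accepted submissions

function checkSubmission(form, ip, now = Date.now()) {
  // Honeypot: an input hidden from people by CSS; scripts that fill every field trip it.
  if (form.website) return { ok: false, reason: 'honeypot' };
  // The browser sends a recipient key, never an address, so the form cannot be used as a relay.
  if (!Object.prototype.hasOwnProperty.call(RECIPIENTS, form.to)) return { ok: false, reason: 'recipient' };
  const subject = String(form.subject || '');
  const message = String(form.message || '');
  // The subject becomes a mail header: reject line breaks instead of passing them on.
  if (!subject || !message || /[\r\n]/.test(subject)) return { ok: false, reason: 'content' };
  if (subject.length > 150 || message.length > 5000) return { ok: false, reason: 'content' };
  // Sliding-window rate limit per client IP (in memory; resets when the process restarts).
  const recent = (hits.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  if (recent.length >= MAX_PER_WINDOW) return { ok: false, reason: 'rate' };
  hits.set(ip, [...recent, now]);
  return { ok: true, to: RECIPIENTS[form.to], subject, message };
}

function buildMailRequest(mail, apiKey) {
  // The key is attached here, on the server, and never appears in page source.
  return {
    url: 'https://api.sendgrid.com/v3/mail/send',
    options: {
      method: 'POST',
      headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({
        personalizations: [{ to: [{ email: mail.to }] }],
        from: { email: 'forms@example.org' }, // constructed sender address
        subject: mail.subject,
        content: [{ type: 'text/plain', value: mail.message }],
      }),
    },
  };
}

async function relay(form, ip) {
  const verdict = checkSubmission(form, ip);
  if (!verdict.ok) return verdict;
  const { url, options } = buildMailRequest(verdict, process.env.SENDGRID_API_KEY);
  const res = await fetch(url, options);
  return { ok: res.ok, status: res.status };
}
```

The web app posts the form to an endpoint that calls `relay(form, clientIp)`; a CAPTCHA check, if one is used, would be one more condition in `checkSubmission`.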

Sean Kelley
Posts: 0
Joined: Thu Oct 11, 2012 2:25 pm

Hi- Do you have a time frame on this: "We will be adding a security feature where the API key can be kept on the server"?

I would like to create a self-hosted web app for payment processing. Fortunately I found a processor that supports CORS and has a REST API, but without a way to hide keys I cannot see any payment processing happening.

I could obviously let Appery host with my domain if it would be necessary for this feature to work.

maxkatz
Posts: 0
Joined: Fri Aug 13, 2010 3:24 pm

Second half of summer. Does that work for you?

Sean Kelley
Posts: 0
Joined: Thu Oct 11, 2012 2:25 pm

I can use it as soon as possible :-) I use Google Checkout and they just announced the end of Checkout for Nov 10. I need to have plenty of time to implement Stripe and a whole new web app (was standard web site). I hate to proceed with the project if the time frame on your end is not set or might be delayed.
https://stripe.com/docs/api#versioning

maxkatz
Posts: 0
Joined: Fri Aug 13, 2010 3:24 pm

We will definitely have it before November.
