SShortSingh.
Back to feed

WAF on your domain won't stop spam if the form posts directly to a third-party API

0
·3 views

A developer investigating form spam on a small corporate site discovered the contact form was submitting data directly to an external Backend-as-a-Service API, bypassing the site's own server entirely. Because the spam traffic never touched the site's domain, placing a Cloudflare WAF in front of that domain offered no protection against it. The anonymous API key and endpoint URL were exposed in the public JavaScript bundle, making it trivial for bots to POST spam without even loading the page. The developer recommends routing form submissions through a first-party verification endpoint so that WAF and rate-limiting rules can actually intercept the traffic. The broader lesson: before prescribing a security fix, check the browser's Network tab to confirm where form requests actually go.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Framing CV Around Business Impact, Not Tech Stack, Draws Recruiter Attention

A software developer found that rewriting his CV to emphasize business outcomes rather than technical tools significantly improved recruiter engagement. Instead of listing programming languages and frameworks alone, he added context such as email volumes processed, restaurants served daily, and revenue improvements achieved. He retained technical details so hiring managers could assess his depth, but positioned them as supporting evidence rather than the main focus. The revised CV was compelling enough for a recruiter to forward it to Tata Consultancy Services for a role. His key takeaway is that communicating the value of existing skills to a non-technical audience can matter more than acquiring new ones.

0
ProgrammingDEV Community ·

Developer builds 1,000+ free browser-based tools to escape ad-heavy online utilities

A developer frustrated with ad-cluttered, paywalled online utilities has built a collection of over 1,052 free tools available at webtools-cn.github.io. The project covers categories including text processing, image editing, security hashing, PDF handling, and finance calculators, totaling more than 2,130 bilingual pages in English and Chinese. Every tool runs entirely client-side using vanilla HTML, CSS, and JavaScript — requiring no server, no user accounts, and no file uploads. The site is hosted for free on GitHub Pages and works offline once loaded, with zero recurring infrastructure costs. What began as a weekend side project evolved into a structured, SEO-optimized toolbox featuring Schema.org structured data and an auto-generated sitemap.

0
ProgrammingDEV Community ·

Developer Builds AI Tool Using Gemini API to Help Coders Manage Burnout

A beginner developer has created DEV Passion Fuel Station, a minimalist single-page HTML5 web app designed to help developers manage burnout during side projects and hackathons. The tool allows users to vent frustrations or paste problematic code into the interface, which then uses Google's Gemini 1.5 Flash API to analyze sentiment and burnout signals. Based on that analysis, the app returns small, actionable tasks to help developers maintain momentum without feeling overwhelmed. Built as a single file and hosted on Netlify, the app lets users input their own Google AI Studio key directly in the UI to keep credentials private. The project was submitted to the DEV Community Weekend Challenge under the Best Use of Google AI prize category.

0
ProgrammingDEV Community ·

Developer Builds Python Toolkit to Automate App Store Metadata and Release Workflow

A developer managing a portfolio of ten apps built an open-source Python toolkit called app-store-release-agent to automate the App Store release pipeline. The tool addresses the challenge that maintaining multiple apps does not scale linearly, with tasks like metadata updates, keyword tuning, and review management piling up over time. The repository includes three scripts that connect to App Store Connect, pull localized metadata into a local folder, and patch or submit versions for review. All scripts default to dry-run mode, allowing users to preview changes before applying them to live listings. The developer's goal is to eventually expand the toolkit into a full App Store Optimization system capable of identifying what needs attention, what can wait, and what action offers the highest leverage.