WAF on your domain won't stop spam if the form posts directly to a third-party API
A developer investigating form spam on a small corporate site discovered the contact form was submitting data directly to an external Backend-as-a-Service API, bypassing the site's own server entirely. Because the spam traffic never touched the site's domain, placing a Cloudflare WAF in front of that domain offered no protection against it. The anonymous API key and endpoint URL were exposed in the public JavaScript bundle, making it trivial for bots to POST spam without even loading the page. The developer recommends routing form submissions through a first-party verification endpoint so that WAF and rate-limiting rules can actually intercept the traffic. The broader lesson: before prescribing a security fix, check the browser's Network tab to confirm where form requests actually go.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in