Hi,
For a few days now, I have been trying to understand how a honeypot can be implemented on AEM Forms. We have a requirement to implement a honeypot feature on AEM Forms, but I could not find any documentation around this in Experience League. Given the volume of the sites, and forms being one of the most widely used components on the sites, we do not want to take the reCAPTCHA route but rather have something like a honeypot implemented to make the user experience better. What is the best way to bring up security/spam prevention checks on AEM Forms?
In addition to the security hardening guide shared earlier and steps shared by Mayank, you can enable protection against Cross-Site Scripting (XSS) on the page/form by following this security guide[0].
All these steps will ensure protection against any vulnerabilities when the form is integrated with a 3rd party system for inbound or outbound communication.
Probably AEM Forms is not tested with the honeypot technique, thus there is no official documentation for it, but there are multiple other ways to secure AEM Forms on the OSGi server; more details[0].
You can reach out to us via a support ticket in case you find any security prevention checks missing in the official document.
Hi Pulkit,
Thank you for getting back soon. In my case the forms we have are customized (it is a custom component); these are not taken from AEM Forms. In this case, how do we secure form submission?
Do you mean to say that you have used OOTB site components to create custom form components and then created a form or embedded the same in a page?
If there are no AF components being used, then you can reach out to AEM Sites experts here for more insights: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/ct-p/adobe-experience-mana...
If you've created custom components using OOTB AEM Forms components, then please elaborate further: what is the use case? What type of form submission are you referring to?
Hi Pulkit,
The form we have is a form container component, which consists of multiple fields (components) that can be configured within this form container. All of this is built using Core Components; the service pack we are using is 6.4.8.
For example, having configured the form container component, you will then have options to add or remove the fields you need on the form, like email ID, name, age, country of residence, demographic questions, etc. Basically, you can create the form with the fields you require for a site. This form submission data is then passed to a 3rd party system to store the data. We are also getting some of the form field data from the 3rd party integrated system. How do I implement security checks/spam prevention checks on such a form?
@veenakt28 I assume the form is open to everyone; then you can play around with cookies and check for the typical no. of form submissions from a particular IP, implement captcha, make sure you are not logging any PII in the logs, and implement SSL (preferably mutual auth for the service). Obfuscate the PII on the form itself. You can have server-side scripts to validate any invalid input further.
Hi @Pulkit_Jain_ @Mayank_Gandhi
Thank you for the suggestions. The suggestions provided below lean more towards implementing custom validation on the client/server side to secure the forms. If my requirement is to build a honeypot feature:
How do I implement a honeypot feature for AEM custom forms?
Is it possible to have a honeypot kind of implementation on AEM Forms?
If yes, then how do we implement this?
If not, what is the recommendation?
Any suggestions on this will be really helpful.
@veenakt28 Please understand that AEM Forms is there to capture data, and a network-level custom implementation to gauge any attack is not within the scope of Forms but of infra hardening. You should work internally with the infra team and check the scope of web development to understand the strategy that you may want to apply in the DMZ for this. This is not something specific from the product side.
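A minimal server-side honeypot check for a custom form-container POST, as an added example (not code from any participant in this thread or from Adobe): a Sling servlet that silently drops submissions where a CSS-hidden field was filled in or the form came back implausibly fast. The resource type `myproject/components/form/container` and the field names `website_url` and `form_ts` are assumptions; the hand-off to the 3rd party system is left where the existing integration would go.

```java
package com.example.forms; // hypothetical package

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

// Added example, not code from the thread or from Adobe. The resource type and
// the two field names below are assumptions; pick names that fit your container.
@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=myproject/components/form/container",
    "sling.servlet.methods=POST"
})
public class HoneypotFormServlet extends SlingAllMethodsServlet {
    // Rendered as an ordinary text input but hidden with CSS (not type="hidden",
    // which many bots skip); give it a label telling screen-reader users to leave it blank.
    static final String HONEYPOT_FIELD = "website_url";
    // Epoch millis written into a hidden input when the form was rendered.
    static final String TIMESTAMP_FIELD = "form_ts";
    static final long MIN_FILL_MILLIS = 3_000L; // humans rarely submit faster than this

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        if (!isLikelyHuman(request.getParameter(HONEYPOT_FIELD),
                           request.getParameter(TIMESTAMP_FIELD),
                           System.currentTimeMillis())) {
            // Drop silently with the same 200 a real submission gets, so a bot cannot
            // tell it was filtered. Never log the field values (they may contain PII).
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        // Hand the submission to the existing 3rd-party integration here.
        response.setStatus(HttpServletResponse.SC_OK);
    }

    /** Pure decision logic, kept free of Sling types so it can be unit-tested. */
    static boolean isLikelyHuman(String honeypotValue, String renderedAt, long now) {
        if (honeypotValue != null && !honeypotValue.isEmpty()) {
            return false; // real users never see this field, so it must stay empty
        }
        try {
            return now - Long.parseLong(renderedAt) >= MIN_FILL_MILLIS;
        } catch (NumberFormatException e) {
            return false; // missing or tampered timestamp (parseLong(null) also lands here)
        }
    }
}
```

The render timestamp is easy to forge on its own; pairing it with the per-IP submission counting suggested above, or signing it server-side, makes the timing check meaningful.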