Adobe Experience Manager Forms

Hi Pulkit,

Thank you for getting back soon, in my case the forms we have are customized (it is a custom component), these are not taken from the AEM forms, in this case how do we secure form submission. 

@veenakt28 

Do you mean to say that you have used OOTB site components to create custom form components and then created a form or embedded the same in a page?

If there are no AF components being used then you can reach out to AEM site experts here for more insights- https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/ct-p/adobe-experience-mana... 

If you've created custom components using OOTB AEM Forms components then please elaborate further- what is the use case? What type of form submission you're referring to?

Hi Pulkit,

The forms we have is a form container component, which consists of multiple fields (components) which can be configured within this form container, all of this is built using core components, the service pack we are using is 6.4.8
To give an eg. having configured the form container component, you will then have options to add remove the fields you need on the form like email ID, name, age, country of residence, demographic questions etc. Basically you can create the form with the fields you require for a site. This form submission data is then passed to a 3rd party system to store the data. We are also getting some of the form field data from the 3rd party integrated system. How do I implement security check/spam prevention checks on such a form.

@veenakt28 I assume the form is open to everyone, then you can play around with cookies, and check for the typical no. of form submission from a particular IP, Implement captcha, make sure you are not logging any PII in the logs, Implement SSL(preferably mutual auth for service). Obfuscate the PII on the form itself. You can have server-side scripts to validate any invalid input further. 

Hi @Pulkit_Jain_ @Mayank_Gandhi 

Thank you for the suggestions, the suggestions provided below are more leaning towards implementing a custom validation on the client/server side to secure the forms, if my requirement is to build a honeypot feature,

how do I implement a honeypot feature for AEM custom forms?

Is it possible to have a honeypot kind of implementation on AEM forms?

If yes, then how do we implement this?

If not what is the recommendation ?

Any suggestions on this, will be really helpful.

@veenakt28 Please understand that AEM forms are to capture data and the network level custom implementation to gauge any attack is not within the scope of forms but infra hardening. You should work internally with the infra team and the check scope of web development to understand the strategy that you may want to apply in the DMZ for this. Not something specific from the product side on this.