Best Practices for Securely Sending Form Submissions via Email in a Web Application
Hi everyone,
I'm a junior developer working on a website, and I need some advice on the best way to email a business owner when a user fills out a contact form and clicks submit.
I initially looked into EmailJS, but I wasn't comfortable with it as it exposes API keys. Now, I'm considering using Nodemailer.
Could you please provide some guidance or recommendations on:
1. How to securely set up Nodemailer to handle form submissions.
2. Any best practices for protecting API keys and other sensitive information in this context.
3. If there are any other reliable alternatives to Nodemailer that you would recommend.
26 Replies
I've never done this on the backend so maybe my insight isn't too useful but I've used Sendgrid before (just connecting it to a prebuilt form solution) and it's nice. I found this article for setting it up in Express, but not sure what libraries you're using: https://www.twilio.com/en-us/blog/build-contact-form-node-js-sendgrid
Never used Nodemailer though so can't give much help with that.
how about you ... don't?
instead, save the message in the backend
implement some notification system or something, where you see all messages sent to you, and then you can reply directly from there
and you continue the communication in your email, or a ticket system or something
I have spent all of my time studying html CSS JavaScript basics and DOM manipulation. This is one of the last few steps for my first site. I have had so many epiphanies tackling this issue. The back end of web development is completely new to me so I'm somewhat lost from the start but I'm so thankful I have spent my time studying the basic functionality of JavaScript because it has made opening new doors a lot easier.
and trust me in this: you DON'T want to deal with emails at this point
rendering emails is a huge pita
reducing spam is a huge pita as well
you can't prevent spam: just reduce
and if you don't do it well, you either hit a limit and legitimate people can't send emails, or you have to pay or you will be added to a blacklist
trust me
I'm thinking of creating a dashboard that pulls the data from the database and the owner can then view and decide whether or not to respond to the submission form their own email
if you implement a way to send from the backend, that will be even better, for 1 reason: the client won't have to copy-paste and lose all the context
I agree, probably a better UX experience for the client as well .
exactly
I'm planning on using mongo.db for the database and using vercel serverless functions for the back end. Am I on the right track?
depends on your needs
for the emails, mongodb is a good idea
My only needs are to store the form submission in the database then display them in the dashboard and give the client the option to respond from there. I plan on deploying with vercel (for no specific reason).
mongodb is ok enough for that
I want to integrate a notification system for the dashboard but that is less important haha
My mind immediately went to postgres for database maybe just because I hear of it so often on the tutorials I watch but from my understanding mongo.db is a quicker development. With mongo.db being so popular I figured it would be good to dive into.
mongodb is, basically, a glorified json file folder
in my opinion
but, you don't have any relationships, so, a relational database will be overkill for that functionality
but if you want to handle users and stuff, having postgres, mysql/mariadb or even sqlite is a better choice
(users for logins, that is)
Yeah I don't see any chance of having to handle users with this in the future.
so, the backend will be open? or will you hard-code the information?
Although the client should be the only user for the dashboard I think it would be better to have an open back end and use JWT for authorization and authentication.
I believe it would be a better UX and more flexibility for the client to have control over passwords.
Does this offer better security since the password will be hashed in the database?
Does this offer better security since the password will be hashed in the database?
the password MUST be properly hashed anyways, JWT or not
and i mean MUST
i don't use JWT and i hash all passwords
So would hard coding the information mean storing login credentials in a serverless function?
it means that the user info is in the code
where it runs doesn't matter
Oh okay instead of the database
to change anything, you need to change the code itself
yes, which is bad, in my opinion
when i code a backend, i use usernames, which have an email associated, and a password that's hashed as best as the server can handle
no jwt, no oauth2
while it is a very good security thingy, it's lots of friction for some people
also, would require that i login with facebook or something at work, where i am not allowed to use any social networks or my personal accounts
i would have to create a new google account, which needs a phone number, and i dont have a phone number for it
Would this be considered session based authentication?
yeah
but almost everything is
jwt is a session anyways
it's not just a simple id, but ...
in essensce, works kinda the same
oauth2 is the same
you need to create a session for the user anyways
whatever data oauth2 returns will be the session token
i know that, pedantically speaking, oauth2 and jwt aren't session authentication, but it's still going to need a session anyways
Any recommendation on using vanilla node.js or serverless functions to manage database? Seems serverless is easier to set-up but I have read stories about people getting crazy bills. node.js looks a little more complicated but I could see this being great for experience and I love the idea of full control, not sure if this is over kill for my project..
yes, i recommend you to start a new thread