Best Practices for Securely Sending Form Submissions via Email in a Web Application

Hi everyone, I'm a junior developer working on a website, and I need some advice on the best way to email a business owner when a user fills out a contact form and clicks submit. I initially looked into EmailJS, but I wasn't comfortable with it as it exposes API keys. Now I'm considering using Nodemailer. Could you please provide some guidance or recommendations on:
1. How to securely set up Nodemailer to handle form submissions.
2. Any best practices for protecting API keys and other sensitive information in this context.
3. If there are any other reliable alternatives to Nodemailer that you would recommend.
26 Replies
vince (4w ago)
I've never done this on the backend, so maybe my insight isn't too useful, but I've used SendGrid before (just connecting it to a prebuilt form solution) and it's nice. I found this article for setting it up in Express, but not sure what libraries you're using: https://www.twilio.com/en-us/blog/build-contact-form-node-js-sendgrid Never used Nodemailer though, so can't give much help with that.
ἔρως (4w ago)
How about you ... don't? Instead, save the message in the backend. Implement some notification system or something where you see all messages sent to you, and then you can reply directly from there and continue the communication in your email, or a ticket system or something.
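The OP asked how to handle the form submission without exposing provider keys, and the reply above suggests storing the message server-side instead of emailing it straight away. The following is an added example (not code from the thread or from any project mentioned in it) of a Vercel-style serverless handler that validates the submitted fields and hands them to a hypothetical `saveMessage()` stand-in for a database insert; any mail-provider credentials would be read from the server's environment inside this function, never from the browser.

```javascript
// Added example: server-side validation and storage of a contact-form
// submission. saveMessage() is a hypothetical placeholder for your database
// insert (e.g. a MongoDB collection); field limits are assumed values.
const LIMITS = { name: 100, email: 254, subject: 150, message: 5000 };
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns { ok: true, record } or { ok: false, errors }.
function validateSubmission(body) {
  const errors = [];
  const record = {};
  for (const [field, max] of Object.entries(LIMITS)) {
    const value = typeof body?.[field] === "string" ? body[field].trim() : "";
    if (!value) errors.push(`${field} is required`);
    else if (value.length > max) errors.push(`${field} exceeds ${max} characters`);
    // A CR or LF in a field that later becomes a mail header (subject, from)
    // could smuggle extra headers if you forward these via Nodemailer, so
    // reject line breaks everywhere except the free-text message body.
    else if (field !== "message" && /[\r\n]/.test(value)) errors.push(`${field} contains line breaks`);
    else record[field] = value;
  }
  if (record.email && !EMAIL_RE.test(record.email)) errors.push("email is not valid");
  if (errors.length) return { ok: false, errors };
  return { ok: true, record: { ...record, receivedAt: new Date().toISOString() } };
}

// Hypothetical persistence layer; replace with your real database insert.
async function saveMessage(record) {
  return { insertedId: "constructed-id", ...record };
}

// Vercel serverless function for POST /api/contact. Secrets such as an SMTP
// password (if you later add outbound mail) belong in process.env here,
// which the client never sees; nothing secret is read from the request.
async function handler(req, res) {
  if (req.method !== "POST") return res.status(405).json({ error: "method not allowed" });
  const result = validateSubmission(req.body);
  if (!result.ok) return res.status(400).json({ errors: result.errors });
  const saved = await saveMessage(result.record);
  return res.status(201).json({ id: saved.insertedId });
}

module.exports = { validateSubmission, handler };
```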
Jordanq (4w ago)
I have spent all of my time studying HTML, CSS, JavaScript basics and DOM manipulation. This is one of the last few steps for my first site. I have had so many epiphanies tackling this issue. The back end of web development is completely new to me, so I'm somewhat lost from the start, but I'm so thankful I have spent my time studying the basic functionality of JavaScript because it has made opening new doors a lot easier.
ἔρως (4w ago)
And trust me on this: you DON'T want to deal with emails at this point. Rendering emails is a huge pita. Reducing spam is a huge pita as well. You can't prevent spam, just reduce it, and if you don't do it well, you either hit a limit and legitimate people can't send emails, or you have to pay, or you will be added to a blacklist. Trust me.
Jordanq (4w ago)
I'm thinking of creating a dashboard that pulls the data from the database, and the owner can then view and decide whether or not to respond to the submission from their own email.
ἔρως (4w ago)
If you implement a way to send from the backend, that will be even better, for one reason: the client won't have to copy-paste and lose all the context.
Jordanq (4w ago)
I agree, probably a better UX experience for the client as well.
ἔρως (4w ago)
Exactly.
Jordanq (4w ago)
I'm planning on using MongoDB for the database and using Vercel serverless functions for the back end. Am I on the right track?
ἔρως (4w ago)
Depends on your needs for the emails; MongoDB is a good idea.
Jordanq (4w ago)
My only needs are to store the form submissions in the database, then display them in the dashboard and give the client the option to respond from there. I plan on deploying with Vercel (for no specific reason).
ἔρως (4w ago)
MongoDB is ok enough for that.
Jordanq (4w ago)
I want to integrate a notification system for the dashboard, but that is less important haha. My mind immediately went to Postgres for the database, maybe just because I hear of it so often in the tutorials I watch, but from my understanding MongoDB is quicker development. With MongoDB being so popular, I figured it would be good to dive into.
ἔρως (4w ago)
MongoDB is, basically, a glorified JSON file folder in my opinion. But you don't have any relationships, so a relational database will be overkill for that functionality. But if you want to handle users and stuff, having Postgres, MySQL/MariaDB or even SQLite is a better choice (users for logins, that is).
Jordanq (4w ago)
Yeah, I don't see any chance of having to handle users with this in the future.
ἔρως (4w ago)
So, the backend will be open? Or will you hard-code the information?
Jordanq (4w ago)
Although the client should be the only user for the dashboard, I think it would be better to have an open back end and use JWT for authorization and authentication. I believe it would be a better UX and more flexibility for the client to have control over passwords.
Does this offer better security, since the password will be hashed in the database?
ἔρως (4w ago)
The password MUST be properly hashed anyway, JWT or not. And I mean MUST. I don't use JWT, and I hash all passwords.
Jordanq (4w ago)
So would hard coding the information mean storing login credentials in a serverless function?
ἔρως (4w ago)
It means that the user info is in the code. Where it runs doesn't matter.
Jordanq (4w ago)
Oh okay, instead of the database.
ἔρως (4w ago)
To change anything, you need to change the code itself, yes, which is bad, in my opinion. When I code a backend, I use usernames, which have an email associated, and a password that's hashed as best as the server can handle. No JWT, no OAuth2. While it is a very good security thingy, it's lots of friction for some people. Also, it would require that I log in with Facebook or something at work, where I am not allowed to use any social networks or my personal accounts. I would have to create a new Google account, which needs a phone number, and I don't have a phone number for it.
Jordanq (4w ago)
Would this be considered session based authentication?
ἔρως (4w ago)
Yeah, but almost everything is. JWT is a session anyway; it's not just a simple id, but ... in essence, it works kinda the same. OAuth2 is the same: you need to create a session for the user anyway. Whatever data OAuth2 returns will be the session token. I know that, pedantically speaking, OAuth2 and JWT aren't session authentication, but it's still going to need a session anyway.
Jordanq (4w ago)
Any recommendation on using vanilla Node.js or serverless functions to manage the database? Seems serverless is easier to set up, but I have read stories about people getting crazy bills. Node.js looks a little more complicated, but I could see this being great for experience and I love the idea of full control. Not sure if this is overkill for my project...
ἔρως (4w ago)
Yes, I recommend that you start a new thread.