It started off with a simple enough request:
“Just saw a couple of you have added your email address to your profile page or portfolio site. Bots trawl sites looking for email addresses to spam so it’s not a good idea…”
A reasonable enough request from Crispin, course leader of the boot-camp. One tinged with data security paranoia perhaps, but at least this one is easily understandable and believable. He then went on to suggest pointing users to a contact form either on this very blog, or to a social network as a means of communication.
The security cogs begin to turn…
Wanting to keep this blog purely, um, bloggy, I decided that the form was to go on my profile site. Easy enough to do too (yes it needs a button):
<form action="/my-handling-form-page" method="post">
  <input type="text" id="name" name="user_name" />
  <input type="email" id="mail" name="user_email" />
  <textarea id="msg" name="user_message"></textarea>
</form>
Now while I don’t fully understand the entire server-side process for handling these GET/POST requests, amongst all the other methods of data submission utilising server-side technologies, I did suspect that simply having a pure HTML form was not going to really assist in the security stakes.
I came across the following two articles, and I’m sure there are more:
The key take-away knowledge from this brief bit of research:
- Be paranoid;
- Robots will hit your site, possibly more than people; see point 1 for their intentions;
- SSL is essential;
- I don’t know or understand enough about data/web security yet.
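As an added example (not code from the original post), here is a sketch of the server-side checks a handler for the form above could apply before doing anything with a submission. The field names are the form's own; the length limits, the hidden `website` honeypot input and the function name are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Field names come from the form above; the limits are assumed values.
LIMITS = {"user_name": 100, "user_email": 254, "user_message": 5000}
HEADER_FIELDS = {"user_name", "user_email"}  # likely to end up in mail headers
HONEYPOT = "website"  # hypothetical hidden input that a human never fills in
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def validate_submission(body):
    """Check a urlencoded POST body; return (clean_fields, errors)."""
    try:
        raw = parse_qs(body, keep_blank_values=True, max_num_fields=10)
    except ValueError:
        return {}, ["too many fields"]
    if raw.get(HONEYPOT, [""])[0]:
        return {}, ["honeypot filled in"]
    clean, errors = {}, []
    for field, limit in LIMITS.items():
        values = raw.get(field, [])
        if len(values) != 1:
            errors.append(f"{field}: expected exactly one value")
            continue
        value = values[0].strip()
        if not value:
            errors.append(f"{field}: empty")
        elif len(value) > limit:
            errors.append(f"{field}: longer than {limit} characters")
        elif field in HEADER_FIELDS and ("\r" in value or "\n" in value):
            errors.append(f"{field}: line breaks not allowed")
        elif field == "user_email" and not EMAIL_RE.fullmatch(value):
            errors.append(f"{field}: not an email address")
        else:
            clean[field] = value
    return ({}, errors) if errors else (clean, [])


# Constructed sample request bodies, as a browser or a bot would send them.
GOOD = "user_name=Ada&user_email=ada%40example.com&user_message=Hello+there"
INJECT = "user_name=Ada%0D%0ABcc%3A+x%40example.com&user_email=ada%40example.com&user_message=hi"
BOT = GOOD + "&website=http%3A%2F%2Fspam.example"

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("inject", INJECT), ("bot", BOT)):
        print(name, validate_submission(body))
```

The browser's `type="email"` check is only a convenience for honest users; anything that posts to the URL directly bypasses it, which is why every check is repeated on the server.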
In any case, I just found a third party, with good reviews, who provide an embedded form for my website. Until I have the skills and/or knowledge to do better myself, it will have to do.
As just a web user, it’s easy to manage your own web security; however, as an architect of it, there is a lot more responsibility. My eyes are opened, and there is yet more that I didn’t know I didn’t know.