Tuesday 6 June 2017

Nodemailer security concern

Recently I have been building a "Contact Us" form for a corporate website, using Firebase functions and Nodemailer. Doing so I have been thinking about the security concerns lying behind that.

First of all on my front-end I do have validation checks for all the input fields, like if an e-mail address is valid and phone number and so on, so on.

Of course I thought about the fact that those validation checks on the front-end can always be manipulated, so I have put the same ones inside my Firebase function (back-end) code as well.

Apart from that I have implemented ReCAPTCHA verification right on my back-end, so now it got even more secure.

The last thing that I have been wondering is about any kind of attacks that can be made throughout. I thought about XSS (Cross-Side-Scripting) and currently I have zero idea if it can be accomplished in the context that I am talking about. I do not verify the data in my "Subject" and "Message" fields, so if the user wants to input "bad" data, they can surely go and do that. Indeed this makes me feel not hundred percent relaxed that all the security concerns are covered.

So basically this is my question. Is there any danger right there, that some of my input fields might transport "not-secure" data and is that dangerous in the context of sending e-mail messages with Nodemailer (version > 4). Can it harm something, or it is completely secure and fine, and I should not really worry about that.



via Bilger Yahov

No comments:

Post a Comment