Hi,
I would like to know if there are security concerns with using WebApp to ingest POST data from a client "contact me" form (code below).
I know that Meteor methods and publications have input validation requirements and that one can also implement ddp-rate-limiters.
Is there anything else that can be done in terms of security within the Meteor app itself?
import { Meteor } from 'meteor/meteor';
import { WebApp } from 'meteor/webapp';
import bodyParser from 'body-parser';
import { check, Match } from 'meteor/check';
import { contactMeEmail } from './email';

const { FQDN } = Meteor.settings.private;

WebApp.connectHandlers.use(bodyParser.urlencoded({ extended: true }));

WebApp.connectHandlers.use((req, res, next) => {
  // Only handle form submissions (POST) for this path; everything else falls through.
  if (req.method === 'POST' && req.url.startsWith('/api/new-contact')) {
    const { body } = req;
    const { name, email, message } = body;
    // Not sure if these checks are useful.
    // `check` throws Match.Error on a mismatch, so a failed check must be caught
    // or the request ends up as a 500 instead of a client error.
    // name and message are optional below (the code falls back when they are empty).
    try {
      check(name, Match.Optional(String));
      check(email, String);
      check(message, Match.Optional(String));
    } catch (err) {
      res.writeHead(400, { 'Content-Type': 'text/plain' });
      res.end('Invalid form data');
      return;
    }
    const subject = `Contact request: ${name ? name : email}`;
    contactMeEmail(email, subject, message ? message : 'Please contact me');
    // 307 redirect to the thank-you page; writeHead fixes the status, so it
    // must not be overwritten with 200 afterwards.
    res.writeHead(307, { Location: `http://${FQDN}/thank-you.html` });
    res.end();
  } else {
    next();
  }
});
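One way to tighten the validation the question asks about, as an added example that is not the poster's code: plain Node.js (no Meteor dependency, so `check`/`Match` are replaced by explicit type, length and character checks), with the field limits, the email pattern and the function names being assumptions. It covers the points a defender would want for a body-parser fed contact endpoint: reject non-string fields that `extended: true` parsing can produce, bound lengths, and keep CR/LF out of anything that ends up in a mail header.

```javascript
// Added example (not the poster's code): request validation for the
// /api/new-contact handler, written as plain Node.js so it runs without
// Meteor. In the real app `check`/`Match` from 'meteor/check' can play the
// same role; the limits and the email pattern below are assumptions.
const MAX_NAME = 100;
const MAX_EMAIL = 254;
const MAX_MESSAGE = 5000;
// Deliberately simple shape check: one '@', a dot in the domain, no whitespace.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns { ok: true, value } with trimmed fields, or { ok: false, error }.
// Everything from body-parser is untrusted: types, lengths and characters
// are all checked before the values reach the mailer or an email header.
function validateContact(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, error: 'body must be a form object' };
  }
  const { name = '', email, message = '' } = body;
  const fields = { name, email, message };
  for (const [key, val] of Object.entries(fields)) {
    // Rejects arrays/objects that `extended: true` builds from name[0]=... style keys,
    // and a missing email (undefined).
    if (typeof val !== 'string') {
      return { ok: false, error: `${key} must be a string` };
    }
  }
  if (name.length > MAX_NAME) return { ok: false, error: 'name too long' };
  if (email.length > MAX_EMAIL || !EMAIL_RE.test(email)) {
    return { ok: false, error: 'invalid email' };
  }
  if (message.length > MAX_MESSAGE) return { ok: false, error: 'message too long' };
  return { ok: true, value: { name: name.trim(), email, message: message.trim() } };
}

// Header-safe subject: collapses CR/LF so a crafted name cannot add extra
// mail headers when the subject is written into the outgoing message.
function buildSubject(name, email) {
  const who = (name || email).replace(/[\r\n]+/g, ' ');
  return `Contact request: ${who}`;
}

// Gate for the middleware: only a POST with a form body for exactly this path.
function acceptsRequest(req) {
  return req.method === 'POST'
    && req.url === '/api/new-contact'
    && /^application\/x-www-form-urlencoded/.test(req.headers['content-type'] || '');
}
```

In the handler, call `acceptsRequest(req)` before touching `req.body`, answer 400 when `validateContact(req.body).ok` is false, and build the subject with `buildSubject` instead of the raw template string.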