The sales department started getting blank contact forms. Truly a life or death dilemma- how do you set up a followup pipeline for a blank form? Do you contact the nameless one via email or phone? Or maybe by midnight seance, shrouded in red robes and chanting in Latin?
So we needed to add server side checks. Easy enough usually, but for a complication with the submission process. The form is sent, and some processing happens. 2 emails are sent. This can take milliseconds, or it can take 2 seconds (or more). After testing, it seemed too slow- even with a spinner/processing animation, it detracted from the user experience.
So we did a slight cheat. Implemented a couple more client side checks (to handle submissions via legacy browser versions that don’t support the ‘required’ tag), and added some server side checks. But those server side checks are only implemented after we update the UI on the front end. So, if a regular user submits the form, they get the nice flow- if something’s wrong with a field, an error message shows, they can’t submit, they fix the problem. When they do submit a valid form, the screen immediately shows the ‘thank you’ message.
But if some nefarious entity is trying to circumvent the form, the server side checks come into play. That entity gets no nice message asking them to fix the mistakes and try again- the submission silently fails.
Are we being unfair to spammers or bots? Maybe. Will these checks fail a more sophisticated spamming attack? Certainly- we didn’t implement a captcha-type validation system, but these will prevent some spamming, so it’s a good solution for now.