How to prevent site visitors from directly executing a Server Connect API

Hi, I have a contact form on the public site. On submit, the Server Connect form triggers the Server Connect API. This API stores the form POST data in a database and, after saving, sends out two emails. For some time now, people have looked up the form's post target and copied and pasted this path to the Server Connect API directly into the browser. That triggers the API, producing an empty save in the database and an empty mail.

I start the Server Connect API with a condition that checks whether a POST data field is not empty; if it is not, it continues with the save to the database and sends out the mail. But somehow this condition is overruled or something? Here is the condition code, and my question is: how do I prevent direct execution of the API?
Condition CODE:
$_POST.con_bericht!='\'\''

Hello

What about using reCAPTCHA?
I don't know if they have really changed the limit:
https://cloud.google.com/recaptcha-enterprise/quotas

Alright, I have a reCAPTCHA (v2) on the client side, but not in the SC API. I just added it and configured it with the secret key, saved it and uploaded it. Now the form will not submit, because the reCAPTCHA check failed. But I got a green check on the client side before submitting, so the server-side reCAPTCHA validation does not get that information. Are there additional steps to take in the SC API?

Is it a Node project?

Is the reCAPTCHA inside the form?

@ben had a video I watched this year that addressed this issue by inserting hidden fields in the form that had to be validated by the Server Connect. It was a two-field punch to address two ways of securing a form from being submitted by bots.

Let me look around and see if I can find it really fast.

Found it, look at this and see if this helps you out.

You might need to modify it slightly to work with your situation though.

Remove the condition; you can set validation directly on the $_POST variables. Click them and you'll see the Validation options.

Sorry, I'm not at the computer, so I can't give a screenshot.

Also, the condition is wrong: you need to remove the \' things.

Maybe I'm wrong, but that would help on the client side by preventing bots from correctly filling in the form.
But someone (a human) can copy the POST request, so the URL is sent to SC with the hidden field values included...

I hate reCAPTCHAs. It is Google's way of keeping track of visitors to your site so that they can make even more money out of unsuspecting users.

Having said that, have a look at the following video:


Thanks all for the suggestions! I will check the videos and options and will let you know what came out of it.

Okay, I skipped the server-side reCAPTCHA check; I could not make it work. Also, I share your thoughts about this, @ben!
But changing the condition (thanks @Apple) to the right format made my original plan work.
Both video suggestions (@Scott and @ben) were very interesting, and I will certainly use those validation and honeypot features in my next registration and other important forms. Thanks for that.


If you want to make sure your server action is protected, you need both: reCAPTCHA on the page and on the server side. Otherwise it protects nothing. You can't use reCAPTCHA on the page only; it needs to be added to the server action as well.

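The three pieces this thread converges on (server-side validation of the POST field instead of the quoted-string condition, a hidden honeypot field as in the videos mentioned earlier, and reCAPTCHA v2 verified on the server as the reply above insists) fit together as below. This is an added example in Node, not Wappler's own Server Connect code and not the original poster's action. The field name con_bericht comes from the thread; the honeypot field name `website`, the environment variable RECAPTCHA_SECRET and the request shape (`method`, `body`, `ip`, as Express exposes them) are assumptions for the example. The `g-recaptcha-response` form field and the siteverify endpoint are Google's documented reCAPTCHA v2 interface.

```javascript
// Added example (not Wappler's or the poster's code): server-side checks that
// must pass before a contact-form endpoint saves anything or sends mail.
// Field/variable names below that are not from the thread are assumptions.
const REQUIRED_FIELDS = ["con_bericht"];            // from the thread
const HONEYPOT_FIELD = "website";                   // assumed hidden field; humans leave it empty
const RECAPTCHA_FIELD = "g-recaptcha-response";     // added to the form by the v2 widget
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// An empty-string check: trims whitespace so "   " does not count as content.
// (Comparing against the literal text '' made of two quote characters never matches.)
function isBlank(value) {
  return typeof value !== "string" || value.trim() === "";
}

// Synchronous, offline checks. Returns null when the request may proceed to
// captcha verification, otherwise a short reason string for logging.
function checkFields(req) {
  if (req.method !== "POST") return "method";        // a URL pasted into the browser is a GET
  const body = req.body || {};
  for (const field of REQUIRED_FIELDS) {
    if (isBlank(body[field])) return `empty:${field}`;
  }
  if (!isBlank(body[HONEYPOT_FIELD])) return "honeypot";   // bots fill every field they see
  if (isBlank(body[RECAPTCHA_FIELD])) return "captcha-missing";
  return null;
}

// Real verifier: POST secret + response (+ remoteip) to Google's siteverify endpoint.
// The secret key lives only on the server; the site key in the page is public.
async function verifyRecaptchaV2(token, remoteIp, secret = process.env.RECAPTCHA_SECRET) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set("remoteip", remoteIp);
  const res = await fetch(SITEVERIFY_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params,
  });
  return res.json(); // { success: boolean, "error-codes": [...], ... }
}

// Full handler: field checks first, then the captcha round trip, then (not shown)
// the database save and the two mails. `verifyCaptcha` is injectable for testing.
async function handleSubmission(req, verifyCaptcha = verifyRecaptchaV2) {
  const reason = checkFields(req);
  if (reason) return { ok: false, reason };
  const result = await verifyCaptcha(req.body[RECAPTCHA_FIELD], req.ip);
  if (!result.success) {
    return { ok: false, reason: "captcha-failed", codes: result["error-codes"] || [] };
  }
  // Only now: store req.body in the database and send the mails.
  return { ok: true };
}

// Offline demo with a stubbed verifier (constructed sample request, no network).
const sampleReq = {
  method: "POST",
  ip: "203.0.113.5",
  body: { con_bericht: "Hello", website: "", "g-recaptcha-response": "token-from-widget" },
};
handleSubmission(sampleReq, async () => ({ success: true }))
  .then((r) => console.log("sample submission:", r));
```

Because checkFields runs before anything touches the database or the mailer, a path pasted into the browser (a GET with no body) is rejected at the very first check, and a replayed POST that someone copied from the network tab fails at the captcha step: Google documents that a v2 response token expires after two minutes and can be verified only once, so the copied token is worthless without the widget being solved again.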

I understand. Inside the form I have the reCAPTCHA with the site key. It is a Server Connect form. In the SC API, the first step in Execute is the reCAPTCHA validate with the secret key (I use reCAPTCHA version 2).
But in all my tests I get a validation error from SC. I looked up the documentation but cannot find any other needed configuration. What can the matter be?

Can you show some code or screenshots of the structure of the Server Connect action and the form?
Also, are you using App Connect v2? Are all files updated and uploaded?

No, I am still using App Connect v1, not updated in the last 4 months, I guess. This is the structure:

I reported a bug some time ago about using reCAPTCHA with stable App Connect v1:

Maybe you can test it on AC2...
Remember to back up first!