For others looking for a self-hosted alternative like Formspree I wrote something similar that deploys to AWS Lambda [0]. Nothing fancy, just an AWS Lambda endpoint that uses SES to send emails. Instead of aliasing email addresses for privacy like OP I just use the native Node.js crypto module to create a hex string of the address upfront.
I do this for a site I manage and it was remarkably easy to set up. I would recommend this for people who have familiarity with AWS, but not as a first introduction to AWS.
I was offering a CORS service with a REST API to a SQL database, authentication, email signup, and captcha, tools to build everything for static sites. Zero interest for it.
These things sound great but no one really uses them in practice.
People seem to implement this sort of capability themselves a lot. So there is going to be a small marginal value to a 'canned' version, web sites are also particularly careful with emails and other PII people send them so a service approach runs the risk of the service harvesting that data and reselling it without the web site owner's knowledge or approval. And finally, I expect a quick crawl of the web would turn up a zillion different 'tweaks' that individual sites make for their particular application, so it would be hard for them to use a pre-baked one.
I was thinking there might be a piece of javascript to read and write a cookie to a hidden field so you could keep a session variable for multiple page forms.
I use a relatively simple AWS API Gateway -> AWS Lambda -> AWS SES for this. But as trivial as it was to set up it is still way more work than this looks like. Having something more turn-key is nice.
I mentor and teach a lot of designers and beginning front-end developers. Services like this and FormSpree are a godsend for allowing them to create functioning contact forms on websites without having to go down the server-side rabbit hole.
Also, even though I'm fully capable of building my own form handling back-end, if I'm just building a static site it's nice not to have to deal with all that just for a simple contact form.
Have you thought about GDPR compliance? I don't understand GDPR very well, but it looks to me like your system would be, as it doesn't store emails sent. If so, GDPR-readiness might be a good feature to advertise on your homepage.
There's not really such a thing as being GDPR compliant. It's more about being ready when someone will be coming for a privacy related trial or information removal or when the infrastructure will leak data and the national privacy agent knocks on your door and asks "what did you do to prevent it?".
Best efforts. Except for the GAFA. And public agencies (best best efforts).
Source: working in a public agency and attending a lot of GDPR intro sessions and watching the consultants walking down the corridor.
That's interesting, and echoes my understanding, but what would you do when a client says "we want to be GDPR compliant"? I'm not sure saying "there's no such thing" would really wash. Do you have any resources that might help?
It really depends on the kind of business relationship you have with your client and the field you are in. Questions such as "Are you managing data for them?", "Who does the actual data encoding?", "What kind of data are we managing", etc., are on the table.
I'd just say what I wrote in the previous post and talk about the DPO, the infosec manager, etc.
What I am hearing and seeing a lot right now is: hire a consulting gig for a few days that will set you up (good practices, business analysis, risk assessment, ISO 27000 and 27001 compliance) and then hire a different consulting gig for two days that will be your DPO and make him come back every 6 months or year to show you are doing your best to prevent leaks.
It really does depend on the nature of your field.
The other thing I hear a lot: those UK law firms that sell GDPR consulting certificates? Don't waste money on that.
I couldn't really recommend any consulting firm, I only know two of them and I am not involved (yet) enough in the process. But basically we (a public agency) went the consulting gig road and share the fee with other agencies.
Nice! I built something like this a while back, never brought it to market. Might think about processing inputs and generating CSVs, having a simple tabular view in a dashboard, etc. It's a "backend for forms."
It looks real good.
But I don't get the catch: is it a free service?
Is there a guarantee on the time between the user posting the form and me receiving the email?
What if your site is down?
Excellent questions. It is free unless you want to use custom fields. The emails go into a queue which is listened for and processed when items are added. I have 3 listeners that run simultaneously to handle email sending.
If the site goes down then the emails are lost. I'm still working on a solution of multi region load balancing with high availability to ensure this doesn't happen.
FYI, there's no guarantee of delivery, ever, where e-mails are involved. Guaranteed delivery is not one of its features. Best-effort store-and-forward, yes; for guaranteed delivery, you need a different tool.
I use Formspree [0] for GitHub Pages hosted stuff, and it is dead simple. I've never been spammed, as it requires a human click ("I'm not a robot") for the email to send.
Staticman[0] is great. Same principle where you only have to POST to an API but with user content stored in GitHub. There's a free hosted version and it's open source.
Back in the maelstrom that was Web 1.0, where every person and their dog were uploading static HTML pages to their 'webspace' via FTP, these sorts of services were two-a-penny, many ISPs even offered them as part of their 'webservices' packages.
I'm not knocking it, it's just it's not a new idea.
Likewise I also have a similar service offering form endpoints. Plus I built a bootstrap-native form builder (generates a bootstrap form and inserts it with JS, not an iframe).
I'm looking for something similar: A visual form builder that I can self host for a form just a little more complex than a contact form. Does anybody know a solution that offers that?
Is it possible to deliver the messages to the email server in an encrypted way? I would not want my business communication being sent via cleartext/email.
Things like this and Formspree are great for setting up a one-off site. If you get to choose the hosting though, Netlify offers form submission handling as part of their free tier, with email/Slack notifications, API access, and data export.
Simpler for you. Far more confusing for users ("I clicked this and now my e-mail client is open, is that some sort of hack?!?"). This used to be promising, way back when HTML started; as good as dead nowadays.
This will not take a lot of time for spambots to figure out. Would it?
Is there any web-application-firewall level spambot filtering that would ensure that the bot traffic can be continually monitored and the rules to block spambots can be continually updated?
Agreed. A honeypot worked 100% for me for a long time. I had a bot start to slip through, somehow, so I added an additional layer of protection. I began checking server side for the time between initial request for the page to submit. If less than five seconds, the submission fails. Still a simple idea, but the execution is a little more complex.
I'm sure you probably tested this with your particular needs, but just in case you haven't: five seconds is a long time and there are many forms that can be filled out by humans in less than that. I stepped on my own toes once setting what I considered to be reasonable minimums until I tried to use my own site and found myself getting blocked because I was submitting requests too fast.
Thank you. Yes. Excellent point. The particular form I needed this for is moderately involved, so I erred on the longer side. I suspect a spambot wouldn't want to intentionally throttle itself, but they may introduce a one- or two-second delay if this becomes common enough. Definitely have to tailor it to the form.
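The honeypot plus minimum-fill-time check discussed in the comments above, as an added example that is not code from any commenter or project in this thread. It assumes a stateless handler that signs the page-render time with HMAC instead of keeping server-side session state; `SECRET`, `issueToken`, `checkSubmission`, and the `website` and `token` field names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumed names throughout: SECRET, issueToken, checkSubmission, "website", "token".
const SECRET = crypto.randomBytes(32);   // per-process key here; load a stable key from config in practice
const MIN_FILL_MS = 5000;                // the five-second floor from the comment; tune per form
const MAX_AGE_MS = 60 * 60 * 1000;       // refuse tokens older than one hour

function sign(ts) {
  return crypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Called when the form page is served; the value goes into a hidden "token" field.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

function checkSubmission(fields, now = Date.now()) {
  // Honeypot: the "website" input is hidden from humans, so any value means a bot filled it.
  if (fields.website) return { ok: false, reason: 'honeypot' };

  const [tsStr, mac] = String(fields.token || '').split('.');
  const ts = Number(tsStr);
  if (!tsStr || !mac || !Number.isSafeInteger(ts)) return { ok: false, reason: 'bad-token' };
  const expected = Buffer.from(sign(ts), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-token' };   // timestamp was altered or never issued by us
  }
  const elapsed = now - ts;
  if (elapsed < MIN_FILL_MS) return { ok: false, reason: 'too-fast' };
  if (elapsed > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  return { ok: true, reason: null };
}

// Constructed submissions (not real traffic); the page is rendered at t0.
const t0 = 1700000000000;
const token = issueToken(t0);
console.log(checkSubmission({ name: 'A', website: '', token }, t0 + 800));         // too-fast
console.log(checkSubmission({ name: 'A', website: '', token }, t0 + 12000));       // ok
console.log(checkSubmission({ name: 'A', website: 'http://x', token }, t0 + 12000)); // honeypot
```

A signed token stays valid until it expires, so the same token can accompany many submissions; recording used tokens server-side closes that gap at the cost of keeping state.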
I am sure that worked for you and I do not want to undermine the importance of simplicity. However my question was drawn from my previous experience where it was one hell of a task to keep the spam bots out.
Therefore, just to offer a counterpoint, I would like to register my experience here. A random name surely did not do the trick for us. Simple tricks like creating a random hidden field would be broken by spambots in less than 48 hours. It took a great deal of expensive WAFs like Barracuda and a lot of Lua scripting combined with cookie analysis (and overall request header analysis) to detect spambots with only a 90%-95% accuracy and keep them out.
[0]: https://formspree.io
[1]: https://github.com/formspree/formspree