Hacker News new | comments | ask | show | jobs | submit login
Show HN: Jumprock.co – HTML Forms for Static Sites (jumprock.co)
161 points by therov 10 months ago | hide | past | web | favorite | 68 comments

Seems similar to Formspree[0], which one can self-host[1], but lacks the aliasing feature of your solution. Looks very cool!

[0]: https://formspree.io

[1]: https://github.com/formspree/formspree

For others looking for a self-hosted alternative like Formspree I wrote something similar that deploys to AWS Lambda [0]. Nothing fancy, just a AWS Lambda endpoint that uses SES to send emails. Instead of aliasing email addresses for privacy like OP I just use the native Node.js crypto module to create a hex string of the address upfront.

[0] https://github.com/danielireson/formplug-serverless

I do this for a site I manage and it was remarkably easy to set up. I would recommend this for people who have familiarity with AWS, but not as a first introduction to AWS.

Why do these apps keep getting upvoted and created? Formspree has been around a long time, I don't understand it :P

I was offering a cors sevice with a rest api to sql database, authentication, email signup, and captcha, tools to build everything for static sites. Zero interest for it.

These things sound great but no one really uses them in practice.

Could be the wrong take away.

People seem to implement this sort of capability themselves a lot. So there is going to be a small marginal value to a 'canned' version, web sites are also particularly careful with emails and other PII people send them so a service approach runs the risk of the service harvesting that data and reselling it without the web site owners knowledge or approval. And finally, I expect a quick crawl of the web would turn up a zillion different 'tweaks' that individual sites make for their particular application, so it would be hard for them to use a pre-baked one.

Hey all,

I am the creator of https://Jumprock.co. This is a rebrand from an earlier project I did called Formpost.

It includes aliased names to not expose email addresses and custom fields now.

I was thinking there might be a piece of javascript to read and write a cookie to a hidden field so you could keep a session variable for multiple page forms.

I like that idea. Something to add to the list of new features.

Why did you rebrand and lose any inbound links you may have accumulated?

Any plans to charge for it? What will you do about server load if it got popular or is this not an issue?

Currently you can get custom fields for 14.99 per year. Server load isn't really an issue.

Suggestion: use input type=hidden instead of display:none on the honeypot

Cool. You should consider using input type="tel" for capturing phone numbers - https://developer.mozilla.org/en-US/docs/Web/HTML/Element/in...

On a mobile device, it will automatically pop up the number-pad. Makes life a little easier for people filling in the form.

Similarly, input type="email" will pop up a keyboard with an @ symbol. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/in...

very good, and also may provide smarter autofill

Very cool. Good job.

I use a relatively simple AWS API Gateway -> AWS Lambda -> AWS SES for this. But as trivial as it was to set up it is still way more work than this looks like. Having something more turn-key is nice.

Each generation invents their own tools. The cycle has reached FrontPage Server Side Includes. Soon the new PHP will emerge.

I mentor and teach a lot of designers and beginning front-end developers. Services like this and FormSpree are a godsend for allowing them to create functioning contact forms on websites without having to go down the server-side rabbit hole.

Also, even though I'm fully capable of building my own form handling back-end, if I'm just building a static site it's nice not to have to deal with all that just for a simple contact form.

Um no.

This is for when you don’t have a server.

It will probably be something that compiles to javascript made with babel.

New tools solve problems, but create some new (hopefully smaller) problems, which opens the possibilities for new solutions.

Also you can use Google Apps Mail to send emails from a static site and save the field values to a spreadsheet at once for free: https://github.com/dwyl/html-form-send-email-via-google-scri...

Have you thought about GDPR compliance? I don't understand GDPR very well, but it looks to me like your system would be, as it doesn't store emails sent. If so, GDPR-readiness might be a good feature to advertise on your homepage.

There's not really such a thing as being GDPR compliant. It's more about being ready when someone will be coming for a privacy related trial or information removal or when the infrastructure will leak data and the national privacy agents knocks on your door and asks "what did you do to prevent it ?".

Best efforts. Except for the GAFA. And public agencies (best best efforts).

Source: working in a public agency and attending a lot of GDPR intro sessions and watching the consultants walking down the corridor.

That's interesting, and echoes my understanding, but what would you do when a client says "we want to be GDPR compliant"? I'm not sure saying "there's no such thing" would really wash. Do you have any resources that might help?

It really depends on the kind of business relationship you have with your client and the field you are in. Questions such as "Are you managing data for them ?", "Who does the actual data encoding ?", "What kind of data are we managing", etc., are on the table.

I'd just say what I wrote in the previous post and talk about the DPO, the infosec manager, etc.

What I am hearing and seeing a lot right now is: hire a consulting gig for a few days that will set you up (good practices, business analysis, risks assessment, iso 27000 and 27001 compliance) and then hire a different consulting gig for two days that will be your DPO and make him come back every 6 months or year to show you are doing your best to prevent leaks.

It really does depend on the nature of your field.

The other thing I hear a lot: those UK law firms that sell GDPR consulting certificates ? Don't waste money on that.

I couldn't really recommend any consulting firm, I only know two of them and I am not involved (yet) enough in the process. But basically we (a public agency) went the consulting gig road and share the fee with other agencies.

Oh, and I am not a lawyer of course.

That's a really helpful description, thank you!

Nice! I built something like this a while back, never brought it to market. Might think about processing inputs and generating CSVs, having a simple tablular view in a dashboard, etc. It's a "backend for forms."

You might find useful a self-hosted headless cms


It looks real good. but I don't get the catch: is it free service ? is there a guarantee on the time between the user posting the form and me receiving the email ? what if your site is down ?

Excellent questions. It is free unless you want to use custom fields. The emails go into a queue which is listened for and processed when items are added. I have 3 that listeners that run simultaneously to handle email sending.

If the site goes down then the emails are lost. I'm still working on a solution of multi region load balancing with high availability to ensure this doesn't happen.

FYI, there's no guarantee of delivery, ever, where e-mails are involved. Guaranteed delivery is not one of its features. Best-effort store-and-forward, yes; for guaranteed delivery, you need a different tool.

(I do wonder what's in it for Jumprock, too)

Love these type of tools especially when using with github pages.

Anyone have any other tool recommendations that work well with github pages and other static sites?

I use Formspree [0] for GitHub Pages hosted stuff, and it is dead simple. I've never been spammed, as it requires a human click ("I'm not a robot") for the email to send.

[0] https://formspree.io

Staticman[0] is great. Same principle where you only have to POST to an API but with user content stored in Github. There's a free hosted version and it's open source.

[0] https://staticman.net/

Edit: Disclaimer: the company I work for Sponsor their hosting.

A stupid (but working!) solution I came up with the other day. Submit forms from your static site to Telegram: https://telegram.me/submissionsbot

What goes around, comes around I guess.

Back in the maelstrom that was Web 1.0, where every person and their dog were uploading static html pages to their 'webspace' via FTP, these sort of services were two-a-penny, many ISPs even offered them as part of their 'webservices' packages.

I'm not knocking it, it's just it's not a new idea.

Likewise I also have a similar service offering form endpoints. Plus I built a bootstrap-native form builder (generates a bootstrap form and inserts it with JS, not an iframe).

I also have Slack, and webhook notifications.


Nice! The alias (or the lack thereof) is one thing that keeps me from using Formspree, as I don't want the email addresses to be exposed.

One suggestion I have is to support aliases in CC and BCC fields as well. You already have the implementation.

Of course, the alias should support multiple email addresses in one.

You could use this docker image instead as well https://github.com/encryption/contact

I'm looking for something similar: A visual form builder that I can self host for a form just a little more complex than a contact form. Does anybody know a solution that offers that?


Thanks, but that's not self-hosted

For completeness, there’s also Formkeep (https://formkeep.com/) which is similar.

Is it possible to deliver the messages to the email server in an encrypted way? I would not want my business communication being sent via cleartext/email.

Things like this and Formspree are great for setting up a one-off site. If you get to choose the hosting though, Netlify offers form submission handling as part of their free tier, with email/Slack notifications, API access, and data export.


So, I take it they have never heard of simply doing

   <form action="mailto:destination@example.com" method="post" enctype="text/plain">
Simpler and does not disclose your data to third parties.

Simpler for you. Far more confusing for users ("I clicked this and now my e-mail client is open, is that some sort of hack?!?"). This used to be promising, way back when HTML started; as good as dead nowadays.

honestly what was just "created" serves no purpose. because I dont want to expose my address I use zappier and then add it to a google spreadsheet..

I must say "Honeypot" solutions don't work at all.

Any suggestion?

Is there a daily/monthly limit?

There is a soft limit of 200 emails per hour to prevent spam.

That's really cool! Thank you for building it.

literally 1 zappier integration.

How does it deal with Spambots?

One of the example forms has a honeypot input. Any submission where that field is non-empty is discarded.

This will not take a lot of time for spambots to figure out. Would it?

Are there any web-application-firewall level spambot filtering that would ensure that the bot traffic can be continually monitored and the rules to block spambots can be continually updated?

In my previous job an honeypot field with a random name in the form of email__($randomString of 3 to 6 chars) was enough to block 100% of the spam.

Simplicity is the ultimate sophistication.

Agreed. A honeypot worked 100% for me for a long time. I had a bot start to slip through, somehow, so I added an additional layer of protection. I began checking server side for the time between initial request for the page to submit. If less than five seconds, the submission fails. Still a simple idea, but the execution is a little more complex.

I'm sure you probably tested this with your particular needs, but just in case you haven't: five seconds is a long time and there are many forms that can be filled out by humans in less than that. I stepped on my own toes once setting what I considered to be reasonable minimums until I tried to use my own site and found myself getting blocked because I was submitting requests too fast.

Thank you. Yes. Excellent point. The particular form I needed this for is moderately involved, so I erred on the longer side. I suspect a spambot wouldn't want to intentionally throttle itself, but they may introduce a one- or two-second delay if this becomes common enough. Definitely have to tailor it to the form.

I am sure that worked for you and I do not want to undermine the importance of simplicity. However my question was drawn from my previous experience where it was one hell of a task to keep the spam bots out.

Therefore, just to offer a counterpoint, I would like to register my experience here. A random name surely did not do the trick for us. Simple tricks like creating a random hidden field would be broken by spambots in less than 48 hours. It took a great deal of expensive WAFs like Barracuda and a lot of Lua scripting combined with cookie analysis (and overall request header analysis) to detect spambots with only a 90%-95% accuracy and keep them out.

If a spambot targets you specifically, that's another story of course.

Most of the spambots jsut search for forms to fill on the internet.

As far as I know the reverse captcha (thats what the honeypot is) is still not seen by bots and they just fill out the field as per usual.

How do you filter spam ?

it says: honeypot input

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact