I have a form where some users can enter up to three emails to invite friends to the website.
I have a technical question: how can I prevent someone from somehow using malicious code to send thousands of emails (instead of up to three)?
PS: this website is built with React.js.
You likely need some backend check, like requiring a valid email or login and having a fixed number of emails each client can send per valid email or login. You would need some backend to keep track of the submits per user (email/login/IP).
Without knowing more about how the form submit is handled, it’s hard to really make any recommendation.
What you might be able to do is use rate limiting. Try using the express-rate-limit npm package (if you are using Node) or store some cookies to make sure a user can’t send more than three emails.
If you are using accounts and authentication, it’s best if you use @lasjorg's example.
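A sketch of the backend check the replies describe, added here as an example and not code from any poster: the server re-applies the three-address cap on every request and keeps a per-client quota in its own store, because anything enforced only in the React form can be skipped by posting to the endpoint directly. The function name `checkInvite`, the in-memory `Map`, the 24-hour window and the quota of three are assumptions; a real handler would take `clientKey` from the authenticated session (or the IP as a fallback) and use a shared store.

```javascript
// Added example. Limits and names are assumptions, not from the thread.
const MAX_PER_REQUEST = 3;               // the form allows up to three addresses
const MAX_PER_WINDOW = 3;                // assumed quota per client per window
const WINDOW_MS = 24 * 60 * 60 * 1000;   // assumed 24 h window
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// usage: Map of clientKey -> { windowStart, sent }, kept on the server.
// clientKey must come from the session or connection, never the request body.
function checkInvite(usage, clientKey, body, now = Date.now()) {
  const list = body && body.emails;
  if (!Array.isArray(list) || list.length === 0) {
    return { ok: false, status: 400, error: "emails must be a non-empty array" };
  }
  // Reject oversized requests outright instead of silently truncating them.
  if (list.length > MAX_PER_REQUEST) {
    return { ok: false, status: 400, error: "too many recipients" };
  }
  const valid = (e) => typeof e === "string" && e.length <= 254 && EMAIL_RE.test(e);
  if (!list.every(valid)) {
    return { ok: false, status: 400, error: "invalid email address" };
  }
  // Deduplicate so one address repeated three times counts once.
  const recipients = [...new Set(list.map((e) => e.toLowerCase()))];

  let entry = usage.get(clientKey);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    entry = { windowStart: now, sent: 0 };  // window expired: start a new one
  }
  if (entry.sent + recipients.length > MAX_PER_WINDOW) {
    return { ok: false, status: 429, error: "invite quota exceeded" };
  }
  entry.sent += recipients.length;
  usage.set(clientKey, entry);
  return { ok: true, status: 202, recipients };
}

// Constructed input: 1000 scripted submissions from one client in one window.
function countAcceptedInFlood() {
  const usage = new Map();
  let accepted = 0;
  for (let i = 0; i < 1000; i++) {
    const body = { emails: [`friend${i}@example.com`] };
    const r = checkInvite(usage, "user:42", body, 1000 + i);
    if (r.ok) accepted += r.recipients.length;
  }
  return accepted;
}

console.log("emails accepted out of 1000 attempts:", countAcceptedInFlood());
```

In an Express app this check would run inside the POST handler before any mail is queued, with express-rate-limit in front of it as a coarser per-IP throttle.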