← Back to article
Serverless Form Architecture Checklist
Free checklist from our serverless contact form guide
Audit your serverless contact form backend against production-ready architecture, security, and operational standards.
Check your inbox! We sent you a link to the PDF version.
Instructions
Work through each section before deploying your serverless form backend to production. Start with API Gateway and Lambda configuration, then work through storage, email, security, and monitoring layers.
1. API Gateway Configuration
- CORS AllowOrigins restricted to your specific site domains (no wildcards)
- AllowMethods limited to the HTTP methods your API actually uses
- AllowHeaders includes only required headers (Content-Type, x-api-key)
- Stage name configured (not using the default stage)
- Throttling and burst limits reviewed for your expected traffic
- Custom domain name configured with TLS certificate (if applicable)
2. Lambda Functions
- Each function has IAM policies scoped to only the resources it needs
- Runtime is current and supported (not approaching end-of-life)
- Timeout set appropriately for each function's workload
- Memory sized for the function's actual requirements
- Environment variables used for all configuration (no hardcoded values)
- Sensitive parameters use NoEcho in CloudFormation
- Error handling returns safe error messages (no stack traces or internal details)
- ARM64 architecture enabled for cost and performance benefits
3. DynamoDB Design
- Partition key design supports your query patterns without hot partitions
- Sort key enables time-range queries and natural ordering
- TTL enabled with appropriate retention period
- PAY_PER_REQUEST billing mode used for low and variable traffic
- Point-in-time recovery enabled if data loss is unacceptable
- No sensitive data stored without encryption consideration
4. SES Setup
- Sender domain or email address verified in SES
- Production sending requested (out of SES sandbox) if sending to unverified addresses
- SPF, DKIM, and DMARC records configured for sender domain
- Bounce and complaint SNS topics created and connected to SES configuration set
- Email suppression list implemented and checked before every send
- Bounce rate monitored (SES suspends sending above 5 percent)
- Complaint rate monitored (SES suspends sending above 0.1 percent)
5. Rate Limiting and Spam Prevention
- Rate limiting implemented per email, per site, per time window
- Rate limiter is fail-closed (rejects on check failure, not fail-open)
- Honeypot field added to frontend forms (hidden field, no CAPTCHA friction)
- Input validation enforces required fields, types, and size limits
- Schema registry maps submission types to required data fields
- Payload size limits prevent abuse (max keys, max value length)
- Email format validated on both frontend and backend
6. Monitoring and Alerting
- CloudWatch log groups created with defined retention periods
- Structured JSON logging used in all Lambda handlers
- Metric filters track errors, rate limit hits, and successful submissions
- Metric filters track bounces, complaints, and authentication failures
- Alarms configured with appropriate thresholds and evaluation periods
- Alarm notifications delivered to the right team or channel
- Cold start tracking included for performance monitoring
7. Multi-Site Readiness
- Site registry maps site identifiers to per-site configuration
- Schema registry maps submission types to validation rules
- CORS allowlist includes all site origins
- Per-site notification emails configured
- Per-site branding configured for email templates
- Adding a new site requires only config changes (no new infrastructure)
Priority Review
| Component | Risk Level (H/M/L) | Top Finding | Remediation Owner | Target Date |
|---|---|---|---|---|
Found this useful? Read the full article:
Read: Serverless Contact Forms with AWS SAM: Why They Win on Cost, Security, and Simplicity →