Integrating and using forms securely

Last updated:

This article provides you with a guide to integrating forms securely into your website and avoiding typical risks encountered during configuration.

Integrating forms into your website

Secure integration:

  1. Always use HTTPS when integrating your forms.
  2. Use the embedding codes provided without making any changes.
  3. Test your forms in a secure environment before going live.

Keep the following in mind:

  1. Do not use insecure JavaScript methods such as eval() or other dynamically interpreted code execution methods (e.g. Function, setTimeout("...")).
  2. Keep security-relevant scripts out of the global scope – no personal data or security-relevant data should be stored within this scope.
  3. Only use trusted libraries and plugins, because insecure third-party code sources are a weak spot that is frequently exploited by attackers.
  4. Where possible, implement a content security policy (CSP), so as to provide your users with an additional layer of security against insecure browser plugins.

Form configuration

  1. Use anti-bot protection (captchas) for publicly accessible forms. → Captcha
  2. Validate all user input – especially for security-relevant fields or fields with a specific format (e.g. email addresses, phone numbers and numeric values). Validators
  3. Limit file uploads to necessary file types and file sizes. → Upload file

Other security precautions

Feedback

ISO/IEC 27001 Icon
IT-Mittelstand Software Hosted in Germany
IT-Mittelstand Software Made in Germany