The Banyan Theory Blog

Validating Your Forms Are Secure

Posted by Nick

We often receive the following request from our customers:

It’s time for our business insurance policy to renew, and the insurance company says our contact form is not secure. They will not renew our policy unless the form is secured with HTTPS. Can you help?

What your insurance company wants is to make sure any information your customers submit through your website is secure (encrypted in transit, so that anyone who intercepts it cannot read it).

It may appear to the untrained eye that your contact form is not secure, but if we host your website, you can rest assured that it is. If you want to know how you can verify this, whether we host your website or not, continue reading…

1. Is My Contact Form Secure?

If you have an insurance website from Banyan Theory, the answer is yes.

If you have a website from another company, the answer is maybe. (In that case, if you’re interested in getting a high-quality insurance website, check out our design gallery and then get an instant quote.)


2. How Can I Prove It To My Insurance Company?

The easiest way to check whether or not a form is secure is to use our handy Secure Form Checker tool. Simply visit the page on your website that houses the form in question, copy the page URL from the browser’s address bar, paste the URL into our form checker, and click the Check Forms button.

This will check all of the forms that appear on your page.


3. How Can I Prove It Without Using Your Tool?

There are two simple ways of determining whether a form’s data will be submitted securely. This is what your insurance company cares about.

Option 1 – Submit an Empty Form

The easiest way is to try submitting the form without any data in it. After submitting, look at the page’s URL to see whether it begins with http:// or https://. If it’s https://, then the form was probably submitted securely. (See technical explanation and fine print below.)

Option 2 – View the Page Source

A slightly more difficult way is to view the source of the web page by choosing View > Source (or in a modern browser like Chrome, Safari, or Firefox, right-click on one of the form’s fields and choose “Inspect Element” from the menu that appears). Then, find the <form> tag and look at its action attribute. A simple form may look something like this:

<form action="https://agency.com/go">
  <input type="text" name="email_address"/>
  <button type="Submit">Sign Up</button>
</form>

Let’s assume the form above is at http://agency.com/contact, a non-secure URL. The form’s action, however, begins with https://, so the form will be submitted securely. (To avoid the possibility of a third party tampering with the page before the form is submitted, the page containing the form should be served over HTTPS.)

Although uncommon, the opposite is also possible: a non-secure form can be placed on a secure page. In this case, even though the page itself is secure, the form data will not be submitted securely.


4. Technical Explanation

When considering technical security issues, things can get confusing until they’re broken down into simpler parts. The part we want to determine here is whether or not a form on a web page will be submitted securely.

First, let’s define what we mean when we say a form will be “submitted securely.” There are two basic ways of submitting a form on a web page: non-securely (also called in the clear), and securely (also called encrypted).

In general, each form has an action attribute, which tells the browser where to send the form data when the form is submitted. If the action starts with http:// the form data will be sent non-securely. However, if the action starts with https:// the data will be sent securely (note the addition of the “s”, which stands for secure).

It’s common to have a form action that does not start with either http:// or https://. In these cases, the browser will obtain the scheme (http:// or https://) from the URL of the page where the form appears and will prepend the scheme (and the host if necessary) to the action.

For example, if you have a form at https://agency.com/contact with an action of /submit, then the form will be submitted securely. (Specifically, the form data will be submitted to https://agency.com/submit.)

The important thing to note about this example is that a form can use the scheme from the page URL, but it doesn’t have to.
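The resolution rules above can be checked mechanically. The following is an added example, not code from Banyan Theory or its Secure Form Checker; the names FormTargets and audit_forms and the sample pages are assumptions made for illustration. It goes slightly beyond the text by also honoring a <base href> tag and formaction attributes on submit controls, both of which change where a form submits.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormTargets(HTMLParser):
    """Collect every place a page's forms can submit to, as the markup declares it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = None          # set by the first <base href>, if present
        self.found = []               # (source, raw action) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base_url is None and a.get("href"):
            self.base_url = urljoin(self.page_url, a["href"].strip())
        elif tag == "form":
            self.found.append(("form", (a.get("action") or "").strip()))
        elif tag in ("button", "input") and a.get("formaction"):
            # A submit control's formaction overrides its form's action.
            self.found.append((tag + " formaction", a["formaction"].strip()))

def audit_forms(page_url, html):
    """Return (source, resolved target URL, is_https) for each submission target."""
    parser = FormTargets(page_url)
    parser.feed(html)
    parser.close()
    base = parser.base_url or page_url
    rows = []
    for source, action in parser.found:
        # A missing or empty action submits to the page's own URL.
        target = urljoin(base, action) if action else page_url
        rows.append((source, target, urlsplit(target).scheme.lower() == "https"))
    return rows

# Constructed sample pages (agency.com is the example host used in the article).
INSECURE_PAGE_SECURE_FORM = '<form action="https://agency.com/go"><input name="email_address"/></form>'
SECURE_PAGE_MIXED_FORMS = """
<form action="/submit"><input name="email_address"></form>
<form action="http://agency.com/legacy"><input name="phone"></form>
<form><input name="q"><button formaction="http://agency.com/alt">Go</button></form>
"""

if __name__ == "__main__":
    for url, html in (("http://agency.com/contact", INSECURE_PAGE_SECURE_FORM),
                      ("https://agency.com/contact", SECURE_PAGE_MIXED_FORMS)):
        for source, target, ok in audit_forms(url, html):
            print(f"{url}: {source} -> {target} [{'HTTPS' if ok else 'NOT ENCRYPTED'}]")
```

Like viewing the page source, this reads only the declared markup, so it cannot see a submission that a script redirects elsewhere.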

Now for the fine print. Although not likely and not very common, it’s possible for a website to use JavaScript to submit a form’s data to somewhere other than the form’s action. Banyan Theory does not do this. The only way to know for certain whether a form’s data is being submitted securely is to use a network protocol analyzer, which is a software application that runs on your computer and watches network traffic as it comes and goes. When a form is submitted on a website, the analyzer will show you exactly what was submitted and to where. This will tell you with certainty whether the form data was sent securely or not.


5. Questions?

If you have questions about whether a form on your website is secure and our Secure Form Checker tool isn’t getting you everything you need, please feel free to get in touch. If you have general questions or helpful comments, please leave a comment below.
