You Shall Not Pass – Best Practices for Secure Online Forms

Secure online forms are the first line of defense from cyberattacks. We take you through the best practices for immunizing your web forms against threats – the ones we regularly employ to keep our client’s digital assets secure.

Before the internet, scams and data security breaches were primarily physical, such as bank robberies or deceptive phone calls. However, the expansion of the internet has given rise to a new breed of threat: cybercrime

The stakes are high – any individual or company can have their sensitive information, financial assets, or passwords stolen without them even being aware. 

When discussing security exploits, people usually think about database breaches exposing private data such as usernames and passwords or malicious programs downloaded via email. It is a lesser-known fact that most online exploits occur through registration forms, contact forms, surveys, and the like.  

Web forms can easily become a point of entry for malicious actors. They contain several elements that can be misconfigured or misimplemented, potentially granting access to a company’s…well, everything. 

In this article, we will cover both basic and advanced security checks that we perform regularly (and would advise others to do the same) to ensure the online safety of our projects.

Understanding Online Form Security

Misconfigured server settings, failure to escape inputs when storing data in the database, or failure to implement a firewall can all lead to potential exploitation of a web form. It is crucial to take this aspect of online security very seriously and avoid cutting corners.  

To keep our databases and the information they contain safe from attacks, it is essential to prevent hackers from exploiting online forms to access our systems. 

We ensure form security by following the recommendations provided by OWASP Top Ten – it is a great starting point, but you can always do more. 

We rigorously test all our forms to ensure compliance with all ten recommendations, giving particular attention to preventing cross-site scripting, SQL injection, and data serialization vulnerabilities. By taking these measures, we can ensure safe and secure forms for our users.

Best Practices for Secure Online Forms

Implementing reCAPTCHA, Cloudflare, Honeypot

Think of these services as gatekeepers for websites. They verify if you are a real person before allowing you to perform any action, thus preventing robots from causing any trouble. We know pinpointing those bikes or traffic lights can be a hassle, but so is passport control, and it doesn’t prevent you from traveling. 

ReCaptcha and Honeypot work similarly, while Cloudflare uses a slightly different captcha service. It checks all incoming and outgoing requests from your websites, and the best part is that you only need to turn on the feature, and it will take care of the rest.

Input validation and sanitization

One way is by carefully checking the information you provide through forms. This is where input validation comes in. 

Input validation acts like a filter, ensuring the data you enter, like your email address or password, meets specific criteria set by the website. For example, input validation can make sure your email address follows the correct format or that your password is long enough to be secure.

Another important security measure is input sanitization.

Imagine input validation as a bouncer checking IDs at a club. Input sanitization would be a security scanner that ensures those IDs are genuine and not tampered with. 

Input sanitization further cleanses the data you enter, removing any potentially harmful code that could be used to attack the website or steal your information. It helps prevent malicious activities like XSS attacks, where attackers try to inject harmful code disguised as legitimate input.

Finally, a crucial security measure for web applications is the use of nonces. These are essentially unique one-time tokens generated for specific purposes, like protecting against a type of attack called Cross-Site Request Forgery (CSRF). 

CSRF attacks attempt to trick your browser into performing unauthorized actions on a website you’re already logged into. Nonces help prevent this by ensuring that any request sent to the website originates from a legitimate source and not a forged one. While nonces offer significant security benefits, they can sometimes pose challenges with website caching, as their one-time nature makes them incompatible with storing cached data.

Asynchronous data

Traditionally, when you submit a form online, your browser waits for the entire process to complete before displaying anything on the screen. This can lead to lag and a feeling of sluggishness, especially if the submission involves processing a lot of data or interacting with external services. However, with asynchronous data processing, form submissions are handled differently.

Let’s explain this in an example. A synchronous scenario would involve placing an order in a restaurant, waiting for the food to be prepared, eating it, paying, and leaving the restaurant. This can take quite some time, especially if the restaurant is busy. 

On the other hand, when ordering a meal from a delivery service, you place your order, and you can walk your dog, work, take a shower, or do whatever you please while the food is being prepared and delivered. 

This is what we call asynchronous processing. It allows users to continue interacting with the website while the form submission takes place in the background, improving the overall experience.  


Using Application Programming Interfaces (APIs) for form submissions offers additional security benefits. APIs act as communication gateways between different applications, allowing secure data exchange. 

Think of them as designated doors between two buildings. API endpoints, like specific doors within those buildings, can be equipped with additional security measures, such as passwords or access keys, to ensure that only authorized users can access and submit data through these designated channels.

We leverage an API call to handle all form data and uploaded files on our server, ensuring that the data follows a secure and controlled path. 

However, with file uploads often requiring separate API calls, it’s crucial to maintain data integrity. To achieve this, we generate a unique identification code (ID) for each uploaded file. 

The ID acts like a fingerprint, allowing us to compare it to our internal data and confirm its validity. Additionally, we restrict file uploads to occur only on our server, preventing any unauthorized transmission of external files to other services, which further enhances the overall security.

Data encryption

When you submit information through a secure online form, it’s like sending a secret message. To ensure that only the intended recipient can read it, we employ encryption. It’s like writing your message on a special sheet of paper that scrambles the words. Anyone who intercepts the message will see gibberish, making it impossible for them to understand its content.

Encryption works similarly for online forms. When you input sensitive data like credit card numbers or passwords, it gets scrambled using an advanced algorithm, such as the one we use, AES-256-CBC. This algorithm turns your information into an unreadable code, making it virtually impossible for anyone who might intercept it to decipher. 

For an additional layer of protection, we also utilize various hashing options. Hashing is a one-way process like fingerprinting. It creates a unique “fingerprint” of your data that can be used to verify its integrity.

Ensuring secure online forms with real-world testing scenarios

At Infinum, safeguarding your information is paramount. We achieve this through robust security practices, including thorough security testing that goes beyond the typical approach.

Our testing methods encompass real-world scenarios, employing both valid and potentially harmful inputs to uncover vulnerabilities attackers might exploit. These vulnerabilities include:

SQL injection

Injects malicious code disguised as regular input, aiming to manipulate databases and steal information.

Cross-site scripting (XSS)

Hides harmful code within seemingly harmless data, tricking users into unknowingly executing it.

Cross-site request forgery (CSRF)

Forges requests to your browser, attempting unauthorized actions like transferring funds.

By proactively testing for and promptly addressing these vulnerabilities, we ensure the security of your information.

Our focus extends beyond secure forms, meticulously examining all aspects of our web applications. This includes:

Authentication mechanisms

They allow us to verify user identities and ensure only authorized users can access sensitive information.

Authorization controls

These controls define who can access and modify specific data within the application.

Session management

Secure handling of user sessions to prevent unauthorized access and maintain data integrity.

Data storage practices

We implement best practices for storing and protecting sensitive information, such as encryption.

Furthermore, we conduct stress testing, simulating high user loads, excessive data inputs, and unexpected traffic spikes. These methods help identify potential bottlenecks or failure points before they impact real users, ensuring the reliability of our applications.

By combining these comprehensive testing methods, we strive to create a secure and reliable environment for the users to interact with the applications we build.

Introducing Eightshift Forms – the perfect plugin for secure online forms

We created the Eightshift Forms plugin to simplify creating and managing forms for WordPress websites. Whether you need a simple contact form or a complex multi-step survey, this package provides the flexibility and tools you require to achieve your goals quickly.

We take security seriously and have implemented all the recommended measures mentioned above. In addition, we have added an extra layer of security features, such as rate-limiting form submissions, to prevent simple DDoS attacks, regardless of how the client has configured the server. 

This feature logs every user’s request and counts the number of times the same user has submitted the same form, preventing misuse if the limit threshold has been exceeded. To achieve this, we store the users’ IP addresses and the number of requests made within a given period. To comply with GDPR, we hash all IP addresses to ensure that no “real” user data is contained on our servers.

For more information on this feature, please refer to our documentation.

When the security of web forms is put to the test

edited: May 17, 2024

Incidentally, just one day after we published this blog post, someone launched an attack on our web forms. We know that the attack originated in Poland and began at 5:15 AM, and we know that our web remains intact thanks to the form security measures laid out in this article.

Firewall blocked: ~120 000+ requests

Forms security blocked: ~1500+ requests.

Requests passed: 0.

Secure online forms – your cybersecurity frontline

While online security is a vast and complex topic, web forms present a particularly susceptible element that malicious actors and bots love to target. 

To keep your data secure and your reputation intact, it is essential to follow standard form security practices and not cut any corners. Once you lose the trust of your clients and users, it’s too late. 

Following the approaches described above allows you to be proactive in ensuring security. If you need any help in this regard, check out our cybersecurity services.