6 tips to improve the security of your web forms

6 tips to improve the security of your web forms

One of the main considerations when creating a website is the security of the forms. These can become sensitive points of entry into the system. An insecure form can range from overloading a server to accessing and modifying information stored in a database. Here we list 6 simple steps to ensure that the forms of a web project are protected.


Any form should always send the information of its content using the POST method. With POST, the form values ​​travel hidden to the destination script. If a form uses the GET method, all information on it will be displayed in the address bar of the browser.


It is necessary that the script that is going to process the form information has some way of recognizing that the information actually comes from the form for which it was designed. To do this, you usually use a token or encrypted code that is sent as a hidden field in the form and that the script can decrypt to validate whether it processes or rejects the form.

Most web development frameworks, such as Cake PHP , already integrate the token as an automatic validation in their forms.

CSRF protection

CSRF stands for Cross Site Request Forgery in Spanish. This type of vulnerability tries to send data from a form to a script located on a different website. To avoid this attack you must check the website from which the form comes from. For example, in PHP you can use the variable $ _SERVER [” HTTP_REFERER “] to validate where the information comes from. However, this variable can be modifiable or not provided, so a more reliable way to validate that the form has been sent from the corresponding domain is by using Cookies.

Validations Java script

Validating that the required fields of a form are completed and having an appropriate format and extension greatly improves the user experience and makes it difficult to attack. You must verify that the form fields allow a reasonable amount of characters and that they respect the requested format. For example, using JavaScript, you can limit a field to only support numbers.

There are many libraries for java script that allow to facilitate the validation of a form before its sending. For example Jquery Validate is a plugin of the Jquery library that allows validations of numeric fields and emails in a very simple format. Similarly, Masket Input is another Jquery plugin that not only restricts the type and number of characters supported in an input, but also gives them format as the user types.

Internal Validations

However, browsers allow you to disable JavaScript, which is why it is necessary to validate the fields and their format from the final script. This is important since malicious attacks could try to send code by a form, which when read or deployed could run and cause serious problems. This type of attack is known as XSS or Cross Site Scripting. In PHP, for example, a simple line of code would allow you to filter an entry depending on whether you want to receive text or html code:

// assuming that $ entry saves the value sent by the form // $ entry_txt will store a string of secure text $ input_txt = htmlentities (trim (strip _tags (strip slashes ($ entry)), ENT_NOQUOTES, “UTF-8”); // in this case $ entry_html will store a string with html $ entry_html = strip_tags (htmlentities (trim (stripslashes ($ entry)), ENT_NOQUOTES, “UTF-8”);


A captcha is a distorted image that contains a code that the user must read and enter in a field of the form. The idea is that being an image and being distorted will prevent malicious code from sending attacks on the form.

They are simple steps, simple validations that can save you money and many headaches.