If you collect private data through online web forms, the security of those forms should be paramount. Failing to take form security seriously can lead to a myriad of problems, up to and including being locked out of your own website. Any form that collects data is a potential target for people looking to steal that data. Below are some tips to keep your data secure.
Do not use revealing error messages
There is a fine line between giving a friendly error message when incorrect information is entered into the form and helping a hacker know what to do next. For example, if you say “password does not match”, you are telling potential crooks that the username is most likely correct and that the password is the field to keep trying. A better message is “Username and password do not match”.
Test your forms
Make sure to test your forms by entering every character on the keyboard, and potentially double-byte characters as well. Also test against at least the OWASP Top 10 vulnerabilities.
Monitor failed attempts
A great way to thwart hacking attempts is to limit failed form attempts to 3-5 tries, no matter what data the form collects. It is very common for attempts to be made on lead generation forms, login forms and even username/password recovery forms with the aim of reaching your database. Be aware that even if the form does not let an attacker access the data directly, it can leave hints in the form of error messages that give insight into where the data is stored. Common examples are the server directory location, the database type, or the web services running on the server.
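The two tips above (a generic "username and password do not match" message and a cap on failed attempts) combined in a small login handler. This is an added example, not code from the original post; the user store, salt, and the limit of 5 attempts are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are never plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo user store (hypothetical): username -> (salt, password hash)
_ALICE_SALT = b"constructed-demo-salt"
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}
_DUMMY_SALT = b"constructed-dummy-salt"   # used for unknown users (see below)

MAX_FAILED_ATTEMPTS = 5                   # within the 3-5 tries the article suggests
GENERIC_ERROR = "Username and password do not match"   # never says which field failed
LOCKED_ERROR = "Too many failed attempts; try again later"

# username -> consecutive failed logins (in-memory for the demo)
failed_attempts = defaultdict(int)

def login(username: str, password: str) -> tuple[bool, str]:
    """Return (success, message). The message never reveals which field was wrong."""
    if failed_attempts[username] >= MAX_FAILED_ATTEMPTS:
        return False, LOCKED_ERROR
    record = USERS.get(username)
    # Hash the candidate even for unknown usernames, so response time does not
    # reveal whether the account exists (a revealing-error channel of its own).
    salt, stored = record if record is not None else (_DUMMY_SALT, None)
    candidate = _hash_password(password, salt)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        failed_attempts[username] += 1     # the failure is counted, not explained
        return False, GENERIC_ERROR
    failed_attempts[username] = 0          # reset the counter on success
    return True, "Welcome"

if __name__ == "__main__":
    print(login("alice", "wrong"))         # generic message
    print(login("nobody", "wrong"))        # identical message for unknown user
    print(login("alice", "correct horse")) # success
```

Counting failures per account alone lets someone lock out a legitimate user on purpose, so real deployments usually combine this with a time window and per-source limits.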
Use a professional service
If you are not tech-savvy at building and testing forms, then consider using a professional service such as Wufoo. Companies like Wufoo are dedicated to building forms and have teams in place for security, taking the burden off your shoulders. You should still test your forms and follow the other tips in this article.
Avoid free scripts available online
Do you know exactly what that free script you downloaded does? Are you able to read the code and say “I know what is going on here”? If the answer is no, then you should probably avoid using the script for any type of data collection or storage. People who know how to read the script have the same access to it as you do, including the installation instructions, and that may serve as a roadmap into your server and the private data you collected with the form.
Don’t be afraid to generate leads using web forms; just be very careful about it and test everything.
Image Credit: CarbonNYC