Forms are one of the main sources of security and spam problems on websites and web applications, because they are the primary way in which users enter data into an application. An insecure form can lead to a variety of problems: during the processing of the submitted data, by adding spam to the website, or by abusing the server's email delivery system, to name just a few examples.
It is therefore important to pay special attention to forms in order to mitigate the most common problems. There are several mechanisms we can use to increase form security, and we will look at them in this post.
One of the major problems with forms is that bots submit data to them, probing for and exploiting any vulnerabilities they detect. It is therefore essential to make sure that it is really humans who are interacting with our forms. This can be done by incorporating a suitable captcha system. There are several alternatives on the market, but many disappear as quickly as they appear. One that has survived and that we can trust is reCaptcha, a service offered by Google. It is a very user-friendly system that is often validated by simply ticking a checkbox. We have all seen the reCaptcha interface on websites dozens of times. It looks something like this:
The reCaptcha security system for forms is free in most cases. It requires registration to obtain a pair of keys: the site key and the secret key. We can do this easily in the «Admin Console» section of the reCaptcha website. Once registered with the service and having registered the website, we have to do the programming to integrate it into our system, although sometimes it is as simple as configuring the corresponding plugin in our CMS.
There are dozens of plugins for adding reCaptcha to WordPress. One of the most feature-rich and highly rated is Advanced noCaptcha & invisible Captcha. If we are developing in PHP it is also perfectly possible to integrate reCaptcha by hand, but building on a package such as No-Captcha reCaptcha makes it easier.
Avoid CSRF attacks
Another of the evils of forms is CSRF (Cross-site request forgery) attacks, which occur when POST requests are made from other domains; attackers exploit this to hijack open sessions on the targeted sites. CSRF protection is generally based on a token, which is validated before the information coming in via a POST request is accepted for processing. The majority of frameworks (Laravel and Symfony among them) include anti-CSRF protection by default, which is another reason to use them.
WordPress also has protection against this kind of attack, but it is important that your plugin actually uses it; otherwise your forms will remain exposed to this common vulnerability. To improve the security of contact forms we recommend using a well-known plugin, such as Contact Form 7, to ensure better security standards.
If you develop in PHP and are not very confident about securing forms, we recommend relying on an open source package that provides you with a robust code base. In this sense, a good tool for generating forms, for both the client side and the server side, is Nette Forms.
Validation and sanitisation
Of course, if you are the one programming the site, you need to take into account the procedures required to ensure that the received information is correct and does not cause a problem. For this it is important to validate and sanitise. PHP offers a series of filters to sanitise the data received via the POST and GET methods. You can consult them on the sanitisation filters page. See also the validation filters page.
If you are programming for WordPress, the Codex offers a full page dedicated to filtering and sanitising functions.
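As an added illustration of the two hand-coded measures discussed above (the CSRF token check and validation/sanitisation with PHP's filter functions), here is a small PHP form handler. It is example code written for this post, not code from any of the plugins or packages mentioned; the field names (name, email, age) and the length and range limits are assumptions.

```php
<?php
// Added example: per-session CSRF token plus filter-based validation.
// Field names and limits are illustrative assumptions.
session_start();

// Issue one random token per session; the same token is embedded in every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak the token via timing.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }

    // Validate first (reject what is wrong), then sanitise what is kept.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $age   = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1, 'max_range' => 120]]);
    // Raw text is kept as-is here and escaped on output (FILTER_SANITIZE_STRING
    // is deprecated since PHP 8.1, so escaping at output time is preferred).
    $name  = trim(filter_input(INPUT_POST, 'name', FILTER_UNSAFE_RAW) ?? '');

    $errors = [];
    if ($email === false || $email === null)    $errors[] = 'email';
    if ($age === false || $age === null)        $errors[] = 'age';
    if ($name === '' || mb_strlen($name) > 100) $errors[] = 'name';

    if ($errors) {
        http_response_code(422);
        exit('Invalid fields: ' . implode(', ', $errors));
    }
    // ... process $name, $email and $age (e.g. via a prepared statement) ...
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input name="name"> <input name="email"> <input name="age" type="number">
  <button>Send</button>
</form>
```

A request that arrives without the session's token (which is what a cross-site form post looks like) is rejected with 403 before any field is even inspected.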