HIGH

Insecure Forms and Data Submission

Description

Forms that submit sensitive data over insecure connections or lack proper security controls can expose user information to attackers. This includes password fields over HTTP, missing CSRF protection, and inadequate input validation.

When forms are submitted over HTTP (not HTTPS), data is transmitted in plain text. Attackers on the network can intercept this traffic and steal passwords, credit card numbers, and other sensitive information.

Missing CSRF (Cross-Site Request Forgery) protection allows attackers to trick authenticated users into performing unwanted actions, such as changing account settings or making unauthorized transactions.

Potential Impact & Risks

  • Password theft and credential stealing
  • Man-in-the-middle attacks
  • Cross-Site Request Forgery (CSRF) attacks
  • Session hijacking
  • Data tampering and manipulation
  • Account takeover

Remediation

Immediate Actions

1. Enable HTTPS for the entire website (not just login pages)

2. Add an HSTS header to force HTTPS

3. Implement CSRF protection on all forms


Form Security Checklist

1. **Use HTTPS**: All forms must submit over encrypted connections

2. **CSRF Tokens**: Include anti-CSRF tokens in all state-changing forms

3. **Input Validation**: Validate and sanitize all input server-side

4. **SameSite Cookies**: Set SameSite=Strict or Lax on session cookies

5. **Secure Attributes**: Set the Secure and HttpOnly flags on cookies

6. **Content Security Policy**: Implement strict CSP headers

7. **Rate Limiting**: Throttle login and other sensitive endpoints to slow brute-force attempts

8. **Autocomplete Off**: Disable on sensitive fields

Code Examples

<!-- ❌ BAD - Insecure form: submits over plain HTTP, no CSRF token -->
<form action="http://example.com/login" method="POST">
  <input type="password" name="password">
</form>

<!-- ✅ GOOD - Secure form: HTTPS action, anti-CSRF token, autocomplete disabled -->
<form action="https://example.com/login" method="POST">
  <input type="hidden" name="csrf_token" value="{{csrfToken}}">
  <input type="password" name="password" autocomplete="off">
</form>

// Backend validation (Express-style; validateCSRF, rateLimit and authenticateUser are middleware/helpers the app supplies):
app.post("/login", validateCSRF, rateLimit, async (req, res) => {
  // CSRF token already verified by the validateCSRF middleware; now validate input server-side
  const { username, password } = req.body;
  if (typeof username !== "string" || typeof password !== "string")
    return res.status(400).json({ error: "invalid input" });
  // Authenticate user
  const user = await authenticateUser(username, password);
  if (!user) return res.status(401).json({ error: "invalid credentials" });
  res.json({ ok: true });
});