Securing Web Forms

Drupal Version

If not properly secured, forms can easily be used by hackers and automated "bot" programs to gain access to information within our sites, deface a site, or or even gain access to all the sites on a shared server.  The following is a non-exhaustive list of tips for making any web-based form more secure.

Form Safety Tips

  • Never ask for sensitive information or information you don't need. Examples include birth date, credit card number, student data (including GTID), and other sensitive data.
  • Protect your form with CAS login (for campus) or with CAPTCHA (for people without GT accounts).
  • Remove old data and forms.
  • Regularly archive and then delete old submissions and forms
    • Go in every month or semester and download the old submissions to a spreadsheet, and then delete those submissions from the website.
    • Close or remove web forms when they are no longer in use.
  • Use SSL / HTTPS for your site.