Form Security
Critical SeverityWhat This Check Measures
This check detects whether HTML forms exist on pages served over HTTP (non-encrypted connections). Forms on HTTP pages expose user input to interception.
Why It Matters
- Credential Theft — Login forms on HTTP expose usernames and passwords
- Payment Data — Credit card forms without HTTPS violate PCI-DSS compliance
- Personal Information — Contact forms leak email addresses, phone numbers, addresses
- Man-in-the-Middle Attacks — Attackers can capture or modify form submissions
How Data Is Obtained
Source File
src/checks/safety.check.js
Function
SafetyCheck.analyze(url)
Inputs
- url — To check if HTTPS is used
- response.data — HTML content from the HTTP response
Detection Logic
// Check for forms on non-HTTPS pages
const hasFormWithoutHttps = response.data?.includes('form')
&& !url.startsWith('https://');
checks.push({
name: 'Form Security',
status: hasFormWithoutHttps ? 'fail' : 'pass',
description: hasFormWithoutHttps
? 'Forms detected on non-HTTPS page'
: 'Forms properly secured or no forms detected',
severity: 'critical'
});Libraries
axios— Used to fetch the page HTML viaresponse.data
Status Values
| Status | Condition | Meaning |
|---|---|---|
| pass | HTTPS is used OR no forms found | Forms are secure or the page doesn't collect user input. |
| fail | HTTP + forms detected | User data submitted via forms can be intercepted. Critical risk. |
Severity: Critical
This check has critical severity because:
- Forms typically collect sensitive user data
- HTTP transmission exposes this data to anyone on the network
- Even "harmless" forms can leak personal information
- Users expect their input to be protected
Impact on Category Score
As a critical severity check, a fail status significantly reduces the overall Safety & Threats score.
Limitations
Detection Limitations
- Uses simple string matching (
includes('form')) - May false-positive on pages mentioning "form" in text content
- Doesn't check individual form
actionURLs - Doesn't detect JavaScript-generated forms