Form Spoofing

The website Php.Net offers this important perspective (a new window or tab will open):

The Internet is filled with people trying to make a name for themselves by breaking your code, crashing your site, posting inappropriate content… . Many cracking programs do not discern by size, they simply trawl massive IP blocks looking for victims. Try not to become one.

Form spoofing is one of the easier ways to be victimised by criminals online.

Websites use forms to collect information. Your website, for example, may have a contact form to collect a user’s email address, after which it will send an email to someone in your community. Most contact forms simply have a place to input text. Some may use buttons or checkboxes to collect additional input.

Email contact forms are common, convenient, and do add some level of security. They can, however, be much more secure – and they should be.

A completely secure system is impractical, and so it is probably impossible. Are you going to install biometric validations, such as retinal scans or fingerprints? Likely not – and even if you did, a relatively simple form might take 10 minutes to fill out. It’s impractical, and so it is probably impossible.

You need to balance usability and risk, but it’s reasonably simple to spoof a form — and reasonably easy to target harden the form.

Security By Design

Your obligation to your users is to make form spoofing extremely difficult. It’s vital that your contact form be designed to produce maximum security with minimal inconvenience.

  • Some contact forms permit users to email multiple contacts. Avoid this.

Your user can only send a single email on the form. Permitting multiple contacts from the same form simply sends one email to many people. Where is the convenience in this?

  • Your content management system has form design options. Use these with caution.

Form design plugins are amazing technologies. Coding for security, however, is not necessarily a top-of-mind consideration. Speak to your IT expert to assess whether additional PHP scripting should be added to make the form more secure.

Security By Obscurity

In other contexts, this should be avoided. In this discussion, however, security by obscurity simply means that your forms use a practical, unobtrusive security system to let the user simply fill out the form and move on.

Complexity can invite security breaches: inconvenience is something users will try to find a way to overcome, even if it makes them safer.