Driscoll Web Development Blog

Get information, tools, news, tips, and more from the expert web developers at Driscoll Web Development.


Friday, November 30, 2007

4 Ways to Keep Your Forms Safe

It's every webmaster's deepest fear, and as developers we hear about it more and more each day: brute force attacks on online forms that litter websites, databases, blogs, forums, and inboxes with unwanted Spam. From the webmaster's perspective it's both tedious and costly to remove database records and blog/forum comments that promise everything from free Viagra to... well, things we won't even mention here. And, not only do these Spam attacks cause eyesores in visual content, they also eat up bandwidth and storage space - both precious commodities these days.

Here are some ideas for webmasters and web developers to implement in order to keep their forms from becoming targets for Spam attacks.

1. Validate Form Input on the Server
This seems like an obvious step to take, but there are still many websites out there that do not implement server-side validation of form input. Web developers often complain that server-side validation impedes usability and page flow by adding an extra step to the form-filling process, but the rise of AJAX has rendered that complaint all but obsolete. Technologies such as AJAX make it possible to communicate with the server in real time (as the form is being filled), so form inputs can be validated on the server without causing headaches for the end user. We recommend using regular expressions to search for unwanted input.
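As an added illustration of the server-side check described above (example code written for this post, not from Driscoll Web Development), here is a validator for an assumed contact form with name, email and message fields. The field rules, the link limit and the maximum message length are assumptions for the example; the same function should run on the final POST regardless of whether an AJAX call already ran it while the form was being filled, since the browser-side round trip is a usability aid and not a control.

```python
import re

# Assumed rules for a contact form with name, email and message fields.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{1,59}$")   # 2-60 characters, letters and simple punctuation
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)  # counts link-like fragments in free text
MAX_MESSAGE_LEN = 2000   # assumed limit
MAX_LINKS = 2            # assumed limit; spam posts are typically link-heavy


def validate_submission(fields: dict) -> list:
    """Return a list of error strings; an empty list means the submission passes.

    Every field is stripped and then matched with fullmatch(), so there is no
    partial match that a crafted value could slip past.
    """
    errors = []
    name = fields.get("name", "").strip()
    email = fields.get("email", "").strip()
    message = fields.get("message", "").strip()

    if not NAME_RE.fullmatch(name):
        errors.append("name: must be 2-60 letters, spaces, apostrophes, dots or hyphens")
    if not EMAIL_RE.fullmatch(email):
        errors.append("email: not a valid address")
    if not message:
        errors.append("message: required")
    elif len(message) > MAX_MESSAGE_LEN:
        errors.append(f"message: longer than {MAX_MESSAGE_LEN} characters")
    elif len(URL_RE.findall(message)) > MAX_LINKS:
        errors.append(f"message: more than {MAX_LINKS} links")
    return errors


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, one typical link-stuffed spam post.
    good = {"name": "Ada Lovelace", "email": "ada@example.com",
            "message": "Hello, I'd like a quote for a small site."}
    spam = {"name": "x", "email": "not-an-email",
            "message": "cheap pills http://a.example http://b.example http://c.example"}
    print("good:", validate_submission(good) or "accepted")
    print("spam:", validate_submission(spam))
```

The validator returns a list rather than a boolean so the AJAX response can show the user which field to fix, while the final POST handler simply rejects any submission whose list is non-empty.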

2. Implement CAPTCHA Verification on Your Form
CAPTCHA, short for "Completely Automated Public Turing test to tell Computers and Humans Apart", is quickly becoming the de facto standard for protecting forms against brute force attacks. The method typically involves an image containing heavily distorted text on a "noisy" background (see image below). The way the image is rendered prevents computers from identifying the character sequence, whereas a human can easily see that the words are "following" and "finding."

We subscribe to the DRTW principle when it comes to this topic, so we highly recommend implementing a third-party CAPTCHA solution on your form rather than trying to code it yourself (freeCap, available from pureMango, is our favorite). However, if you're really in an ultra-nerd mood and want to see how it's done, we recommend taking a look at this article.
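Even with a third-party library drawing the image, the server still has to keep track of which challenge it issued and check the answer correctly. The following is an added example (not code from this post, freeCap or pureMango) of that bookkeeping: the library is assumed to render the answer string into the image, and the browser only ever receives the challenge id. The five-minute lifetime and the look-alike-free alphabet are assumptions for the example.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed)
# Alphabet without easily confused glyphs (0/o, 1/l/i) so the image is readable by humans.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


class CaptchaStore:
    """Server-side record of outstanding challenges, keyed by an unguessable id."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # challenge_id -> (answer, expires_at)

    def issue(self, length: int = 6):
        """Create a challenge. Returns (challenge_id, answer).

        The answer goes only to the image renderer (e.g. a library such as freeCap);
        the id is what the form carries in a hidden field.
        """
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._clock() + CHALLENGE_TTL)
        return challenge_id, answer

    def verify(self, challenge_id: str, response: str) -> bool:
        """Check a submitted answer. Each challenge can be checked exactly once."""
        # pop() removes the record whether or not the answer is right, so the same
        # image cannot be guessed at repeatedly or replayed after a success.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False
        answer, expires_at = record
        if self._clock() > expires_at:
            return False
        # Case-insensitive, constant-time comparison of the expected and submitted text.
        return hmac.compare_digest(answer.encode(), response.strip().lower().encode())


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer = store.issue()
    print("issued", cid, "-> image would show", answer)
    print("correct answer accepted:", store.verify(cid, answer.upper()))
    print("same challenge reused:", store.verify(cid, answer))
```

Two details matter in practice: the answer is never sent to the browser in any form (not even hashed or encrypted in a hidden field), and a challenge is consumed on its first verification attempt, so the form must request a fresh image after any failed submission.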

3. Make Your Form Un-searchable
If the page that contains your form shows up in search engine results, you're pretty much asking to be spammed. There are four things that you can do to get your forms out of search engine results:
  • Add a <meta> tag to the <head> of the page to keep search engines from indexing your form page.
  • Create a robots.txt file and upload it to the root directory of your web server to keep search engines from indexing your form page.
  • Remove all <url> elements from your sitemap that contain references to your form page.
  • Request that the specific URL for your form page be omitted from search results (See Yahoo! SiteExplorer and/or Google Webmaster Tools for more information on this).
Of course, many webmasters and business owners bristle at the idea of making their forms "invisible" to the eyes of potential visitors, but in our opinion the benefits of doing this outweigh the risks of being spammed.

4. Make Your Form Load Dynamically
The idea of loading page content dynamically from a database or script when the page loads is certainly not a new one. However, when it comes to forms, most developers hard-code the form elements into the page. A dynamically loaded page is nearly impossible to cache, and that makes it nearly impossible for attackers to find (the attacker's user agent would have to load the page in order to discover the form).
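Tips 3 and 4 above fit together in one small server. The following is an added example written for this post (not the blog's own code) as a plain WSGI application: `/robots.txt` disallows the form page, the page itself carries a robots `<meta>` tag, and the form markup is not in the page at all but is fetched by a script from a separate endpoint that is served with `Cache-Control: no-store`. The paths `/contact`, `/contact/form` and `/contact/submit` are assumed for the example.

```python
from wsgiref.simple_server import make_server

FORM_PATH = "/contact"                # assumed URL of the form page
FORM_FRAGMENT_PATH = "/contact/form"  # assumed endpoint that returns only the form markup

# Tip 3, option 2: keep well-behaved crawlers away from the form page.
ROBOTS_TXT = f"User-agent: *\nDisallow: {FORM_PATH}\n"

# Tip 3, option 1 (the <meta> tag) plus tip 4: the page contains no <form> element,
# only a placeholder that the browser fills by fetching the fragment after load.
PAGE_HTML = f"""<!DOCTYPE html>
<html><head>
<meta name="robots" content="noindex, nofollow">
<title>Contact us</title>
</head><body>
<div id="form-slot">Loading form...</div>
<script>
fetch("{FORM_FRAGMENT_PATH}", {{cache: "no-store"}})
  .then(r => r.text())
  .then(html => {{ document.getElementById("form-slot").innerHTML = html; }});
</script>
</body></html>
"""

FORM_HTML = """<form method="post" action="/contact/submit">
<label>Name <input name="name"></label>
<label>Email <input name="email" type="email"></label>
<label>Message <textarea name="message"></textarea></label>
<button type="submit">Send</button>
</form>
"""


def respond(start_response, status, ctype, body, no_store=False):
    """Encode the body and emit headers; no_store marks a response as uncacheable."""
    data = body.encode("utf-8")
    headers = [("Content-Type", ctype + "; charset=utf-8"),
               ("Content-Length", str(len(data)))]
    if no_store:
        headers.append(("Cache-Control", "no-store"))
    start_response(status, headers)
    return [data]


def app(environ, start_response):
    """Minimal WSGI app serving the robots file, the form page and the form fragment."""
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        return respond(start_response, "200 OK", "text/plain", ROBOTS_TXT)
    if path == FORM_PATH:
        return respond(start_response, "200 OK", "text/html", PAGE_HTML)
    if path == FORM_FRAGMENT_PATH:
        return respond(start_response, "200 OK", "text/html", FORM_HTML, no_store=True)
    return respond(start_response, "404 Not Found", "text/plain", "not found\n")


def call(path):
    """Invoke the app directly (no network); returns (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


if __name__ == "__main__":
    for p in ("/robots.txt", FORM_PATH, FORM_FRAGMENT_PATH):
        status, headers, body = call(p)
        print(p, status, headers.get("Cache-Control", ""), "<form" in body)
    make_server("127.0.0.1", 8000, app).serve_forever()
```

One caveat when combining the two robots controls: a `Disallow` rule stops a compliant crawler from fetching the page at all, so it never sees the `<meta>` tag, and a search engine can still list a disallowed URL it learned from a link elsewhere. Choose the mechanism that matches the goal (the `<meta>` tag or an equivalent `X-Robots-Tag` header to keep the page out of the index, `robots.txt` to stop it being crawled). None of this hides the form from a bot that already knows the URL and runs scripts, which is why the validation and CAPTCHA steps remain necessary.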

It is difficult to guarantee the safety of online forms against malicious attacks. As much as we use new technologies and coding practices in our work, those who seek to do us harm are learning those same technologies in an attempt to find ways to exploit them. So, while these four tips will go a long way toward keeping Spam attacks off your website, you should always be looking for new and different ways to secure your forms from attack.

-DWD Staff
