  • Forms Should be Saved Securely Since They Might Contain API Keys

    Asked by NACUMS_org on April 14, 2014 at 10:55 AM

    I was reading about the Heartbleed Vulnerability on secure sites and wondered about JotForms.  When we log into our accounts with our user names and passwords, is this information transfer protected in any way?  What about when we are designing forms and using the payment wizard to establish a payment method?  In this case, we are required to enter our API Login ID and Transaction Key information?

  • JotForm Support

    Answered by EltonCris on April 14, 2014 at 12:17 PM

    Hi,

    Thank you for asking. Although we aren't attacked, all Jotform servers have already been patched against the vulnerable OpenSSL called Heartbleed. This was performed right after the news went viral last week. In short, we are clean against Heartbleed.

    You can run a test here: http://filippo.io/Heartbleed/#secure.jotform.com

    Regards!

  • Answered by NACUMS_org on April 14, 2014 at 12:39 PM

    Thank you, but Heartbleed only started me thinking about security.  My two questions were more specific.

    1.  When we log into our accounts with our user names and passwords, is this information transfer protected in any way?

    2.  What about when we are designing forms and using the payment wizard to establish a payment method?  In this case, we are required to enter our API Login ID and Transaction Key information?

    In both instances, I don't see any SSL link saying that my passwords and credit card merchant codes are being transferred to JotForms or imbedded into my payment wizard in a secure manner. I understand that people using my forms are transmitting information securely, but what about the confidential information I transmit to build my forms?

  • Answered by jedcadorna on April 14, 2014 at 02:01 PM

    1.  When we log into our accounts with our user names and passwords, is this information transfer protected in any way?

    Your username and password are encrypted and accessed from our database, and I believe our Cloud Server provider uses high-grade encryption to protect your data. We use Cloudflare as our hosting provider.

    2.  What about when we are designing forms and using the payment wizard to establish a payment method?  In this case, we are required to enter our API Login ID and Transaction Key information?

    Jotform doesn't hold any credit card information on our servers. What we do is link your payment form to any of the payment processors available on our site. That's what the API does: it uses your API credentials from, e.g., PayPal to link your payment from Jotform to PayPal, so no sensitive information is exposed here.

    To make your form more secure, you can always use our SSL submissions. Take note that SSL submissions differ per package; if you have questions about the package per plan, you can go to our pricing page: http://www.jotform.com/pricing.

  • Answered by NACUMS_org on April 14, 2014 at 03:25 PM

    Let me try one more time on question 2.  I am not asking anything about SSL and form submissions.

    Specifically, my question is:  As I am designing a form with the payment wizard using Authorize.net, I have to fill in my payment wizard account information.  I am including both my API login ID and my Transaction Key Code.  Both of these pieces of information are quite sensitive.  Since this form design process is not over an SSL link, how is this information protected from interception when I click the finish button?

    Please Note:  This question regards form design, not form submission.

  • JotForm Support

    Answered by Mike_T on April 14, 2014 at 04:57 PM

    I think that you are right, and in theory if someone is sniffing your network traffic they might be able to see the form properties with sensitive data.

    That is why we recommend using an SSL version of the website when you work with sensitive information:

    https://www.jotform.com/

    This way you will be protected.

    Also, I will submit a ticket to our Dev Team to see if we should do anything about the regular version of the website.

    Thank you.

  • Answered by NACUMS_org on April 14, 2014 at 05:13 PM

    Thank you, Mike.  I never realized that this was available.  I feel much better.

  • JotForm Support

    Answered by Mike_T on April 14, 2014 at 05:14 PM

    You are quite welcome. We will also let you know if we have any updates on this.

  • JotForm Founder

    Answered by aytekin on April 15, 2014 at 09:50 AM

    The login is done over SSL, but the form builder saving is not done over a secure server. So, thanks for bringing this to our attention. I have opened a ticket about this.

  • JotForm Founder

    Answered by aytekin on April 15, 2014 at 09:51 AM

    By the way, in case the support team has not mentioned it, you can always use https://www.jotform.com (https as opposed to http) to make sure everything is secure.
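
The gap discussed in this thread (login sent over SSL, form-builder saves sent without it) can be checked for in a captured request log. The following is an added example, not JotForm code and not part of any post above; the host `forms.example`, the paths, the field names and the sample requests are all constructed assumptions.

```javascript
// Added example (not JotForm code). Field-name patterns, host and requests are constructed.
const SENSITIVE = /pass(word)?|api[_-]?login|transaction[_-]?key|api[_-]?key|secret|token/i;

// Recursively collect sensitive-looking key names from a parsed JSON body.
function walk(value, names) {
  if (value === null || typeof value !== "object") return;
  for (const [key, child] of Object.entries(value)) {
    if (SENSITIVE.test(key)) names.add(key);
    walk(child, names);
  }
}

// Names of sensitive fields found in the query string or request body.
function sensitiveFields(req) {
  const names = new Set();
  const type = (req.contentType || "").toLowerCase();
  for (const key of new URL(req.url).searchParams.keys()) {
    if (SENSITIVE.test(key)) names.add(key);
  }
  if (req.body && type.includes("application/x-www-form-urlencoded")) {
    for (const key of new URLSearchParams(req.body).keys()) {
      if (SENSITIVE.test(key)) names.add(key);
    }
  } else if (req.body && type.includes("application/json")) {
    try { walk(JSON.parse(req.body), names); } catch { /* unparseable body: skip */ }
  }
  return [...names].sort();
}

// Requests that would expose those fields to anyone able to observe the network path.
function cleartextSecrets(requests) {
  return requests
    .map((req) => ({ url: req.url, fields: sensitiveFields(req) }))
    .filter((hit) => new URL(hit.url).protocol === "http:" && hit.fields.length > 0);
}

const builderSave = JSON.stringify({
  formId: "1",
  payment: { gateway: "authorize.net", apiLoginId: "CONSTRUCTED", transactionKey: "CONSTRUCTED" },
});
const captured = [
  { url: "https://forms.example/login", contentType: "application/x-www-form-urlencoded",
    body: "username=alice&password=CONSTRUCTED" },
  { url: "http://forms.example/builder/save", contentType: "application/json", body: builderSave },
  { url: "https://forms.example/builder/save", contentType: "application/json", body: builderSave },
  { url: "http://forms.example/form/1" },
];
console.log(cleartextSecrets(captured));
```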