  • Embedding a secure (HTTPS) form on an insecure (HTTP) website

    Asked by BDH0001 on May 31, 2016 at 08:00 AM

    Good Day,

    2 Questions

    Question 1

    When I embed a form into my HTTP site it obviously shows the user that it is not secure. My question to you is, will the actual data being transmitted to you be encrypted when the user clicks the send button?

    Question 2

    I would actually rather use a link for the form but can't get it to display nicely on mobile phones. The preview in your designer also shows it looking rather stupid. All the fields are shrunk to tiny proportions. I have ticked responsive in the form settings. This makes absolutely no difference.

    Looking forward to your reply.

    Regards, Brian

     

  • JotForm Support

    Answered by Boris on May 31, 2016 at 08:51 AM

    Our forms will submit by using HTTPS as the form's submission page, which means that the form will always try to submit securely.

    However, due to technical reasons and many kinds of attacks that can be carried out against a HTTP website (such as man-in-the-middle inserting malicious scripts into your site), when the form is used on a HTTP website, it can only be considered a fully secure form if the user is using a direct HTTPS link to access that form.

    You can see the direct link to your form by clicking on the Publish button:

    The next best thing is the iFrame embed method, as the iFrame will sandbox the form and prevent most interactions between scripts of the website and scripts of the form:

    https://www.jotform.com/help/148-How-to-get-your-Form-s-Iframe-Code

    Any other embed methods will be vulnerable to attacks that may be performed against a HTTP website, so would not be secure on a HTTP website.

    Since your second question is not related to embedding a form securely on a HTTP website, it has been moved to a separate support thread:

    https://www.jotform.com/answers/850417

    We will be assisting you with that other issue there, shortly. Thank you.

  • Answered by cgl102770 on June 09, 2016 at 11:18 AM

    I'd like to clarify something, because I think I'm reading something different about the security of your forms on a different thread, but maybe I'm misunderstanding things. In this thread below, support is saying that the embedded form will still be "as secure as possible, even if the site isn't HTTPS."

    https://www.jotform.com/answers/405487-How-to-embed-an-SSL-form-with-a-WordPress-plugin

     

    However, this thread seems to be saying that even by doing all of those things, a form on an HTTP site still won't be as secure as a form on an HTTPS site. I'm asking because I'm doing an online mortgage application for a client, and the form asks for things like social security number, etc.

  • JotForm Support

    Answered by Boris on June 09, 2016 at 12:37 PM

    I'm afraid there may be slight confusion, so I'll try to clarify. Our form will always submit the response in a secure manner, which is what my colleague referred to on the other thread - the form response will be submitted over HTTPS even if the form is embedded on a HTTP website.

    That is not the security issue that is being described here. The security issue is that a HTTP website is inherently vulnerable to attacks, which means that a person can perform a man-in-the-middle attack against your HTTP website and steal users' information before it is ever submitted to our servers.

    Our form on its own submits the data securely, but if it is used on an insecure HTTP website, such an insecure HTTP website can be attacked at any time and there is no sensible way for users to detect such an attack. For example, I would recommend reading through the following question on security.stackexchange.com:

    https://security.stackexchange.com/questions/894/are-there-security-issues-with-embedding-an-https-iframe-on-an-http-page

    The first response perfectly describes the vulnerability of HTTP sites. When you embed our secure form on an insecure (HTTP) website, an attacker can easily edit the HTTP website and place anything else instead of our original secure form. They can place their own phishing form instead.

    The above is about the safest way to embed the form, which is the Iframe embed method.

    The problem becomes much worse for the script embed codes, since in that case scripts of the HTTP website can access anything the form itself can. This means that an attacker doesn't need to replace the form when it is embedded in this manner, but merely inject their malicious script that can collect your keystrokes, and know everything you have submitted on our form.

    So while our forms are always trying to be as secure as possible, if embedded on an insecure HTTP website, the form cannot be considered as secure and sensitive data should not be collected there. If your website is HTTP only, then it would be best to use direct links to your secure JotForm forms, rather than embedding them.

    If you need further clarifications, please let us know.
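
The ranking given in the support answers above (direct HTTPS link, then iframe embed, then script embed), applied as an audit of a page's markup. This is an added example, not part of the original thread or JotForm's own code; the `jotform.com` host match, the form ID and the sample URL shapes are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FORM_DOMAIN = "jotform.com"  # assumption: host suffix used to recognise form URLs
# Ranking from the support answers above, for a form used on an HTTP page.
RISK_ON_HTTP = {
    "link": (0, "direct link: the form loads as its own HTTPS page"),
    "iframe": (1, "iframe: isolated from page scripts, but the HTTP page "
                  "can be altered in transit to show a different form"),
    "script": (2, "script embed: page scripts can read what is typed"),
}
TAGS = {"a": ("href", "link"), "iframe": ("src", "iframe"),
        "script": ("src", "script")}

class EmbedFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag not in TAGS:
            return
        attr, kind = TAGS[tag]
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urlparse(urljoin(self.page_url, dict(attrs).get(attr) or ""))
        host = (url.hostname or "").lower()
        if host == FORM_DOMAIN or host.endswith("." + FORM_DOMAIN):
            self.found.append((kind, url.scheme, url.geturl()))

def audit(page_url, html):
    """Return (level, kind, url, reason) tuples, highest risk first."""
    page_is_http = urlparse(page_url).scheme == "http"
    finder = EmbedFinder(page_url)
    finder.feed(html)
    out = []
    for kind, scheme, url in finder.found:
        if scheme != "https":
            out.append((3, kind, url, "form URL is not loaded over HTTPS"))
        elif page_is_http:
            out.append((*RISK_ON_HTTP[kind][:1], kind, url, RISK_ON_HTTP[kind][1]))
        else:
            out.append((0, kind, url, "host page is served over HTTPS"))
    return sorted(out, reverse=True)

# Constructed sample page; the form ID and URL paths are placeholders.
SAMPLE = """<a href="https://form.jotform.com/000000">Apply</a>
<iframe src="https://form.jotform.com/000000"></iframe>
<script src="https://form.jotform.com/jsform/000000"></script>
<script src="/js/site.js"></script>"""
```

Calling `audit("http://example.com/apply", SAMPLE)` lists the script embed first, then the iframe, then the direct link; a protocol-relative `//...` form URL on an HTTP page is reported at the highest level because it resolves to plain HTTP.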