Embedding a secure (HTTPS) form on an insecure (HTTP) website

  • Asked on May 31, 2016 at 08:00 AM

    Good Day,


    2 Questions


    Question 1


    When I embed a form into my HTTP site it obviously shows the user that it is not secure. My question to you is, will the actual data being transmitted to you be encrypted when the user clicks the send button?

    Question 2


    I would actually rather use a link for the form but can't get it to display nicely on mobile phones. The preview in your designer also shows it looking rather stupid. All the fields are shrunk to tiny proportions. I have ticked responsive in the form settings. This makes absolutely no difference.


    Looking forward to your reply.

    Regards, Brian


  • Answered on May 31, 2016 at 08:51 AM

    Our forms will submit by using HTTPS as the form's submission page, which means that the form will always try to submit securely.

    However, due to technical reasons and many kinds of attacks that can be carried out against a HTTP website (such as man-in-the-middle inserting malicious scripts into your site), when the form is used on a HTTP website, it can only be considered a fully secure form if the user is using a direct HTTPS link to access that form.

    You can see the direct link to your form by clicking on the Publish button:

    Next best thing is the iFrame embed method, as iFrame will sandbox the form and prevent most interactions between scripts of the website and scripts of the form:


    Any other embed methods will be vulnerable to attacks that may be performed against a HTTP website, so would not be secure on a HTTP website.

    Since your second question is not related to embedding a form securely on a HTTP website, it has been moved to a separate support thread:


    We will be assisting you with that other issue there, shortly. Thank you.

  • Answered on June 09, 2016 at 11:18 AM

    I'd like to clarify something, because I think I'm reading something different about the security of your forms on a different thread, but maybe I'm misunderstanding things. In this thread below, support is saying that the embedded form will still be "as secure as possible, even if the site isn't HTTPS."



    However, this thread seems to be saying that even by doing all of those things, a form on an HTTP site still won't be as secure as a form on an HTTPS site. I'm asking because I'm doing an online mortgage application for a client, and the form asks for things like social security number, etc.

  • Answered on June 09, 2016 at 12:37 PM

    I'm afraid there may be slight confusion, so I'll try to clarify. Our form will always submit the response in a secure manner, which is what my colleague referred to on the other thread - the form response will be submitted over HTTPS even if the form is embedded on a HTTP website.

    That is not the security issue that is being described here. The security issue is that a HTTP website is inherently vulnerable to attacks, which means that a person can perform a man-in-the-middle attack against your HTTP website and steal users' information before it is ever submitted to our servers.

    Our form on its own submits the data securely, but if it is used on an insecure HTTP website, such an insecure HTTP website can be attacked at any time and there is no sensible way for users to detect such an attack. For example, I would recommend reading through the following question on security.stackexchange.com:


    The first response perfectly describes the vulnerability of HTTP sites. When you embed our secure form on an insecure (HTTP) website, an attacker can easily edit the HTTP website and place anything else instead of our original secure form. They can place their own phishing form instead.

    The above is about the safest way to embed the form, which is the Iframe embed method.

    The problem becomes much worse for the script embed codes, since in that case scripts of the HTTP website can access anything the form itself can. This means that an attacker doesn't need to replace the form when it is embedded in this manner, but merely inject their malicious script that can collect your keystrokes, and know everything you have submitted on our form.

    So while our forms are always trying to be as secure as possible, if embedded on an insecure HTTP website, the form cannot be considered as secure and sensitive data should not be collected there. If your website is HTTP only, then it would be best to use direct links to your secure Jotform forms, rather than embedding them.

    If you need further clarifications, please let us know.
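
Added example, not part of the original thread and not the form provider's code: a small Python audit that classifies how a page references a hosted form, following the ranking given in the answers above (direct HTTPS link, iframe embed, script embed). The hostname `forms.example`, the URLs and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FORM_HOST = "forms.example"  # assumption: placeholder for the form provider's host
# Constructed sample page body; every URL here is made up for the example.
SAMPLE = """
<a href="https://forms.example/12345">Apply via direct link</a>
<iframe src="https://forms.example/12345"></iframe>
<script src="https://forms.example/embed/12345.js"></script>
<script src="//forms.example/embed/12345.js"></script>
<script src="/static/site.js"></script>
"""

class EmbedFinder(HTMLParser):
    """Collect <a>, <iframe> and <script> elements that point at FORM_HOST."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "iframe", "script"):
            return
        target = dict(attrs).get("href" if tag == "a" else "src")
        if not target:
            return
        url = urljoin(self.page_url, target)  # resolves relative and // URLs
        if urlparse(url).hostname == FORM_HOST:
            self.found.append((tag, url))

def audit(page_url, html):
    """Return (tag, url, verdict) for each reference to the hosted form."""
    page_is_https = urlparse(page_url).scheme == "https"
    finder = EmbedFinder(page_url)
    finder.feed(html)
    results = []
    for tag, url in finder.found:
        if urlparse(url).scheme != "https":
            verdict = "insecure-form-url"  # the form itself would load over HTTP
        elif tag == "a":
            verdict = "direct-link"        # user lands on the HTTPS form page
        elif page_is_https:
            verdict = "embed-on-https"
        elif tag == "iframe":
            verdict = "iframe-on-http"     # kept apart from page scripts, replaceable in transit
        else:
            verdict = "script-on-http"     # page scripts share the form's context
        results.append((tag, url, verdict))
    return results
```

The protocol-relative `//forms.example/...` reference inherits the page's scheme, so on an HTTP page it is reported as `insecure-form-url` even though the embed code never spells out `http://`.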