Webforms and Security: Three things worth repeating

"Security" by Henri Berguis

“Security” by Henri Berguis

Webforms are among the most powerful tools in the WMS, but with great power comes great responsibility.

Here are 3 things to bear in mind when using a webform on your site.

1. It’s never too late to authenticate.

Wherever possible require users to sign in – this is your first and best defence against spam.

This can be done by unchecking “anonymous user” from the Submission Access settings and selecting only the role(s) that should be allowed to submit the form.

2. It’s worth your while to use Private Files.

If you are using a File component to enable your users to send files, set the Upload destination to “Private files.”

This ensures that files reside in a secure, private directory on your site that can only be accessed by people with the correct permissions.

3. No sign in? Don’t let spam in.

If your form needs to be available without a sign in (e.g., to users from outside the McGill community), make sure to avoid certain components to ensure that your site and users are protected:

  • File Upload fields which can be used to upload malicious files to the site
  • Text Area fields which can be used to disseminate spam content
  • Email Address fields which can also be exploited for spam

You should also avoid sending submission confirmation emails that contain sensitive or personal information such as McGill IDs and other personal information. You can always glean this information from the Submissions tab.

These three things to remember when you are working with webforms should go a long way towards ensuring that your WMS site remains secure and your visitors protected from spam or other malicious content.

For more information, see KB Article #2711: Create Forms in the Web Management System


Comments are closed.

Blog authors are solely responsible for the content of the blogs listed in the directory. Neither the content of these blogs, nor the links to other web sites, are screened, approved, reviewed or endorsed by McGill University. The text and other material on these blogs are the opinion of the specific author and are not statements of advice, opinion, or information of McGill.