While having a form on an HTTP page is a major security flaw, an equally critical issue is having a form that submits to an insecure (HTTP) URL. The `action` attribute of a `<form>` tag tells the browser where to send the user’s data. If this URL is not encrypted with HTTPS, any sensitive information submitted through the form can be intercepted by attackers. This is a major security vulnerability that can damage your users’ trust and your website’s reputation.

Think of your form’s `action` URL as the destination for your armored truck. Even if the truck is secure (the page is HTTPS), if you send it to an unlocked, unsecure warehouse (an HTTP URL), the contents are still at risk. For a deeper dive into the world of website security, see our article on the security category.

An illustration of an unlocked padlock, symbolizing the importance of fixing insecure form URLs.

Why Insecure Form Actions Are a Problem

Submitting data to an unencrypted endpoint is a fundamental security anti-pattern. As detailed in this guide from OWASP, insufficient transport layer protection is a major vulnerability.

  • Data Interception: Any data submitted—passwords, credit card numbers, personal information—can be read by anyone monitoring the network.
  • Browser Warnings: Modern browsers will display prominent security warnings when a form on an HTTPS page attempts to submit to an HTTP URL. This is a major red flag for users and can lead to form abandonment.
  • SEO: A secure website is a trustworthy website. Security issues like this can indirectly harm your SEO by creating a poor user experience and eroding trust.

How to Secure Your Form Submissions

Fixing an insecure form URL is a simple but important task. The fix is to ensure that the `action` attribute of your `<form>` tag always points to a secure HTTPS URL.

<!-- Before: Insecure form action -->
<form action="http://example.com/submit-form" method="post">
 ...
</form>
<!-- After: Secure form action -->
<form action="https://example.com/submit-form" method="post">
 ...
</form>

For more on the importance of a well-structured website, check out this guide to HTTPS from Google.

An illustration of a checklist, symbolizing the importance of making sure your website is free of insecure form URLs.

Frequently Asked Questions

What are insecure form URLs?

Insecure form URLs are when you have a form on your website that submits to an HTTP URL. This is a major SEO issue, as it can make your website vulnerable to hackers and other malicious actors.

Why are insecure form URLs important?

Insecure form URLs are important because they can make your website vulnerable to hackers and other malicious actors. They can also be a frustrating experience for users, as they may not be able to trust your website.

How do I fix insecure form URLs?

There are a variety of different things that you can do to fix insecure form URLs. You should start by using an SEO audit tool like Creeper to identify any pages with insecure form URLs. Once you’ve identified the pages, you can take steps to fix them.

Ready to secure your pages? Start your Creeper audit today and see how you can improve your website’s security.