Form security is a constant topic at Formsite and a daily source of questions. Regardless of the type or amount of information being collected, secure forms are provided to every account at every service level.
The most common questions we receive about secure forms include:
- How do I know if I have secure forms?
- What is the Secure Form setting?
- Are embedded forms secure?
- What is ‘Security Compliance’?
- Who needs HIPAA-compliance?
How do I know if I have secure forms?
Websites are secured by using an SSL certificate, and the connection is secured when that security certificate is used to create your connection. The main visual attributes that indicate secure forms are:
|Starts with ‘https’||Does not start with ‘https’|
|Browser displays a lock||Browser displays no lock|
All Formsite form links are provided using the secure ‘https’ link prefix for all forms and service levels. By default, forms are also accessible with the non-secure ‘http’ prefix, which can be disabled by using the Secure Form setting.
What is the Secure Form setting?
Located on the Form Settings -> Security page, enabling the Secure Form setting:
- Prevents access to the form by the non-secure ‘http’ links
- Requires a password for all newly-created Reports
- Displays warnings next to settings with potentially insecure actions
For example, if the form contains items that collect potentially sensitive information and the Secure Form setting is enabled, the system will prevent access to the secure forms by the non-secure ‘http’ address, and a warning will appear on the Notifications page as a reminder to use the Secure Link format instead of sending the information through email.
Are embedded forms secure?
The embed code inserts an iframe ‘window’ in the host site and displays the form through the window. The default embed code uses the ‘https’ address for secure forms, and continues to protect the information entered into forms regardless of whether the host site is secure or non-secure.
In other words, if the embedded form uses ‘https’ then yes, the form is secure.
Do I need an SSL certificate?
The SSL certificate is the security method used to protect the connection and is what makes Formsite forms secure. Since all Formsite forms are protected with Formsite’s SSL certificate, no, the embedding site does not need an additional SSL certificate.
Can I use a different site’s SSL certificate?
The embedding site can use a SSL certificate to secure the host site, but it’s not possible to use a custom SSL certificate with Formsite forms.
What is ‘Security Compliance’?
The detailed pricing page shows that Pro 3 and higher service levels have the ‘Security Compliance’ settings. These features include the ability to use two-factor authentication to further protect the main account and Sub-user accounts, and the application of the 99.9% Service Level Agreement.
Who needs HIPAA-compliance?
The HIPAA features are provided at the Enterprise service level after the BAA has been completed by both organizations and enabled in the Formsite account. HIPAA is a healthcare-oriented program to provide enhanced protection for personal healthcare information, and is typically needed by organizations that collect protected information.
For more information about our HIPAA services, visit our HIPAA compliant forms page.