Keep Out! How to Maximize Your Form’s Security

Written by Amy Jorgenson on June 24, 2013

Posted in Form Hacks, IT + Security

Collecting top secret information?  As I write this, the song “Secret, agent man…” is playing in my head. So load it and sing along too as you explore the Formstack security features in this post.

With Formstack’s available security features, it is easy to create a totally secure form and protect your collected data as well. We offer the ability to enable password-only form access, SSL, PGP Email Encryption, Database Encryption, and CAPTCHA. Not all are necessary, unless you are collecting and storing sensitive information, but if you are, then you need to know about them so you don’t risk violating our terms of service!

All of the Security Settings can be found under the Settings > Security tab of the form, except for CAPTCHA, which you can find under the Form Extras tab when in Build mode.

Password Protect Your Form:
If you enable password protection, individuals will be prompted to enter a password upon visiting your form URL and will only be allowed access if they enter the password that you set and provide. This password is universal across the entire form and cannot be personalized for individual instances. To enable password only access on your form, go to Settings > Security and click “yes” next to “Use Password.”

SSL (Secure Sockets Layer):
SSL is a protocol for providing secure communications on the Internet. SSL provides for the authentication and encryption of traffic between your browser and Internet servers. If you are collecting sensitive, identifying information including, but not limited to, social security and credit card numbers, you MUST enable SSL.

To enable SSL on your form, go to Settings > Security and click “yes” next to SSL. After enabling this feature, you will notice that the original “http” in the Formstack hosted URL will change to “https”, which stands for HyperText Transfer Protocol Secure, which let’s you know the site is secure.

If you enable SSL on your form and you embed it on a website does not have SSL enabled, your form will still be secured by Formstack, even though the URL on the embedded website will not display the “https”.

When you enable SSL, you can display a “Form Secured by Formstack” logo at the bottom of your form. To display this logo, click on “Form Extras” when in Build mode. Then, click on “Secure Logo” and check the box to “Show Secure Logo”.


  • If you embed a non-secure form on a secure website, it may not display. In this case, enable SSL.

Encrypt Notification Emails with PGP:
PGP (Pretty Good Privacy) is a program for encrypting and decrypting email based on the OpenPGP standard. PGP encryption on email notifications is necessary if you are sending sensitive, identifying information including, but not limited to, social security numbers and credit card numbers.

PGP support is available in many popular email applications through 3rd-party PGP programs. Here are some of the free 3rd-party plugins available for widely used email applications:

To enable PGP email encryption on your form, go to Settings > Security and click “yes” next to “Encrypt Notification Emails with PGP” and copy and paste your public key into the Public PGP Key field.

Encrypt Saved Data:
Database encryption is necessary if you are storing sensitive, identifying information including, but not limited to, social security numbers and credit card numbers. When you choose to encrypt your data,  public and private keys are generated and stored with your form. To encrypt your database, go to Settings > Security and click “yes” next to Encrypt Saved Data. You will be prompted to set a password.

Your password encrypts the private key, which will be used to decrypt the data. The public key is used to encrypt the data when saved in the database. Your encryption password is not saved on the server in plain text, so it’s not possible for anyone to access or decrypt the information without knowing your encryption password.


  • File attachments are not encrypted.

  • REMEMBER YOUR PASSWORD! If you lose this password, we can reset the database, but we will not be able to retrieve your data.

Enabling CAPTCHA is not necessary. CAPTCHA is basically jumbled text placed at the bottom of your form as an extra measure of protection against SPAM. All Formstack forms have built in technology to prevent SPAM, but CAPTCHA is just one more layer of protection to fend off those bad guys! To enable CAPTCHA, go to Build > Form Extra > CAPTCHA and click to “use CAPTCHA”.


  • CAPTCHA typically doesn’t play well with Internet Explorer

  • Enabling CAPTCHA will make your form section 508 non-compliant

With the features above, you will be able to collect and store information security. To learn more about Formstack’s security, check out the Formstack Support Knowledge Base and/or fill out our Security Information Request form and you will be given a copy of our detailed Security Document.

“Secret agent man, secret agent man….”

Any questions or suggestions? Let us know in the comments below!

(Featured Image Source)