Insecure Form Actions

Forms submitting to HTTP endpoints expose user data in transit

What does this check test?

This check identifies HTML forms whose `action` attribute points to an insecure HTTP URL, meaning form data (including passwords, personal information, and payment details) will be submitted in plaintext. Even if the page containing the form is served over HTTPS, a form action like `action="http://example.com/login"` will send the submission over an unencrypted connection. This also includes forms with empty or missing action attributes on HTTP pages, because such forms submit to the page's own (HTTP) URL.

Why does it matter?

Form submissions often contain the most sensitive data on a website — login credentials, credit card numbers, addresses, social security numbers, and medical information. When a form submits to an HTTP endpoint, all of this data is transmitted in plaintext and can be intercepted by anyone on the network path between the user and the server. This is especially dangerous on public Wi-Fi networks. Browsers now display prominent security warnings when forms on HTTPS pages submit to HTTP endpoints, which also erodes user trust.

Who is affected?

Any website with forms that collect sensitive information must ensure form actions point to HTTPS endpoints. Login pages, registration forms, checkout pages, and profile update forms are the most critical. This issue is most common in legacy applications that were partially migrated to HTTPS, sites with hardcoded form actions, and templates from older CMS themes or page builders that use absolute HTTP URLs.

Where does this apply?

Inspect all `<form>` elements on your site and check the `action` attribute. Pay special attention to login forms, search forms, contact forms, and any form collecting personal data. Use browser DevTools' Elements panel to search for `action="http`. Also check dynamically generated forms in JavaScript that may construct form actions at runtime. Test with `document.querySelectorAll('form[action^="http:"]')` in the console.
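The console selector above only matches actions that literally start with `http:`. The following is an added example, not code from the original page or from AppVet, that classifies form actions by resolving each one against the page URL, which also covers empty, relative, protocol-relative and upper-case-scheme actions; the sample forms and page URLs are constructed.

```javascript
// Added example, not code from the original page or from AppVet. It classifies
// form actions the way the check above describes, resolving each action against
// the page URL with the WHATWG URL parser (which lower-cases the scheme, so it
// also catches "HTTP://", and treats "" or a missing action as the page's own URL).

function resolveFormAction(action, pageUrl) {
  // A missing or empty action submits to the page's own URL.
  const target = action == null || action.trim() === "" ? pageUrl : action;
  return new URL(target, pageUrl);
}

function isInsecureFormAction(action, pageUrl) {
  return resolveFormAction(action, pageUrl).protocol === "http:";
}

// Constructed sample forms covering the cases discussed on the page.
const SAMPLE_FORMS = [
  { page: "https://example.com/login", action: "http://example.com/api/login" },  // bad
  { page: "https://example.com/login", action: "https://example.com/api/login" }, // good
  { page: "https://example.com/login", action: "/api/login" },                    // relative: inherits https
  { page: "http://example.com/login",  action: "" },                              // empty action on an HTTP page
  { page: "https://example.com/login", action: "//cdn.example.com/submit" },      // protocol-relative
];

function auditForms(forms) {
  return forms.map((f) => ({
    ...f,
    resolved: resolveFormAction(f.action, f.page).href,
    insecure: isInsecureFormAction(f.action, f.page),
  }));
}

// In a browser console the same logic runs over the live DOM; `document` does
// not exist under Node, so this part is guarded and simply returns [] there.
function auditDocumentForms(doc = globalThis.document, pageUrl = globalThis.location?.href) {
  if (!doc || !pageUrl) return [];
  return auditForms(
    Array.from(doc.querySelectorAll("form")).map((form) => ({
      page: pageUrl,
      action: form.getAttribute("action"),
    })),
  );
}

for (const r of auditForms(SAMPLE_FORMS)) {
  console.log(r.insecure ? "INSECURE" : "ok      ", r.resolved);
}
```

Pasted into a browser console, `auditDocumentForms()` with no arguments audits every form on the current page.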

How to fix it

Update all form actions to use HTTPS:
```html
<!-- Bad: Insecure form action -->
<form action="http://example.com/api/login" method="POST">
  <input type="password" name="password">
  <button type="submit">Login</button>
</form>

<!-- Good: Secure form action -->
<form action="https://example.com/api/login" method="POST">
  <input type="password" name="password">
  <button type="submit">Login</button>
</form>

<!-- Better: Relative URL (inherits page protocol) -->
<form action="/api/login" method="POST">
  <input type="password" name="password">
  <button type="submit">Login</button>
</form>
```

Use relative URLs for same-origin form actions so they automatically use the page's protocol. For third-party form endpoints, verify the provider supports HTTPS. Add `Content-Security-Policy: upgrade-insecure-requests` as a safety net. Scan your entire site with a crawler to find all forms and verify their actions.
