Form Tools stores collected form submissions and usually sits behind custom web forms, so it holds contact data and other submitted PII. Hardening should focus on three areas: protecting the admin UI, validating input and output encoding, and patching known XSS issues.
¶ 1) Protect admin UI and submission-management access
- Restrict the admin panel to trusted users and source networks (IP allow-list or VPN at the reverse proxy in front of the /admin path).
- Enforce strong, unique admin passwords and rotate them on a schedule.
- Disable unused modules and remove stale admin and client accounts.
- Log permission changes and every export/download of submission data, and review those logs.
¶ 2) Patch and mitigate known XSS risk
- Track published vulnerabilities for the Form Tools version you run, and record that version in your asset inventory.
- Upgrade past the affected release for the known user-settings XSS issue (CVE-2024-6935, reported against Form Tools 3.1.1); confirm the installed version after the upgrade.
- Re-check output encoding on any custom templates or pages after an upgrade: values that originate from user or admin settings must be HTML-encoded wherever they are rendered, since a core fix does not cover custom code.
- Apply WAF rules and a strict Content-Security-Policy at the reverse proxy where possible; CSP limits the impact of an XSS that slips through but is not a substitute for encoding.
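The output-encoding check above, as an added example that is not part of Form Tools' own code: a custom page prints an account "display name" (a hypothetical field used here only for illustration) once unencoded and once through an encoder, and a small check confirms that a constructed XSS payload survives only in the unsafe rendering. Run it with `php` on the command line; it needs PHP 8 for `str_contains`.

```php
<?php
// Added example, not Form Tools project code. Demonstrates the unsafe and
// hardened way to render a user-controlled value in a custom page/template
// and a quick post-upgrade check that the hardened path actually encodes.
declare(strict_types=1);

/** Encode a value for use in HTML text or inside a double-quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value is safe in attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored user data interpolated directly into markup. */
function render_unsafe(string $displayName): string
{
    return '<span class="user" title="' . $displayName . '">' . $displayName . '</span>';
}

/** Hardened pattern: every interpolation goes through e(). */
function render_safe(string $displayName): string
{
    return '<span class="user" title="' . e($displayName) . '">' . e($displayName) . '</span>';
}

/**
 * Post-upgrade check: true when the rendered HTML still contains a raw
 * script tag or an unencoded attribute break-out from the payload.
 */
function leaks_raw_markup(string $html): bool
{
    return str_contains($html, '<script>') || str_contains($html, '">');
}

// Constructed payload (hypothetical, not taken from any advisory): closes the
// title attribute, then injects a script element.
$payload = '"><script>alert(document.cookie)</script>';

$unsafe = render_unsafe($payload);
$safe   = render_safe($payload);

// Expected: the unsafe rendering leaks, the hardened one does not and
// contains the encoded form "&quot;&gt;&lt;script&gt;".
printf("unsafe leaks: %s\n", leaks_raw_markup($unsafe) ? 'yes' : 'no');
printf("safe leaks:   %s\n", leaks_raw_markup($safe) ? 'yes' : 'no');
printf("safe output:  %s\n", $safe);

if (leaks_raw_markup($safe) || !str_contains($safe, '&lt;script&gt;')) {
    fwrite(STDERR, "FAIL: hardened rendering did not encode the payload\n");
    exit(1);
}
echo "PASS\n";
```

Run the same kind of check against each custom template after an upgrade by feeding it a payload through the real settings form and grepping the rendered page for the raw string; if the encoded form `&lt;script&gt;` is what comes back, the template encodes correctly. Note that encoding is context-specific: `htmlspecialchars` is right for HTML text and attributes, but a value placed inside a `<script>` block or a URL needs a different encoder.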
¶ 3) Secure storage and submission privacy
- Keep the database off the public network and give the application a least-privilege DB account (no DDL or administrative rights beyond what the installer needs).
- Restrict allowed file types, sizes and upload paths for file submission fields, and store uploads outside the web root or with execution disabled.
- Encrypt backups that contain responses and contact data, and control who can restore them.
- Define and enforce a retention policy so old submission data is purged rather than kept indefinitely.
- Form Tools docs: https://docs.formtools.org/
- Form Tools source repository: https://github.com/formtools/core
- NVD CVE-2024-6935 entry: https://nvd.nist.gov/vuln/detail/CVE-2024-6935