Webform is a visual form building tool that allows for great flexibility.
The community documentation provides a great starting point. We want to highlight the following resources as well:
When crafting forms it is important to consider potential ways they may be abused. If you have forms accessible to the public please review the settings and configuration before publishing the form. These settings are within the webform configuration pages.
- Ensure that all file upload fields have the allowed file extensions restricted to only the necessary type, e.g. docx, pdf, jpg, etc
- Only allow more extensions if necessary
- Anonymous (public) file submissions should be stored in the private filesystem. This ensures that anonymous users cannot use websites as a free file hosting platform for spam or malware.
Webform and Contact Forms
- Ensure Honeypot spam filtering for all public-facing forms is enabled:
- https://sitename.wwu.edu/admin/structure/webform/config: under "third party settings", check that protection for all webforms is on.
- If possible, avoid configurations that send user input in the email body, subject, or recipient fields
- Avoid configurations that deliver email to a user provided email address
- Submission-triggered emails should be delivered to a hard-coded set of addresses