Your contact form is a security hole (and how to close it)

Your contact form is the most interactive part of your website. It accepts user input, processes it, and typically stores it somewhere or sends it via email. Every one of those steps is a potential vulnerability. Most contact forms on Moroccan websites have at least three of the following problems, and each one can be exploited.

Problem 1: No input validation

If your form accepts anything a user types without checking it, you're vulnerable to injection attacks. SQL injection (inserting database commands via form fields), XSS (inserting JavaScript that runs when you view the submission), and email header injection (using your form to send spam to others) all exploit unvalidated input.

Fix: Validate every field. Name fields should only accept letters and spaces. Email fields should match email format. Message fields should be sanitized: strip HTML tags and special characters. Never insert raw user input into database queries or email headers.

Problem 2: No spam protection

Without spam protection, your contact form will receive hundreds of spam submissions per day. Spambots scan the web for forms and submit automated junk: pharmaceutical ads, phishing links, and SEO spam. Some of these submissions contain malicious payloads.

Fix: Implement one or more: a honeypot field (hidden field that humans cannot see but bots fill out), reCAPTCHA or Turnstile (Cloudflare's privacy-friendly alternative), rate limiting (max 3 submissions per IP per hour), or server-side validation that rejects submissions with suspicious patterns.

Problem 3: Form submissions sent via unencrypted email

Many Moroccan websites process contact form submissions by sending an email to the business owner. If the email is sent via an unencrypted SMTP connection, the submission data (including the customer's name, email, and message) travels across the internet in plain text.

Fix: Use encrypted SMTP (TLS) for form notification emails. Better: store submissions in a database and access them via a secure dashboard. Never include sensitive information (phone numbers, addresses) in plain-text email subjects.

Problem 4: No CSRF protection

Cross-Site Request Forgery (CSRF) attacks trick a user's browser into submitting your form without their knowledge. An attacker creates a page with a hidden form that posts to your contact form URL. When a logged-in user visits the attacker's page, the form submits automatically.

Fix: Include a CSRF token (a unique, random string generated for each form load) that must be present in the submission. If the token is missing or invalid, reject the submission. All modern frameworks (Next.js, Laravel, Django) have built-in CSRF protection.

Problem 5: No rate limiting

Without rate limiting, an attacker can submit your form thousands of times per minute. This floods your inbox, can crash your server, and if your form sends confirmation emails, it can be used to spam third parties via your email system.

Fix: Limit form submissions to 3–5 per IP address per hour. Use progressive delays: each subsequent submission within a short time period takes longer to process. Block IPs that exceed the limit.

The secure contact form checklist

Input validation on every field. Spam protection (honeypot + CAPTCHA). Encrypted email delivery (TLS). CSRF token verification. Rate limiting per IP. HTTPS on the form page (no form should ever be served over HTTP). Server-side validation (never rely only on client-side). Minimal data collection: do not ask for information you do not need.

For the broader security picture, see how Moroccan websites get hacked. For data privacy requirements, see Loi 09-08 compliance. If your forms need fixing, let's secure them properly.