PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Security/SSL options.

  1. Specifically 2 things:

    1) The ability to choose to redirect users to ssl version of the page/form (checkbox option on the form config would work).

    2) The ability to restrict form fields from being emailed. Absolute Form Processor .NET will encrypt specific fields and not include them on the email. The form admin has to visit the backend to access the encrypted info. This is particularly useful to us as we take SSN and student ID information in forms. Today our admissions application is handled this way and admissions staff log into the backend to get the full student data.

    Posted 14 years ago on Tuesday August 25, 2009 | Permalink
  2. Hello Shelley,

    - The require SSL is a great idea. I will add that to our list of features we pull from for future releases. You can be sure it will be added in the future.

    - Currently you are in complete control of what fields are included in the notification email if you opt to include them individually when creating the notification email. The all fields functionality will display all fields. I will add the ability to exclude a field in the all fields notification slug to the future feature list as mentioned above.

    Great ideas!

    Carl

    Posted 14 years ago on Wednesday August 26, 2009 | Permalink
  3. Forgot to mention I am also noting your request to add encryption on a field by field basis so that the data is encrypted when stored in the database.

    Posted 14 years ago on Wednesday August 26, 2009 | Permalink
  4. Excellent! As for the exclusion/inclusion concept: we have VERY long forms in some cases (the admissions application, for instance) and it would be incredibly painful to *include* each applicable field vs. *excluding* the 2 or 3 that may need to be left out of the email.

    Just food for thought.

    Posted 14 years ago on Friday August 28, 2009 | Permalink
  5. Thought I'd bump this, I'd love to see where SSL (and possibly encrypt) is on the roadmap.

    Posted 14 years ago on Sunday November 1, 2009 | Permalink
  6. Bumping again. I have forms that need SSN submitted...having to use old ugly form system on second server to accomplish. Blech.

    Posted 14 years ago on Friday December 11, 2009 | Permalink
  7. So what you would like is an option on the form settings to force the url to be SSL so that the page being loaded is secure when the form is submitted?

    So it would work like this...

    - Checkbox in Form Settings to force SSL

    - User visits page via non-SSL http:// address

    - Form detects the page load is not secure and automatically redirects to the same page but using https:// to load the page securely.

    - If user visits page via https:// url then there is no change as it is already secure.

    Keeping in mind that the site would have to have a certificate installed for this to work.

    Is this what you are looking for as far as SSL goes?

    Posted 14 years ago on Friday December 11, 2009 | Permalink
  8. Exactly, the only addition would be that the form would need to submit via the https:// url as well.

    That would rock a lot. I'm pushing to get WP/MU also SSL friendly in much the same way, an SSL URL in settings and a per-page/post "force ssl" option.

    Posted 14 years ago on Friday December 11, 2009 | Permalink
  9. I have a need for SSL as well for one particular page, and I ran across this template_redirect solution at wordpress.org:

    http://wordpress.org/extend/ideas/topic.php?id=2138#post-14159

    If you add that to your theme's functions.php and change the page ID (or IDs), it redirects an http page to https page. The form submits to the same page, so it remains https as well.

    I was also able to force one particular page to https using .htaccess.

    None of these solutions are ideal since they're all manually maintained, but they do get the job done if you need it.

    Posted 14 years ago on Monday December 14, 2009 | Permalink
  10. reg
    Member

    illinoisharley

    Is this self contained to your site if implemented....data is not redirected somewhere else to have https? Any certificates needed on the host?

    Posted 14 years ago on Wednesday January 27, 2010 | Permalink
  11. Data is on your site, if you want the form to be secure you will need a certificate associated with and installed on your web host.

    Posted 14 years ago on Wednesday January 27, 2010 | Permalink
  12. hansen-oest
    Member

    Any development news on this topic?

    Does somebody have a link for a handy instruction on how to force ssl on a single form site via .htaccess?

    Posted 13 years ago on Tuesday May 11, 2010 | Permalink
  13. This might be helpful..

    http://www.webmasterworld.com/apache/3507002.htm

    Posted 13 years ago on Tuesday May 11, 2010 | Permalink
  14. This thread seems to address exactly what I need to do. I have a client who wanted a housing rental application form that collects SSN, income and credit info. I have installed the WPSSL plugin to handle redirects and I have made modifications to the files so that all calls to javascript, css and images are to the https versions, so my page is showing as secure (padlock icon verifies).

    What do I need to do to make sure the data is SUBMITTED securely? Or will it be submitted securely since the page is secure? I know I don't need to include any sensitive fields in the notification email. Anything else?

    Posted 13 years ago on Friday August 20, 2010 | Permalink
  15. If the page is secure via SSL it will submit securely. It submits to itself.

    Posted 13 years ago on Friday August 20, 2010 | Permalink
  16. bizlift
    Member

    Would love to have fields flagged to be stored encrypted in database. SSL is good when submitting SSN & other sensitive info, but it should never be stored in plain-text in database.

    Posted 13 years ago on Monday December 13, 2010 | Permalink
  17. @bizlift This is planned for a future release. It's on our list of features we plan on implementing in 2011 for sure.

    Posted 13 years ago on Monday December 13, 2010 | Permalink
  18. bizlift
    Member

    @carl - thank you sir!

    Posted 13 years ago on Monday December 13, 2010 | Permalink
  19. Alex Smith
    Member

    @Carl - really looking forward to an option to flag certain fields to be encrypted!

    In the meantime can I get your thoughts on a couple of things?

    1) If I needed to do this (i.e. for a social security number field, etc) before the feature is available in GF, would I just create the form as usual and then go into MySQL and click a magic button to add encryption to that certain field/column?

    2) Let's say my confidential field/column in MySQL is encrypted after the form is submitted via SSL... what about viewing the form submissions in the WP Admin? Should I make my WP Admin only accessible via SSL or would viewing the confidential data in the (password protected) WP Admin be enough?

    I completely understand that things are only as secure as my host, WP install and the MySQL DB Server I'm using but really interested in kind of a step-by-step approach you would consider if (for example) a client asked rocketgenius to perform this task using GF.

    Thank you for your time! - Alex

    Posted 13 years ago on Wednesday December 15, 2010 | Permalink
  20. Alex Smith
    Member

    Okay... maybe a step-by-step was a lot to ask.

    I suppose the biggest curiosity is with encrypting a form field and keeping it safe from prying eyes when viewing it in the WP admin.

    Would I need to do anything special within the Gravity Form I create or would it all rely on how the database field is set up?

    Just trying to figure out if doing this with GF (1.5) is really more trouble than it's worth at this release point (i.e. if too many things could go wrong, etc).

    If so then I could use Wufoo for this specific client but would much rather use GF if all that's needed are a few tweaks.

    Thanks! - Alex

    Posted 13 years ago on Thursday December 23, 2010 | Permalink
  21. Encrypting fields isn't database setup related. It's code related.

    You would have to use API hooks to encrypt the field value before it is stored in the database, and then you would have to use API hooks to decrypt the field value before it is displayed in the admin, etc.

    Right now the capability exists to encrypt the field value, however I'm not 100% sure if the hook exists in the current 1.5 release to be able to decrypt a value before it is displayed in the admin. We are adding it to the 1.5 release, so if it's not there now it will be in the final release.

    We do have plans to enable encrypting field values, but it will probably be in a subsequent 1.5 point release after all the hooks are in place.

    Posted 13 years ago on Thursday December 23, 2010 | Permalink
  22. Alex Smith
    Member

    @Carl,

    Thanks for the follow up! (it was filtered so just now seeing it;)

    Let me see if I have this correct before I get too excited.

    Are you saying that once the 1.5 release is available encrypting and decrypting GF form fields can be accomplished via GF API hooks?

    If so, would the scenario be something like:

    Create the form
    Use GF API hooks in functions.php to intercept specifically named form fields (on submission) on that specific form id that needs encrypting and decrypting goodness
    Rinse and repeat as needed

    Am I on the right track or...?

    Thanks for clarifying! - Alex

    Posted 13 years ago on Friday December 24, 2010 | Permalink
  23. @fluid Yes, you are on track. Some of the hooks are already available, however not all of them are in place yet so it isn't yet possible. You can store the data as encrypted values but right now the hooks aren't in place to decrypt them before displaying them in the admin. But we are adding them and they should be in place for the final 1.5 release.

    Posted 13 years ago on Monday December 27, 2010 | Permalink
  24. I have SSLs on most of my WP sites (especially one that is ecommerce) or process form data. My WP login is also https:// and not the standard http:// and this was advised to me from PHPoet guys (makers of PHPurchase) when I tried hard to get the SSL to work in their shopping cart plugin for one site. I was told it was best to use https:// for the WP login (I forget the reason why as told to me). I had one issue in which the lock was unbroken on the SSL and that was because a Google API was using the http:// and all I had to do was go into the Editor and add the "s" since Google also hosted an https:// version of that API. I bought my SSLs from Godaddy.com (Starfield Technologies) and paid about $13 a piece for each one. If you search you can find discount codes or affiliate marketing links that give you these discounts. Get one and load it onto your web host, that is an experience in itself. I use RackSpace Cloud Sites and they walked me through it all including how to find complete documentation on forcing SSL, etc. from their knowledge base (they also just did it for me over the phone and walked me through it so I knew how to do it again). It's not hard once you do it a few times, takes me about 45 minutes to install one now and I must have at least 10.

    Posted 13 years ago on Monday December 27, 2010 | Permalink
  25. Alex Smith
    Member

    @Carl - this is great news! Thanks so much for clarifying!

    Once the API hooks are in place will someone be kind enough to give an example on how to implement them? :-D

    Also, does/will Gravity Forms v1.5 have any API hooks to force SSL when viewing form data/entries in the admin or would the only option be to make the entire WP Admin only viewable over SSL?

    Thanks for answering all of these questions... they're extremely important and it's much appreciated! - Alex

    Posted 13 years ago on Tuesday December 28, 2010 | Permalink
  26. There are no hooks for forcing SSL in the Gravity Forms admin pages. You would have to use a plugin that forces SSL on the entire admin.

    Posted 13 years ago on Tuesday December 28, 2010 | Permalink
  27. swbiggart
    Member

    Found this plugin to do some of the things people are requesting in this forum. Hope it helps someone out!

    Wordpress HTTPS

    http://wordpress.org/extend/plugins/wordpress-https/

    Posted 13 years ago on Thursday February 3, 2011 | Permalink
  28. adamdunford
    Member

    I've just downloaded 1.5RC4 and I don't see where/how to encrypt fields; has this been pushed to another release?

    Posted 13 years ago on Monday February 28, 2011 | Permalink
  29. @adamdunford This wasn't being added to 1.5 as an out of the box feature. What was added in 1.5 are the API hooks that make doing this as a customization possible. You would have to write the code to encrypt the data and decrypt the data using the API hooks we are introducing in 1.5 that make it possible to do this. It wasn't possible before.

    We do plan on making it a native feature via an Add-On later this year, not part of the core code as it isn't something that is applicable to all users. So it's going to be an Add-On that lets you configure the encryption.

    Posted 13 years ago on Monday February 28, 2011 | Permalink
  30. adamdunford
    Member

    Carl, makes total sense; an Add-On is definitely the way to go (count me in as an interested user!).

    Posted 13 years ago on Monday February 28, 2011 | Permalink
  31. blueprintds
    Member

    Thanks for the Hooks, Carl! We were able to code up an encryption/decryption routine and add checkboxes in the admin for turning it on/off per field.

    There are still a few SSL issues when using the [gravityform] shortcode (at least when running the site on Nginx reverse proxy to Apache). The form action was using the http version of the page we were viewing instead of the https version (which is what we had pulled up). We fixed those with a dirty str_replace on the output and there probably is a cleaner way, but I was in a hurry and the site was already live. However, if your intention is to always post a gform back to the page being viewed, you can just output action="" instead of supplying the URL of the page there.

    Posted 12 years ago on Saturday April 30, 2011 | Permalink
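An added example (not code from any poster in this thread or from Gravity Forms) of the `template_redirect` approach mentioned earlier, extended to the reverse-proxy case described in the post above, where the page loads over https but the form action is generated as http. The `mysite_*` function names, page IDs and proxy address are assumptions; `gform_form_tag` is the Gravity Forms filter for the opening form tag.

```php
<?php
// Added example for a theme's functions.php. Function names, page IDs and
// proxy addresses are assumptions for illustration.

// Assumption: IDs of the pages that carry sensitive forms.
function mysite_secure_page_ids() {
    return array( 42, 57 );
}

// Assumption: addresses of the TLS-terminating proxies in front of this site.
function mysite_trusted_proxies() {
    return array( '127.0.0.1' );
}

// True when the visitor's connection is HTTPS, including the case where a
// trusted proxy terminated TLS and forwarded the request over plain HTTP.
function mysite_request_is_https() {
    if ( is_ssl() ) {
        return true;
    }
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $proto  = isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
        ? strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) : '';
    // Only believe the header when it comes from a proxy we operate.
    return in_array( $remote, mysite_trusted_proxies(), true ) && 'https' === $proto;
}

// Redirect plain-HTTP loads of the listed pages to the same path over HTTPS.
function mysite_force_https_on_form_pages() {
    if ( ! is_page( mysite_secure_page_ids() ) || mysite_request_is_https() ) {
        return; // Not a protected page, or already secure: no redirect loop.
    }
    // Use the configured site host rather than the client-supplied Host header.
    $host = parse_url( home_url(), PHP_URL_HOST );
    wp_safe_redirect( 'https://' . $host . $_SERVER['REQUEST_URI'], 301 );
    exit;
}
add_action( 'template_redirect', 'mysite_force_https_on_form_pages' );

// Make the form post to HTTPS even if the generated action URL says http://.
function mysite_https_form_action( $form_tag, $form ) {
    if ( ! is_page( mysite_secure_page_ids() ) ) {
        return $form_tag;
    }
    return preg_replace( '#(action=[\'"])http://#i', '${1}https://', $form_tag );
}
add_filter( 'gform_form_tag', 'mysite_https_form_action', 10, 2 );
```

Without the trusted-proxy check, a site whose TLS ends at the proxy sees every request as plain HTTP and the redirect loops; honouring the header from any client would let a plain-HTTP visitor skip the redirect.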
  32. gajusbd
    Member

    @blueprintds - any chance you could share how you set-up the encryption/decryption per field?

    Posted 12 years ago on Tuesday May 31, 2011 | Permalink
  33. A client asked me to encrypt the data being stored by one of their GF forms as described in this thread. They wanted the form values encrypted in the database, a few non-sensitive values added to the notification email and the ability to view the unencrypted values in the admin panel.

    The examples on the pages listed below didn't work:
    http://www.gravityhelp.com/documentation/page/Gform_save_field_value
    http://www.gravityhelp.com/documentation/page/Gform_get_field_value

    There were 3 main problems:

    1) The admin panel listed decrypted data on the entries list, but encrypted data on the entry details page.

    2) Some fields like radio and checkbox values, once encrypted, were too long and truncated in the db, thus impossible to decrypt.

    3) Some fields were combined with other values, both encrypted (e.g. First + Last Name) and decrypted (e.g. map link for address fields) when returned for display on the entry details page.

    I decided to store radio, checkbox and select values unencrypted as they are unlikely to contain sensitive data. Also, I needed to email some non-sensitive fields, and only encrypt certain forms.

    Here's my solution, in case it's helpful to someone:
    http://pastebin.com/LbMEDbeR

    Posted 12 years ago on Saturday August 6, 2011 | Permalink
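An added example (not the pastebin code linked above, and not Gravity Forms' own code) of encrypting selected fields through the `gform_save_field_value` and `gform_get_field_value` filters named in that post, using AES-256-GCM so that a value truncated in the database fails authentication instead of decrypting to garbage. The `MYSITE_FIELD_KEY` constant, the `mysite_*` names and the form/field IDs are assumptions.

```php
<?php
// Added example for functions.php; mysite_* names, MYSITE_FIELD_KEY and IDs are assumptions.
// wp-config.php: define( 'MYSITE_FIELD_KEY', '<base64 of 32 random bytes>' ); needs PHP 7.1+ OpenSSL.
const MYSITE_ENC_PREFIX = 'enc1:'; // Marks values written by this code.

// Assumption: form ID => IDs of the fields to encrypt.
function mysite_protected_fields() {
    return array( 3 => array( 5, 6 ) );
}

function mysite_is_protected( $form_id, $field ) {
    $map    = mysite_protected_fields();
    $choice = in_array( $field['type'], array( 'radio', 'checkbox', 'select' ), true );
    // Choice fields stay in the clear, as in the post above.
    return ! $choice && isset( $map[ $form_id ] ) && in_array( (int) $field['id'], $map[ $form_id ], true );
}

function mysite_field_key() {
    $key = base64_decode( MYSITE_FIELD_KEY, true );
    if ( false === $key || 32 !== strlen( $key ) ) {
        throw new RuntimeException( 'MYSITE_FIELD_KEY must be 32 bytes, base64-encoded.' );
    }
    return $key;
}

function mysite_encrypt( $plain ) {
    $iv = random_bytes( 12 ); // Fresh nonce for every stored value.
    $ct = openssl_encrypt( $plain, 'aes-256-gcm', mysite_field_key(), OPENSSL_RAW_DATA, $iv, $tag );
    if ( false === $ct ) {
        throw new RuntimeException( 'Field encryption failed.' );
    }
    return MYSITE_ENC_PREFIX . base64_encode( $iv . $tag . $ct );
}

function mysite_decrypt( $stored ) {
    if ( is_array( $stored ) ) { // Multi-input fields may arrive as an array.
        return array_map( 'mysite_decrypt', $stored );
    }
    if ( ! is_string( $stored ) || 0 !== strpos( $stored, MYSITE_ENC_PREFIX ) ) {
        return $stored; // Not written by this code; pass through unchanged.
    }
    $raw = base64_decode( substr( $stored, strlen( MYSITE_ENC_PREFIX ) ), true );
    if ( false === $raw || strlen( $raw ) <= 28 ) {
        return '[unreadable]';
    }
    $plain = openssl_decrypt( substr( $raw, 28 ), 'aes-256-gcm', mysite_field_key(),
        OPENSSL_RAW_DATA, substr( $raw, 0, 12 ), substr( $raw, 12, 16 ) );
    // A truncated or altered value fails the GCM tag check and returns false.
    return false === $plain ? '[unreadable]' : $plain;
}

function mysite_encrypt_on_save( $value, $lead, $field, $form ) {
    if ( ! is_string( $value ) || '' === $value || ! mysite_is_protected( $form['id'], $field ) ) {
        return $value;
    }
    return mysite_encrypt( $value );
}
add_filter( 'gform_save_field_value', 'mysite_encrypt_on_save', 10, 4 );

function mysite_decrypt_on_read( $value, $lead, $field ) {
    // Decrypt only in the admin, for users allowed to view entries.
    $allowed = is_admin() && current_user_can( 'gravityforms_view_entries' );
    return $allowed ? mysite_decrypt( $value ) : $value;
}
add_filter( 'gform_get_field_value', 'mysite_decrypt_on_read', 10, 3 );
```

Each stored value grows by the 5-character prefix plus base64 of 28 bytes of nonce and tag, so check the result against the column width of the entry table before enabling this on long fields.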
  34. Carlos
    Member

    I wanted to throw our hat in as a group who really needs more secure methods in place for using Gravity Forms.

    The SSL business is excellent, but in addition to that we require logging capabilities too. That is, the ability to track who viewed a [sensitive] submitted entry (and that log has to be encrypted, too).

    Posted 12 years ago on Sunday August 7, 2011 | Permalink
  35. I'd like to know when a new release comes out that supports these requests....

    Posted 12 years ago on Monday August 29, 2011 | Permalink
  36. Can anyone recommend a GF developer who can create a secure form?

    Posted 12 years ago on Monday August 29, 2011 | Permalink
  37. not sure if this helps as someone mentioned above... I have a certificate on a client's site..

    I used this simple code to force ssl on wp-admin login and the dashboard area for safe measure

    define('FORCE_SSL_ADMIN', true); put in the wp config file..
    http://codex.wordpress.org/Administration_Over_SSL

    I then had to use the plugin as mentioned above to get the pages to show correctly in google chrome browser without errors..
    http://wordpress.org/extend/plugins/wordpress-https/screenshots/

    This is the form page https://greenprintlawns.com/easy-pay/

    Here were some of the errors that I was getting
    http://logoicons.s3.amazonaws.com/httpsadmin.png

    I had this error problem in the admin area even with the plugin in chrome browser... It was the logo above the dashboard being http... so just uploaded and hosted the logo at the link below to take care of that..
    http://www.sslpic.com/

    little off topic there but may as well fix the ssl on the whole site :)

    Ps... that wordpress https plugin will give you the option to force ssl on certain pages only.. little buggy though so I just did it globally

    have to play with the setting a bit and if using chrome will need to clear cookies and close and reopen browser after making changes
    http://logoicons.s3.amazonaws.com/httpssettings.png

    Posted 12 years ago on Monday August 29, 2011 | Permalink
  38. I have a mortgage and loan client who is in need of an application that requires sensitive information. The application will be sent from his website to the main Mortgage company for review.

    Am I right in assuming that, at this point, gravity forms does not have encryption security for the transfer of all data using e-mail notification? Is there some way that can be done?

    Posted 12 years ago on Friday September 23, 2011 | Permalink
  39. Gravity Forms does not encrypt the email notifications.

    If you wanted to send the email as an encrypted email you would have to implement your own email functionality as a customization and initiate sending this email when the form is submitted.

    So it's possible to do as a customization, but it isn't currently a built in feature.

    Posted 12 years ago on Friday September 23, 2011 | Permalink
  40. NTMedia
    Member

    hey Scott

    you posted this:

    have to play with the setting a bit and if using chrome will need to clear cookies and close and reopen browser after making changes
    http://logoicons.s3.amazonaws.com/httpssettings.png

    where are you getting these settings? not showing up in my wordpress at all!

    Posted 12 years ago on Wednesday October 19, 2011 | Permalink
  41. NTMedia, did you install and activate this plugin?

    http://wordpress.org/extend/plugins/wordpress-https/

    If so, you can access the page directly, if it's not in your menu for some reason, by using this URL for your site:

    http://example.com/wp-admin/options-general.php?page=wordpress-https

    It's in the Settings > General section of your WordPress admin.

    Posted 12 years ago on Wednesday October 19, 2011 | Permalink
  42. NTMedia
    Member

    yes. when I go to it - it says "You do not have sufficient permissions to access this page."

    I created the damn site!

    Posted 12 years ago on Wednesday October 19, 2011 | Permalink
  43. That's the reason it's not showing up in the menu: roles or permissions.

    What sort of role or permission plugins are you using? You'll need to give yourself access to the plugin settings, or get with the plugin author to see what the conflict might be.

    Posted 12 years ago on Wednesday October 19, 2011 | Permalink
  44. NTMedia
    Member

    doesn't make sense. I have full control over the site...

    Posted 12 years ago on Thursday October 20, 2011 | Permalink
  45. NTMedia
    Member

    kill this - I was looking at the wrong plugin... got it going.

    Posted 12 years ago on Thursday October 20, 2011 | Permalink
  46. Great. Glad you got it working.

    Posted 12 years ago on Friday October 21, 2011 | Permalink
  47. Hi, has there been any movement on being able to encrypt fields as an add on?

    Posted 11 years ago on Saturday June 9, 2012 | Permalink
  48. Anything new on being able to encrypt fields as an add on?

    Posted 11 years ago on Tuesday September 18, 2012 | Permalink
  49. grahamlindsey
    Member

    I too am very interested in excluding one or two fields, or automatically encrypting the output to the email (starred-out entries when emailed would be perfect).

    The ability to send {all_fields} via email is great (and looks very elegant), but if certain fields could be excluded from the email, that would help keep our customers' information secure by keeping it on our site, and nowhere near email.

    As Shelley mentioned in the original post she would be changing the form regularly, and we will too. I don't want to have my client re-generate the list of fields manually (we've got 220 now, and that will increase to 3-400 next month, with all the values changed).

    Allowing us to opt out of a field or two would even mean we don't need the encryption (we use SSL on the site anyway).

    Posted 10 years ago on Tuesday May 21, 2013 | Permalink
  50. David Peralty

    Nothing new has changed on our end or is currently planned at this time.

    Posted 10 years ago on Tuesday May 21, 2013 | Permalink