Form Security Auditor
Scans every form on any webpage for security misconfigurations. Detects missing CSRF tokens, password fields without proper autocomplete attributes, forms submitting over HTTP, hidden fields containing sensitive data, missing input validation, and other common form security issues.
Drag the "📝 Audit Forms" bookmarklet to your bookmarks bar, then use it on any website. It runs on any site, and all processing happens in your browser.
Web forms are primary attack vectors — they accept user input and transmit it to servers. Misconfigurations like missing CSRF tokens, insecure submission URLs, and exposed hidden fields create exploitable vulnerabilities.
- CSRF Token: A unique, unpredictable value included in forms to prevent cross-site request forgery attacks.
📝 Form Security Auditor — FAQ
What is a CSRF token?
A hidden field containing a unique value that verifies the form submission originated from the legitimate site, not from a malicious third-party page.
Why flag password fields without autocomplete?
Explicit autocomplete attributes tell browsers how to handle credential storage. Without them, browser behavior is inconsistent and may cache passwords insecurely.
Does this test form submission?
No — it only inspects the HTML structure. It does not submit forms or test server-side validation.
Why check hidden fields?
Developers sometimes put API keys, internal IDs, or debug data in hidden fields, visible to anyone who views source.
Can this find SQL injection?
No — SQL injection requires server-side testing. This tool identifies client-side form misconfigurations only.
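The client-side checks described on this page (insecure submission URL, missing CSRF token, password fields without an autocomplete attribute, sensitive-looking hidden fields) as an added example. This is not the bookmarklet's own code; the plain-object form shape, the rule names and the name patterns are assumptions made for the example, and the audit runs over data objects so the logic can be exercised outside a browser.

```javascript
// Added example, not the bookmarklet's own code: the client-side checks the
// page describes, as pure functions over plain-object forms so they run under
// Node too. Field shape and name patterns are assumptions of this example.
const CSRF_NAME = /csrf|xsrf|_token|authenticity_token|requestverificationtoken/i;
const SENSITIVE_NAME = /api[_-]?key|secret|password|passwd|session|debug/i;

// Returns the findings for one form; pageUrl resolves relative action URLs.
function auditForm(form, pageUrl) {
  const findings = [];
  const fields = form.fields || [];
  const method = (form.method || 'get').toLowerCase();
  // An absent action submits back to the page, so resolve against pageUrl.
  const action = new URL(form.action || '', pageUrl);
  if (action.protocol === 'http:') findings.push({ rule: 'insecure-action', detail: action.href });
  const hasCsrf = fields.some(f => f.type === 'hidden' && CSRF_NAME.test(f.name || ''));
  if (method === 'post' && !hasCsrf) findings.push({ rule: 'missing-csrf-token', detail: action.href });
  for (const f of fields) {
    const name = f.name || '';
    if (f.type === 'password' && !f.autocomplete) findings.push({ rule: 'password-without-autocomplete', detail: name });
    // A CSRF token is a hidden field by design; only flag other sensitive-looking names.
    if (f.type === 'hidden' && SENSITIVE_NAME.test(name) && !CSRF_NAME.test(name)) findings.push({ rule: 'sensitive-hidden-field', detail: name });
  }
  return findings;
}

// In a browser, build the same plain objects from document.forms.
function collectForms(doc) {
  return Array.from(doc.forms).map(form => ({
    action: form.getAttribute('action') || '',
    method: form.getAttribute('method') || 'get',
    fields: Array.from(form.elements).map(el => ({
      type: (el.getAttribute('type') || el.tagName).toLowerCase(),
      name: el.getAttribute('name') || '',
      autocomplete: el.getAttribute('autocomplete') || '',
    })),
  }));
}

// Constructed sample: a login form showing several of the issues listed above.
const SAMPLE_FORM = {
  action: 'http://example.com/login', method: 'post',
  fields: [
    { type: 'text', name: 'user', autocomplete: 'username' },
    { type: 'password', name: 'pass', autocomplete: '' },
    { type: 'hidden', name: 'api_key', autocomplete: '' },
  ],
};
if (typeof document !== 'undefined') {
  collectForms(document).forEach(f => console.table(auditForm(f, location.href)));
}
```

As the FAQ notes, this inspects markup only: a form that passes every rule may still lack server-side validation or token verification.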