Form Security
Checks forms for HTTPS action, CSRF tokens, and autocomplete attributes.
What this check measures
We enumerate `<form>` tags and check three things: the resolved action URL is HTTPS (a relative or same-origin action on an HTTPS page counts), state-changing forms such as login and payment carry a CSRF token or the session cookie is SameSite-protected, and password fields declare `autocomplete="current-password"` or `autocomplete="new-password"`.
Why it matters
A form whose action resolves to http:// submits credentials in clear text. Without a CSRF token (or a SameSite-protected session cookie), an attacker's page can submit the form from the browser of a logged-in user and trigger authenticated actions on their behalf. `autocomplete="off"` on a password field asks password managers not to fill it; modern browsers largely ignore that value for login fields, but the semantic values `current-password` and `new-password` still tell the manager which field is which, and sites that fight password managers push users toward weak, reused passwords.
How our audit detects it
Parse each `<form>`, resolve the action attribute and check its scheme, look for a hidden CSRF input on state-changing forms and for a SameSite attribute on the session cookie (server-side Origin/Referer validation is not visible in the HTML, so a static scan cannot credit it), and validate the autocomplete value on every password input.
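The detection steps above, as an added example that is not Pantra's own scanner code: a self-contained static audit using only the Python standard library, run over a constructed HTML sample. The page URL used to resolve relative actions, the list of hidden-input names treated as CSRF tokens, and the way the session cookie's SameSite value is passed in are all assumptions.

```python
"""Added example (not Pantra's code): a minimal static form audit.

Implements the three checks described on the page: action scheme, CSRF token
presence on state-changing (POST) forms, and autocomplete on password fields.
The page origin, the CSRF field-name hints and the sample HTML are constructed
for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hidden-input names commonly used for synchronizer tokens.
CSRF_NAME_HINTS = ("csrf", "xsrf", "_token", "authenticity_token",
                   "__requestverificationtoken")
PASSWORD_AUTOCOMPLETE_OK = {"current-password", "new-password"}


class FormCollector(HTMLParser):
    """Collects every <form> and the <input> elements nested inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # valueless attrs -> ""
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url, session_cookie_samesite=None):
    """Return a list of finding strings for the forms in `html`.

    page_url resolves relative actions; session_cookie_samesite is the SameSite
    value observed on the session cookie (None if the cookie has none).
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for i, form in enumerate(parser.forms):
        label = f"form#{i}"
        inputs = form["inputs"]
        target = urlparse(urljoin(page_url, form["action"]))

        # 1. Action scheme: anything resolving to http:// submits in clear text.
        if target.scheme != "https":
            findings.append(f"{label}: action submits over {target.scheme}:// "
                            f"({target.geturl()})")

        # 2. CSRF: a POST form needs a hidden token unless the session cookie
        #    is SameSite=Lax/Strict (server-side Origin checks are invisible here).
        if form["method"] == "post":
            has_token = any(
                inp.get("type", "").lower() == "hidden"
                and any(h in inp.get("name", "").lower() for h in CSRF_NAME_HINTS)
                for inp in inputs)
            if not has_token and session_cookie_samesite not in ("lax", "strict"):
                findings.append(f"{label}: no CSRF token on a state-changing "
                                f"form, no SameSite cookie")

        # 3. Autocomplete on password fields.
        for inp in inputs:
            if inp.get("type", "").lower() != "password":
                continue
            ac = inp.get("autocomplete", "").lower()
            if ac == "off":
                findings.append(f'{label}: password field has autocomplete="off"')
            elif ac not in PASSWORD_AUTOCOMPLETE_OK:
                findings.append(f"{label}: password field lacks "
                                f"autocomplete=current-password/new-password")
    return findings


# Constructed sample: form#0 fails all three checks, form#1 passes all three.
SAMPLE_HTML = """
<form action="http://example.com/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
</form>
<form action="/account/update" method="post">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="password" name="new_pass" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_HTML, "https://example.com/"):
        print(finding)
```

Passing the observed SameSite value in separately mirrors what a real scanner has to do: the cookie attribute lives in the Set-Cookie response header, not in the HTML, so the two checks are combined only at the reporting step.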
Typical findings
- Login form action points to http:// URL.
- No CSRF token on a state-changing form, no SameSite cookie.
- Password field has autocomplete="off" — blocks password managers.
How to fix
Force all forms to submit over HTTPS (redirect HTTP to HTTPS and avoid absolute http:// actions). Add a CSRF token to every state-changing form, or rely on SameSite=Lax/Strict session cookies; with Lax, top-level GET navigations still carry the cookie, so no GET endpoint may change state. Use the proper autocomplete values for accessibility and password manager support.
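The token-based part of the fix, as an added example (not Pantra's code and not tied to any framework): a synchronizer token issued once per session, checked with a constant-time comparison on state-changing methods only, alongside the session Set-Cookie attributes recommended above. The in-memory session store and the cookie name are assumptions.

```python
"""Added example (not Pantra's code): synchronizer-token CSRF protection plus a
SameSite session cookie. SESSIONS stands in for a server-side session store."""
import hmac
import html
import secrets

SESSIONS = {}  # assumption: session_id -> dict, replacing a real session backend

# Methods that must never change state; SameSite=Lax still sends the cookie on
# top-level GET navigations, so gating them with a token would not help anyway.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id):
    """Create one unguessable token per session (reused on later renders)."""
    sess = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in sess:
        sess["csrf_token"] = secrets.token_urlsafe(32)
    return sess["csrf_token"]


def hidden_field(token):
    """Render the token for embedding in a state-changing form."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(token, quote=True)}">'


def verify_csrf(session_id, submitted_token, method):
    """Accept a request only if it is safe or carries the session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if not expected or not submitted_token:
        return False
    # Constant-time comparison on bytes; rejects non-ASCII input cleanly.
    return hmac.compare_digest(expected.encode("utf-8"),
                               str(submitted_token).encode("utf-8"))


def session_set_cookie(session_id, samesite="Lax"):
    """Set-Cookie value for the session: HTTPS-only, JS-inaccessible, SameSite."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite={samesite}"


if __name__ == "__main__":
    sid = secrets.token_urlsafe(16)          # constructed session id
    tok = issue_csrf_token(sid)
    print(session_set_cookie(sid))
    print(hidden_field(tok))
    print("valid POST:", verify_csrf(sid, tok, "POST"))
    print("forged POST:", verify_csrf(sid, "not-the-token", "POST"))
```

The token is bound to the session rather than the page, so it survives multiple tabs; rotate it on login to avoid fixation, and keep GET handlers free of side effects regardless of which mitigation you choose.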
Frequently asked questions
Do I need CSRF tokens with SameSite cookies?
Want this checked on your site?
Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.
Related checks
HTTPS Enabled
Checks that the site serves over HTTPS and redirects HTTP to HTTPS.
TLS Version
Checks that the server uses TLS 1.2 or higher — older versions are broken.
Mixed Content
Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.
SSL Certificate
Checks that the SSL certificate is valid, not expired, and not expiring soon.