---
title: "Secure Form Handling with AI Prompts"
description: "AI prompts to secure your HTML forms. Implement validation, CSRF protection, honeypots, and rate limiting to prevent form abuse and attacks."
ogDescription: "AI prompts to implement secure form handling and validation."
category: prompts
date: 2026-02-24
dateModified: 2026-03-06
tags: [Frontend]
path: /blog/prompts/secure-forms
---

# Secure Form Handling with AI Prompts

> **TL;DR:** Forms are primary attack vectors. Protect them with CSRF tokens, server-side validation, rate limiting, and honeypot fields for bots. Autocomplete attributes help password managers, and proper input types improve mobile UX. These prompts help you build secure forms.

## Form Security Essentials

Copy this prompt to have your AI audit and harden your HTML forms. You'll get updated markup with CSRF tokens, honeypot fields, proper autocomplete attributes, and a matching server-side handler.

**Prompt: Secure Form Setup**

```text
Review my forms and add security best practices.

For each form, ensure:

1. method="POST" for data-changing forms
2. CSRF token included and validated
3. autocomplete attributes set correctly
4. Input types match data (email, tel, number)
5. Server-side validation matches client-side
6. Error messages don't leak information

Security additions:

- Add honeypot field for bot detection
- Rate limit submissions per IP
- Log form submissions (without passwords)
- Validate file uploads if present

For login forms specifically:

- autocomplete="username" on username field
- autocomplete="current-password" on password
- Don't reveal if username exists in errors

Show updated HTML and server-side handler.
```

## CSRF Protection

Use this prompt to generate CSRF token handling for your framework. Your AI will produce token generation, hidden field injection, server-side validation, and SameSite cookie configuration.

**Prompt: Add CSRF Tokens**

```text
Implement CSRF protection for all my forms.

Framework: Next.js/Express/Django

CSRF flow:

1. Generate unique token per session
2. Include token in form (hidden field or header)
3. Validate token on form submission
4. Reject if missing or mismatched

For traditional forms:

For AJAX/fetch:

- Send token in X-CSRF-Token header
- Or include in request body

Token generation:

- Cryptographically random
- Bound to user session
- Regenerate on login
- Expires with session

Also check:

- SameSite cookie attribute (additional CSRF defense)
- Referer/Origin header validation (supplementary)
```

> **Warning. GET requests should never change data:** CSRF protection typically only applies to POST/PUT/DELETE. If your GET endpoints modify data, attackers can CSRF them via image tags regardless of tokens.

## Bot and Spam Prevention

This prompt asks your AI to add multi-layered bot protection to your forms. You'll get honeypot fields, time-based validation, JavaScript tokens, and rate limiting rules ready to drop in.

**Prompt: Add Bot Protection**

```text
Add bot and spam protection to my forms.

Techniques:

1. Honeypot field (hidden field bots fill)
2. Time-based validation (too fast = bot)
3. JavaScript token (bots often don't run JS)
4. Rate limiting per IP
5. CAPTCHA for high-value forms

Honeypot implementation:

On server:
if (formData.website) {
  // Bot detected - silently reject or log
  return { success: true }; // Don't reveal detection
}

Time-based:

- Include timestamp in hidden field
- Reject if submitted in < 3 seconds
- Reject if submitted after > 1 hour

Rate limiting:

- Max 5 submissions per minute per IP
- Max 20 per hour for same email
```

## Accessible Password Fields

Copy this prompt to generate secure, accessible password form fields. Your AI will create inputs with proper autocomplete attributes, a show/hide toggle, a strength meter, and clear requirements display.

**Prompt: Secure Password Inputs**

```text
Create secure and accessible password form fields.

Password input should have:

1. type="password" (masks input)
2. autocomplete attribute (helps password managers)
3. Show/hide toggle (accessibility)
4. Strength meter (user feedback)
5. Clear requirements list

Autocomplete values:

- Login: autocomplete="current-password"
- Registration: autocomplete="new-password"
- Change password: both fields appropriately

Show/hide toggle:

- Button to toggle type between password/text
- aria-label updates based on state
- Don't use checkbox (poor UX)

Password requirements display:

- Show requirements before user types
- Update checkmarks in real-time as user types
- Clear visual feedback (colors, icons)

Don't:

- Disable paste (breaks password managers)
- Mask with asterisks only (use proper type)
- Auto-clear on failed submission
```

> **Pro tip:** Test your forms with a password manager. If it can't fill credentials correctly, users will choose weaker passwords or reuse them. Proper autocomplete attributes matter.

**Do I need CSRF protection if I use JWT?**

If JWTs are sent in Authorization headers, CSRF isn't possible (headers can't be set cross-origin). But if JWTs are in cookies, you still need CSRF protection.

**Honeypot vs CAPTCHA?**

Honeypots are invisible to users (better UX) but only catch dumb bots. CAPTCHAs stop sophisticated bots but hurt UX. Use honeypot first, add CAPTCHA only if spam persists.

## Further Reading

Want to understand the vulnerability before fixing it? These guides explain what's happening and why.

- [Understanding exposed API keys](/blog/vulnerabilities/exposed-api-keys)
- [How to hide API keys step-by-step](/blog/how-to/hide-api-keys)
- [Secret management best practices](/blog/best-practices/secrets)

Related articles:

- [Add CSRF Protection](/blog/prompts/add-csrf-protection): In-depth CSRF guide
- [Validate Client Input](/blog/prompts/validate-client-input): Form validation patterns

## Check Your Form Security

Scan your forms for missing protections. [Start Free Scan](/)