Pages Collecting PII with Forms Using GET report

This report provides information about the pages on your website that contain forms using the GET submission method to collect visitor information. For those pages that contain information that needs to be protected, change the submission method to use the POST method.

Why it matters

When a form is submitted using the GET method, data can be inadvertently transmitted to a third-party website, contravening the website's privacy policy. Essentially, the data is passed from the website visitor's computer to the server in a URL. The items entered into the form are contained within this URL in plain text, exposing the information to anyone who has access to the URL. When the GET method is used, these URLs (and the personal information they contain) remain in the browser history and server log. In many cases, the sharing of this information is unintentional. However, it can still lead to a serious breach of privacy, with the associated brand erosion and costly litigation. The risk is especially high when the region of the website where the form is located contains elements from third parties (for example, an ad banner or a web beacon).

When a form is submitted using the POST method, the submitted information is sent only to the server delivering the page content. A form using the GET method to submit data does not submit the data in a secure manner. If you must use the GET method, carefully review every web page where forms are submitted and make sure the referrer URLs sent for the images and links on that page are not unintentionally transmitting personal information.

How the GET method is triggered

The HTML source code is scanned for forms with this syntax: method="get". If no method is present on a form, the scan will assume it is a GET method, because the method attribute only has one of two values: GET or POST. GET is the default, so if the document author does not include the method attribute in the form tag, "method=get" will be assumed.
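The rule described above can be reproduced locally before the report runs. The following is an added example, not the report's own scanner: the `PII_TYPES` and `PII_HINTS` heuristics, the function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: heuristics for "personal" fields; tune for your own site.
PII_TYPES = {"email", "tel", "password"}
PII_HINTS = ("name", "email", "phone", "address", "ssn", "birth")

class GetFormScanner(HTMLParser):
    """Flags forms whose effective method is GET and that hold PII-like fields."""
    def __init__(self):
        super().__init__()
        self.findings, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            raw = a.get("method")
            method = (raw or "").lower()
            # Missing or unrecognised values fall back to GET; "dialog" sends no request.
            effective = method if method in ("post", "dialog") else "get"
            self._form = {"name": a.get("name") or a.get("id") or "(unnamed)",
                          "declared": raw, "method": effective, "pii": []}
        elif self._form and tag in ("input", "textarea", "select"):
            field = (a.get("name") or "").lower()
            ftype = (a.get("type") or "text").lower()
            if ftype in PII_TYPES or any(h in field for h in PII_HINTS):
                self._form["pii"].append(a.get("name") or ftype)

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["method"] == "get" and self._form["pii"]:
                self.findings.append(self._form)
            self._form = None

def scan(html):
    scanner = GetFormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: default GET, explicit GET, POST, and GET without PII.
SAMPLE = """
<form name="newsletter" action="/subscribe"><input type="email" name="addr"></form>
<form id="callback" method="GET"><input name="phone_number"><input name="full_name"></form>
<form name="signup" method="post"><input type="email" name="email"></form>
<form name="search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["name"], "declared method:", f["declared"], "fields:", f["pii"])
```

A `declared` value of `None` marks a form that is GET only by default, which is the case most easily missed in code review.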

Remediation and best practices for using POST/GET methods

  • Wherever possible, use the POST method of form submission.
  • If you must use the GET method, make sure that the URLs of web pages that contain data entry forms are not capturing personal information submitted by the user.
  • Use a meaningful name for each form.
  • Use the HTTPS protocol on pages with forms.