Among 500 Top Domains, 0% of Assessed Contact Forms Met Our Full Security Standard
2026 contact-form security study
0 of 20 unique contact-form implementations met every observable control in our full standard. This is a strict “demonstrated secure” result, not proof that every form is exploitable.
How strict “secure” is
The full standard requires every public signal we could check. The loosest definition only asks whether the form appears to submit safely (HTTPS page, HTTPS destination, POST). The headline number uses the full standard.
Full standard: the form showed every public sign we would want before calling it secure: safe submission, no other-domain scripts in the form frame, no early data transmission, minimal required identity, browser guardrails, retention clarity, and browser-side or end-to-end encryption evidence.
Legend: what the terms mean
POST (submission route): a form submission method that puts submitted values in the request body.
This is safer than GET for sensitive text because GET can put values in the URL, where they can appear in browser history, server logs, referrer headers, analytics, and screenshots.
Submission destination (form action): the URL the browser sends the form to after someone clicks send.
A page can be HTTPS while the form points somewhere else. We checked the page and the destination separately.
Other-domain script: JavaScript loaded from a different registrable domain while the form is on screen.
If that script runs in the same frame as the textarea, it can technically read what a person types.
Early data transmission (pre-submit leak): a network request containing a synthetic value after typing but before clicking send.
The user has not consented to submit yet. In this run, we saw one cross-site pre-submit leak: an email value sent to a HubSpot email-check endpoint.
Browser guardrails (CSP): Content Security Policy, a rule set the site sends in a response header and the browser enforces.
`form-action` limits where the form may submit. `frame-ancestors` limits who may embed the page.
Encryption evidence: public evidence that the message is encrypted in the browser to the recipient, not just protected by HTTPS on the way to the server.
HTTPS does not prove the server stores ciphertext or that staff, vendors, logs, or backups cannot read the message.
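Three of the controls in the legend (submission route, other-domain scripts, CSP guardrails) can be judged from a fetched page and its response headers without typing anything into the form. The Node.js script below is an added example written for this page, not the study's own tooling. The page URL, HTML, headers and vendor hostnames it audits are constructed for illustration, and its registrable-domain logic is a two-label approximation that a real audit would replace with the Public Suffix List.

```javascript
// Added example, not the study's code: a static audit of the submission route,
// other-domain scripts, and CSP form-action / frame-ancestors controls.
// The sample page, HTML and headers below are constructed, not captured.

// Naive registrable-domain approximation: last two DNS labels. Replace with a
// Public Suffix List lookup in real use ("example.co.uk" breaks this heuristic).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Pull one attribute value out of a single opening tag.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Route check: HTTPS page, HTTPS destination, POST. A missing action resolves
// to the page URL; a javascript: action has no checkable destination and fails.
function checkRoute(pageUrl, formTag) {
  const page = new URL(pageUrl);
  const method = (attr(formTag, 'method') || 'get').toLowerCase();
  const action = attr(formTag, 'action');
  let destination = null;
  if (action === null || action === '') destination = page;
  else if (!/^\s*javascript:/i.test(action)) destination = new URL(action, page);
  const pageHttps = page.protocol === 'https:';
  const destinationHttps = destination !== null && destination.protocol === 'https:';
  const post = method === 'post';
  return {
    pageHttps, destinationHttps, post,
    destination: destination && destination.href,
    pass: pageHttps && destinationHttps && post,
  };
}

// Other-domain scripts: every <script src> whose registrable domain differs
// from the page's. Inline and same-domain scripts are not counted.
function otherDomainScriptHosts(pageUrl, html) {
  const page = new URL(pageUrl);
  const hosts = new Set();
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attr(tag, 'src');
    if (!src) continue;
    const host = new URL(src, page).hostname;
    if (registrableDomain(host) !== registrableDomain(page.hostname)) hosts.add(host);
  }
  return [...hosts];
}

// CSP check: both directives must be present and not wildcarded. Only the
// response header counts; browsers ignore frame-ancestors in a <meta> tag.
// Scheme-only sources such as "https:" still pass here, so review them by hand.
function checkCsp(headers) {
  const raw = headers['content-security-policy'] || '';
  const directives = {};
  for (const part of raw.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  const restricted = (d) =>
    Array.isArray(directives[d]) && directives[d].length > 0 && !directives[d].includes('*');
  const formAction = restricted('form-action');
  const frameAncestors = restricted('frame-ancestors');
  return { formAction, frameAncestors, pass: formAction && frameAncestors };
}

function auditPage(pageUrl, html, headers) {
  const formTag = (html.match(/<form\b[^>]*>/i) || [''])[0];
  const route = checkRoute(pageUrl, formTag);
  const scripts = otherDomainScriptHosts(pageUrl, html);
  const csp = checkCsp(headers);
  return { route, scripts, csp, pass: route.pass && scripts.length === 0 && csp.pass };
}

// Constructed sample: an HTTPS contact page whose form posts over HTTPS to a
// vendor, with one first-party script and one analytics script from elsewhere.
const SAMPLE_PAGE = 'https://www.example.com/contact';
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.net/tag.js"></script>
</head><body>
<form method="post" action="https://forms.vendor-example.com/submit">
  <textarea name="message"></textarea>
</form></body></html>`;
const SAMPLE_HEADERS = {
  'content-security-policy':
    "default-src 'self'; form-action 'self' https://forms.vendor-example.com; frame-ancestors 'none'",
};

console.log(JSON.stringify(auditPage(SAMPLE_PAGE, SAMPLE_HTML, SAMPLE_HEADERS), null, 2));
```

On the constructed sample the route and CSP checks pass but the overall verdict is still a fail, because one other-domain script sits in the form frame. That is the shape of most rows in the table below: not a broken transport, but a third party in a position to read the textarea.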
Control-by-control results
Each row below is a yes/no control. A passing count means the control was visible from the browser during this run, not that the site passed a private architecture review.
What the data says for each control
Only 11 forms passed all three basic route checks: HTTPS page, HTTPS destination, and POST.
Nine forms used GET or a JavaScript-only action. We did not submit the forms, so this is a route-quality finding, not proof that any user data was actually placed in a URL during our run.
Nineteen forms loaded at least one other-domain script in the same frame as the form.
Examples included Google Tag Manager, HubSpot, Marketo, Adobe, Yandex, New Relic, PostHog, Trustpilot, LiveChat, Microsoft CDN hosts, and bot/captcha services. One form, GOV.UK, had zero other-domain scripts in the form frame.
One form transmitted a synthetic value before the user clicked send.
MediaTek sent the synthetic email field to `forms.hsforms.com/emailcheck/v1/json-ext` using an XHR POST request. We did not observe the synthetic message body, name, or phone number sent cross-site before submit.
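The pre-submit check above can be evaluated from a captured network log once the typed values carry a recognisable marker. The script below is an added example, not the study's own code: the request-log shape, the `phase` tag and the hostnames are assumptions, and the log entries are constructed. In a real run the entries would come from a browser automation tool's request events, with everything captured before the send click tagged `before-submit`.

```javascript
// Added example, not the study's code: flag cross-site requests that carry a
// synthetic typed value before the user clicks send. The request log below is
// constructed; the { phase, method, url, body } shape is an assumption.

// Same two-label approximation as a real audit would replace with the
// Public Suffix List.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Vendors serialise fields differently, so match the raw value as well as its
// URL-encoded and JSON-escaped forms.
function encodings(value) {
  return new Set([value, encodeURIComponent(value), JSON.stringify(value).slice(1, -1)]);
}

function findPreSubmitLeaks(pageUrl, syntheticFields, requests) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const leaks = [];
  for (const req of requests) {
    if (req.phase !== 'before-submit') continue;          // only pre-click traffic counts
    const host = new URL(req.url).hostname;
    if (registrableDomain(host) === pageDomain) continue;  // same-site autosave is not cross-site
    const haystack = `${req.url}\n${req.body || ''}`;
    for (const [field, value] of Object.entries(syntheticFields)) {
      for (const enc of encodings(value)) {
        if (haystack.includes(enc)) {
          leaks.push({ field, host, method: req.method });
          break;
        }
      }
    }
  }
  return leaks;
}

// Synthetic values use a marker that will not occur naturally, so a hit is
// unambiguous. The .invalid TLD guarantees the address can never be delivered.
const PAGE = 'https://www.example.com/contact';
const SYNTHETIC = {
  email: 'probe-7f3a9c@study-marker.invalid',
  name: 'Probe 7f3a9c Name',
  message: 'probe-7f3a9c message body',
};

// Constructed log: a same-site draft autosave, a cross-site email check fired
// on blur before the click, an analytics beacon, and the real submit.
const REQUESTS = [
  { phase: 'before-submit', method: 'POST', url: 'https://www.example.com/api/draft',
    body: JSON.stringify({ message: SYNTHETIC.message }) },
  { phase: 'before-submit', method: 'POST', url: 'https://forms.vendor-example.com/emailcheck',
    body: JSON.stringify({ email: SYNTHETIC.email }) },
  { phase: 'before-submit', method: 'GET', url: 'https://cdn.analytics-vendor.net/collect?page=%2Fcontact',
    body: '' },
  { phase: 'after-submit', method: 'POST', url: 'https://forms.vendor-example.com/submit',
    body: new URLSearchParams(SYNTHETIC).toString() },
];

console.log(findPreSubmitLeaks(PAGE, SYNTHETIC, REQUESTS));
```

Only the email check is reported: the draft autosave goes to the page's own domain, the analytics beacon carries no typed value, and the submit happens after consent. That is the same distinction the study draws between the one MediaTek finding and the vendor traffic every other form generated.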
Three forms required high-risk identity fields such as phone number, business email, company, or detailed business profiling.
This matters because the safest sensitive-intake path should let someone ask for help without first disclosing more identity than the task requires.
Only two forms locked the submit destination with CSP `form-action`; thirteen limited framing with `frame-ancestors`.
These headers are not encryption. They are defense-in-depth rules that reduce the blast radius of mistakes, injected code, and unauthorized embedding.
Only three forms surfaced retention or deletion language on the assessed page.
A privacy link in the footer is not the same as telling a sensitive sender how long the message persists, who can access it, and how deletion works.
No assessed form published specific browser-side or end-to-end encryption evidence.
The test cannot prove plaintext storage from the outside. It can show whether the page gives a sender evidence that plaintext will not be readable by the receiving server or its vendors.
Explore every assessed implementation
“Pass” means that specific control was visible and satisfied in the browser. “No” means the control was missing or not demonstrated. For early data transmission, “Pass” means our synthetic values were not observed in cross-site requests before submit.
20 implementations shown.
| Rank / domain | Submission route | Other-domain scripts in form frame | Typed data sent early | Required identity | Browser guardrails (CSP) | Retention explained | Encryption evidence | Full standard |
|---|---|---|---|---|---|---|---|---|
| #45 skype.com | Does not pass: a route check failed | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #6 microsoft.com | Does not pass: a route check failed | 3 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #88 workers.dev | Does not pass: a route check failed | 7 hosts | Passes: none observed | Does not pass: phone or detailed business identity required | Passes: form-action and frame-ancestors set | Does not pass | Does not pass | Does not pass |
| #116 b-cdn.net | Does not pass: a route check failed | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #190 cnn.com | Does not pass: a route check failed | 4 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Passes: lifecycle language on page | Does not pass | Does not pass |
| #230 nist.gov | Passes: HTTPS page + HTTPS destination + POST | 4 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #234 ubuntu.com | Passes: HTTPS page + HTTPS destination + POST | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #240 stripe.com | Passes: HTTPS page + HTTPS destination + POST | 1 host | Passes: none observed | Does not pass: phone or detailed business identity required | Passes: form-action and frame-ancestors set | Does not pass | Does not pass | Does not pass |
| #245 meraki.com | Passes: HTTPS page + HTTPS destination + POST | 3 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #292 www.gov.uk | Passes: HTTPS page + HTTPS destination + POST | 0 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #358 quickconnect.to | Passes: HTTPS page + HTTPS destination + POST | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Passes: lifecycle language on page | Does not pass | Does not pass |
| #364 selectel.ru | Does not pass: a route check failed | 1 host | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #381 plesk.com | Passes: HTTPS page + HTTPS destination + POST | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #385 tp-link.com | Passes: HTTPS page + HTTPS destination + POST | 3 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #400 zendesk.com | Does not pass: a route check failed | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Passes: lifecycle language on page | Does not pass | Does not pass |
| #410 cloudns.net | Passes: HTTPS page + HTTPS destination + POST | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #414 netangels.ru | Does not pass: a route check failed | 4 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #429 steamcommunity.com | Does not pass: a route check failed | 2 hosts | Passes: none observed | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #481 mediatek.com | Passes: HTTPS page + HTTPS destination + POST | 8 hosts | Does not pass: synthetic email sent to forms.hsforms.com before submit | Passes: none required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |
| #491 paloaltonetworks.com | Passes: HTTPS page + HTTPS destination + POST | 6 hosts | Passes: none observed | Does not pass: phone or detailed business identity required | Does not pass: form-action, frame-ancestors, or both missing | Does not pass | Does not pass | Does not pass |

“Retention explained” fails mean no form-specific lifecycle language was found on the assessed page; “Encryption evidence” fails mean no browser-side or end-to-end encryption evidence was found. The “Other-domain scripts” column counts distinct other-domain hosts whose scripts ran in the form frame.
The short answer is stark: 0% of the contact-form implementations we could assess demonstrated every control in our observable security standard.
The practical answer is more specific: most forms were not failing one exotic cryptography test. They were failing ordinary intake hygiene that a non-expert can understand.
- 19 of 20 forms gave other-domain JavaScript access to the form frame. This does not prove those scripts collected the message, but it means they had the technical position to read what a person typed.
- 9 of 20 forms failed the full submission-route check. Every form page used HTTPS, but only 11 also submitted to an HTTPS destination with POST; the other nine used GET or a JavaScript-only action.
- 1 of 20 forms sent typed data before submit. MediaTek’s form sent the synthetic email address to HubSpot’s `forms.hsforms.com/emailcheck/v1/json-ext` endpoint before we clicked send. We did not observe the synthetic message body, name, or phone number sent cross-site before submit.
- 17 of 20 forms avoided required high-risk identity fields. Three required fields such as phone number or detailed business identity before a user could complete the form.
- 2 of 20 forms locked the submit destination with CSP `form-action`; 13 limited framing with `frame-ancestors`. Only the two that set both passed the guardrail control.
- 3 of 20 forms surfaced retention or deletion language on the assessed page.
- 0 of 20 forms published specific evidence of browser-side or end-to-end message encryption. HTTPS is useful, but it does not prove ciphertext storage or recipient-only access.