Hidden variable and url encryption | Community
Skip to main content
Answered

Hidden variable and url encryption

D

Hi, 

Thanks in advance. 

 

I’m developing a set of forms with quite complex logic that redirects across multiple different forms (e.g. 20+). Users will be submitting personal and sensitive information. 

Typeform is one part of our app stack, with the others being a separate front-end and back-end which receives webhook payloads. 

I’ve been using hidden variables like first_name, last_name and DOB from the first typeform attached to the redirecting urls but am concerned about the security / vulnerability of this. These hidden variables allows users to be tracked and data linked across multiple forms and via webhooks (so that users are not mixed up on our end).

My question is about optimising encryption and security, given that these identifying variables are in urls. Typeform says data are encrypted ‘in-transit’ but I assume this does not apply to these urls?

 

Is there anyway I can encrypt, then decrypt these variables in transit between forms or without them being ‘public’? Or creating some kind of unique user identifying number?

 

I’ve read some responses about cookies but am not familiar with how this could be used as a solution - if you have any hints or pointers for this, that would be amazing.

 

I basically need to track users across multiple forms (which I currently do with hidden variables but could change) based on sensitive info like name dob, email and potentially address in a way that is low-risk from a security and encryption perspective. 

 

Make sense?

 

Thanks, 

 

James

Best answer by mathio-tf

Hello @drjc 

you are correct that values in URL are potentially vulnerable. To address this we pass hidden fields via URL hash by default (eg. #name=John). URL hash is never sent to server by browser, therefore it is more secure than URL query parameters. We use this approach eg. in our embed library.

We still support passing hidden fields via URL query parameters for backward compatibility purposes, but if you are conscious about security and privacy I’d suggest to use URL hash for passing variables like this:

https://form.typeform.com/to/<id>#hidden_var=sensitive_value

View original

2 replies

Liz
Community Team
Forum|alt.badge.img+5
  • Liz
  • Tech Community Advocate
  • 14960 replies
  • June 15, 2023

Hi @drjc Thanks for stopping by the community! I’m afraid we don’t have anything within our builder that would help with encrypting data sent outside of Typeform, such as in the URL. 

@mathio do you have any recommendations as to where they could look for additional help with this? 

Life is a series of awkward moments separated by snacks.
mathio-tf
Typeform
Forum|alt.badge.img+5
  • mathio-tf
  • Typeform
  • 888 replies
  • Answer
  • June 20, 2023

Hello @drjc 

you are correct that values in URL are potentially vulnerable. To address this we pass hidden fields via URL hash by default (eg. #name=John). URL hash is never sent to server by browser, therefore it is more secure than URL query parameters. We use this approach eg. in our embed library.

We still support passing hidden fields via URL query parameters for backward compatibility purposes, but if you are conscious about security and privacy I’d suggest to use URL hash for passing variables like this:

https://form.typeform.com/to/<id>#hidden_var=sensitive_value

James
Liz
john.desborough
3 people like this
  • James
    James
  • Liz
    Liz
  • john.desborough
    john.desborough

Reply


Still need help?

Don't be shy and ask the community.

Ask your question here!
Community T&Cs