I'm working on securing a form that is used for gathering info for online insurance quotes. The problem we've been having is that some insurance agents and rating services have been stealing our form and trying to use it on their sites. Well, there is info that we use to automatically populate certain hidden variables used in the form handling script. And as each page in the form is assembled from a number of CFCs and CFM includes, just yanking the HTML pages served creates a mess on their sites, but a mess that is not apparent to them until later when they try to issue a policy based on the quote and their info is not producing the results they expect, as data mismatches and rules violations are thrown when sent for final quoting. We've already been able to track when agents we know who have been using such pages do so, but it has come to our attention that this is a more widespread problem than we had originally thought. On the other end, we are working on ways to clean up and validate the data, but it would help if we could stop this on the front end as well.

Since we can't hide the HTML code served without buying HTML page encryption software, we have considered a number of strategies to try to track or stop unknown users. They boil down to two possibilities:
1. Create a random string as a token to be stored in a database table. Populate a hidden field with it. The token can only be used once. If detected in subsequent requests, stop the transaction.
2. Pass the page name of the template containing the form (used as a cfinclude in the page serving the form) as a session or request variable. Use this to authenticate the transaction.

Is there anything that might work better than either of these?

4 Years
Discussion Span
Last Post by mmonclair

If I had such problem I'd create the form with JavaScript. Then during the form creation I'd make ajax calls to the server that validate if the form can or can't be created, here you could insert the idea of a unique key generated by the server.

So it would be something like this:
1. Page HTML loaded (only with basic stuff)
2. JavaScript form script loaded dynamically with the Unique Key inserted in the middle of it (not as a parameter and to make it even harder you could split the key into separete variables and use a complex algorithm to join them before sending to the server)
3. JavaScript will make ajax calls to the server to validate if it can or can't create the form.

This way if someone try to copy your site they won't even see the form, because JS won't execute because of the security.

To make even better, after you create the form script use a minifier/obfuscator to make the code almost unredable. The only detail that you would need to take care is that you need to know where to insert the dinamically generated key into the script before sending it to the html.

Another way, that can be make in addition to this one, if the user is in another page of your site before going to the form page, you could use the before page to insert cookies into the browser and them in the form page validate if the user came from your site.

But in the end is like this, over the web you can't stop anyone for copying your html/css/js, you can only make it difficult, very very difficult some times =)


Thanks. Not being able to stop someone from copying our code, I figured I'd make it impossible for them to use it when they do copy it. The approach you mention is similar to what we already do to assemble the form, with a combination of Javascript and CF components. We don't authenticate every user, which is what would make this work, and doing so would take a business decision (which could take a really long time to get approved). However, we can have the handler script check to see what page is calling it. But I'm not sure if this is the best way to go about it.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.