I'm working on securing a form that is used for gathering info for online insurance quotes. The problem we've been having is that some insurance agents and rating services have been stealing our form and trying to use it on their sites. Well, there is info that we use to automatically populate certain hidden variables used in the form handling script. And as each page in the form is assembled from a number of CFCs and CFM includes, just yanking the HTML pages served creates a mess on their sites, but a mess that is not apparent to them until later when they try to issue a policy based on the quote and their info is not producing the results they expect, as data mismatches and rules violations are thrown when sent for final quoting. We've already been able to track when agents we know who have been using such pages do so, but it has come to our attention that this is a more widespread problem than we had originally thought. On the other end, we are working on ways to clean up and validate the data, but it would help if we could stop this on the front end as well.
Since we can't hide the HTML code served without buying HTML page encryption software, we have considered a number of strategies to try to track or stop unknown users. They boil down to two possibilities:
1. Create a random string as a token to be stored in a database table. Populate a hidden field with it. The token can only be used once. If detected in subsequent requests, stop the transaction.
2. Pass the page name of the template containing the form (used as a cfinclude in the page serving the form) as a session or request variable. Use this to authenticate the transaction.
Is there anything that might work better than either of these?
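Added example (not code from the question; the asker's ColdFusion handlers are not shown here): a Python sketch of option 1, the single-use hidden-field token. An in-memory dict stands in for the database table, the token is bound to the visitor's session and given an expiry, and it is removed on first use so any replay from a copied form is rejected. `FakeClock`, the session ids and the result strings are constructed for the example.

```python
import hmac
import secrets
import time


class FakeClock:
    """Constructed, injectable clock so expiry can be demonstrated without sleeping."""

    def __init__(self, start):
        self.t = float(start)

    def __call__(self):
        return self.t


class FormTokenStore:
    """Single-use form tokens. The dict stands in for the DB table in option 1."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._tokens = {}          # token -> (session_id, issued_at)
        self.ttl = ttl_seconds
        self.clock = clock

    def issue(self, session_id):
        # 32 random bytes from the OS CSPRNG; unguessable, so a copied page
        # cannot fabricate a valid value.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, self.clock())
        return token

    def redeem(self, session_id, token):
        # pop() removes the token whatever the outcome: one use, ever.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return "unknown_or_replayed"
        owner, issued_at = entry
        # Constant-time comparison; the token must belong to this session.
        if not hmac.compare_digest(owner.encode(), session_id.encode()):
            return "wrong_session"
        if self.clock() - issued_at > self.ttl:
            return "expired"
        return "ok"


def render_form(store, session_id):
    """Return the hidden field the form template would include (constructed markup)."""
    token = store.issue(session_id)
    return f'<input type="hidden" name="form_token" value="{token}">'


def handle_submit(store, session_id, posted_fields):
    """Form handler: stop the transaction unless the token redeems as 'ok'."""
    token = posted_fields.get("form_token", "")
    return store.redeem(session_id, token)


def demo():
    """Walk through issue, use, replay, cross-session use and expiry."""
    clock = FakeClock(1000.0)
    store = FormTokenStore(ttl_seconds=60, clock=clock)
    results = []

    token = store.issue("sess-A")
    results.append(handle_submit(store, "sess-A", {"form_token": token}))  # ok
    results.append(handle_submit(store, "sess-A", {"form_token": token}))  # replay

    token = store.issue("sess-A")
    results.append(handle_submit(store, "sess-B", {"form_token": token}))  # other session

    token = store.issue("sess-A")
    clock.t += 61
    results.append(handle_submit(store, "sess-A", {"form_token": token}))  # expired

    results.append(handle_submit(store, "sess-A", {}))                      # no token
    return results


if __name__ == "__main__":
    print(demo())
```

The same shape carries over to a CFC: issue the token when the form page is assembled, store it with the session id and timestamp, and have the handler delete the row in the same statement that checks it, so two concurrent submissions of a stolen page cannot both succeed.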
So it would be something like this:
1. Page HTML loaded (only with basic stuff)
This way, if someone tries to copy your site they won't even see the form, because the JS won't execute because of the security.
To make it even better, after you create the form script, use a minifier/obfuscator to make the code almost unreadable. The only detail you would need to take care of is that you need to know where to insert the dynamically generated key into the script before sending it to the HTML.
Another way, which can be done in addition to this one: if the user is on another page of your site before going to the form page, you could use the previous page to insert cookies into the browser and then, in the form page, validate whether the user came from your site.
But in the end it's like this: over the web you can't stop anyone from copying your HTML/CSS/JS, you can only make it difficult, very very difficult sometimes =)
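Added example (not the answerer's code): the "came from our site" cookie from the answer above, done in Python. The earlier page sets a cookie carrying the session id and an issue time, signed with a server-side HMAC key, and the form page refuses to render unless the signature verifies, the session matches and the cookie is fresh. The key, session ids and result strings are constructed for the example; a real deployment loads the key from configuration and marks the cookie `HttpOnly`/`Secure`.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed for the example. In production this comes from configuration,
# never from the page, because the copied HTML would otherwise carry it too.
SECRET_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_origin_cookie(session_id, now, key=SECRET_KEY):
    """Set on the page before the form: payload.signature, both base64url."""
    payload = json.dumps({"sid": session_id, "iat": int(now)},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_origin_cookie(cookie, session_id, now, max_age=600, key=SECRET_KEY):
    """Check on the form page. Signature first, then binding, then freshness."""
    try:
        p, s = cookie.split(".", 1)
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad_signature"          # forged or made with another key
    data = json.loads(payload)          # authentic bytes, safe to parse now
    if data.get("sid") != session_id:
        return "session_mismatch"       # cookie lifted from a different visitor
    if now - data.get("iat", 0) > max_age:
        return "stale"                  # sat around too long; re-enter via the site
    return "ok"


def form_page(cookies, session_id, now):
    """Decide whether the form template is included at all."""
    verdict = verify_origin_cookie(cookies.get("origin", ""), session_id, now)
    return verdict == "ok", verdict


def demo():
    now = 1_700_000_000
    cookie = mint_origin_cookie("sess-A", now)
    return [
        form_page({"origin": cookie}, "sess-A", now + 5)[1],                          # ok
        form_page({"origin": cookie}, "sess-B", now + 5)[1],                          # session_mismatch
        form_page({"origin": cookie}, "sess-A", now + 601)[1],                        # stale
        form_page({"origin": mint_origin_cookie("sess-A", now, b"other")}, "sess-A", now)[1],  # bad_signature
        form_page({}, "sess-A", now)[1],                                              # malformed
    ]


if __name__ == "__main__":
    print(demo())
```

Unlike the single-use token, this check is stateless, so it needs no table, but it only proves the browser passed through an earlier page on the site; pairing it with the one-time token covers both the copied-page case and the replayed-submission case.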