@bernierllc/validators-form-transport
v0.3.2
Published
Form transport security validation primitive - HTTPS forms, autocomplete rules, secure cookies
Readme
@bernierllc/validators-form-transport
Form transport security validation primitive - validates HTTPS forms, autocomplete rules, secure cookies, and CSRF protection.
Installation
npm install @bernierllc/validators-form-transportUsage
import { validateFormTransport } from '@bernierllc/validators-form-transport';
import { createSharedUtils } from '@bernierllc/validators-utils';
const html = `
<form action="http://example.com/login" method="get">
<input type="text" name="password" />
</form>
`;
const utils = createSharedUtils();
const result = await validateFormTransport(html, {}, utils);
if (result.problems.length > 0) {
console.log('Form security issues found:');
result.problems.forEach((problem) => {
console.log(`- ${problem.message} (${problem.severity})`);
});
}API Reference
validateFormTransport(html, options?, utils)
Validates form transport security in HTML content.
Parameters:
html(string): HTML content to validateoptions(FormTransportOptions): Optional configurationutils(SharedUtils): Shared utilities from @bernierllc/validators-utils
Returns: Promise<ValidationResult> with problems and stats
createFormTransportValidator(options?)
Creates a configured form transport validator instance.
Parameters:
options(FormTransportOptions): Optional configuration
Returns: Validator instance with validate() and getMeta() methods
Example:
const validator = createFormTransportValidator({
checkHttpsAction: true,
checkCsrfToken: true,
allowLocalhostHttp: true, // Allow HTTP for localhost in development
});
const result = await validator.validate(html, utils);Configuration Options
FormTransportOptions
interface FormTransportOptions {
/**
* Check that forms with sensitive data use HTTPS action URLs
* @default true
*/
checkHttpsAction?: boolean;
/**
* Check that sensitive inputs have proper autocomplete attributes
* @default true
*/
checkAutocomplete?: boolean;
/**
* Check that sensitive input types are used correctly
* @default true
*/
checkSensitiveInputTypes?: boolean;
/**
* Check that forms with sensitive data use POST method
* @default true
*/
checkFormMethod?: boolean;
/**
* Check for presence of CSRF token in forms
* @default true
*/
checkCsrfToken?: boolean;
/**
* List of input names considered sensitive (case-insensitive)
* @default ['password', 'credit-card', 'cvv', 'ssn', 'pin', 'secret', 'token', 'api-key', 'auth']
*/
sensitiveInputNames?: string[];
/**
* List of CSRF token input names to look for
* @default ['csrf', 'csrf_token', 'csrf-token', '_csrf', 'authenticity_token', 'csrfmiddlewaretoken']
*/
csrfTokenNames?: string[];
/**
* Whether to allow HTTP for localhost/127.0.0.1 (development)
* @default true
*/
allowLocalhostHttp?: boolean;
}Validation Rules
1. HTTPS Form Action (form-transport/https-action)
Validates that forms with sensitive data use HTTPS action URLs.
Triggers:
- Forms with password input fields using HTTP action
- Forms with sensitive named inputs (credit-card, ssn, etc.) using HTTP action
- POST forms using HTTP action
Severity: error
Example:
// Bad - HTTP action
<form action="http://example.com/login" method="post">
<input type="password" name="password" />
</form>
// Good - HTTPS action
<form action="https://example.com/login" method="post">
<input type="password" name="password" />
</form>
// Good - Relative URL (inherits page protocol)
<form action="/login" method="post">
<input type="password" name="password" />
</form>2. Autocomplete Attribute (form-transport/autocomplete)
Validates that sensitive inputs have proper autocomplete attributes.
Triggers:
- Password fields missing autocomplete attribute
- Sensitive named fields missing autocomplete attribute
- Invalid autocomplete values
Severity: warn
Example:
// Bad - Missing autocomplete
<input type="password" name="password" />
// Good - Valid autocomplete
<input type="password" name="password" autocomplete="current-password" />
// Good - Autocomplete disabled
<input type="password" name="password" autocomplete="off" />3. Sensitive Input Types (form-transport/sensitive-input-types)
Validates that sensitive data uses appropriate input types.
Triggers:
- Password-named fields not using
type="password" - Credit card numbers using
type="number"instead oftype="text" - SSN fields using inappropriate types
- Email fields not using
type="email"
Severity: error (password), warn (others)
Example:
// Bad - Password field using text
<input type="text" name="password" />
// Good - Password field using password type
<input type="password" name="password" />
// Bad - Credit card using number type (removes leading zeros)
<input type="number" name="credit-card" />
// Good - Credit card using text with numeric inputmode
<input type="text" name="credit-card" inputmode="numeric" />4. Form Method (form-transport/form-method)
Validates that forms with sensitive data use POST method.
Triggers:
- Forms with password fields using GET method
- Forms with sensitive inputs using GET method
- Forms with sensitive data missing explicit method attribute
Severity: error
Example:
// Bad - GET method with password
<form method="get">
<input type="password" name="password" />
</form>
// Bad - No method (defaults to GET)
<form>
<input type="password" name="password" />
</form>
// Good - POST method
<form method="post">
<input type="password" name="password" />
</form>5. CSRF Token (form-transport/csrf-token)
Validates presence of CSRF protection token in forms.
Triggers:
- POST forms without CSRF token
- Forms with sensitive data without CSRF token
Severity: warn (POST forms), error (sensitive data forms)
Example:
// Bad - POST form without CSRF token
<form method="post">
<input type="text" name="data" />
</form>
// Good - CSRF token present
<form method="post">
<input type="hidden" name="csrf_token" value="abc123xyz" />
<input type="text" name="data" />
</form>
// Good - CSRF via meta tag (Rails style)
<head>
<meta name="csrf_token" content="abc123xyz" />
</head>
<form method="post">
<input type="text" name="data" />
</form>Examples
Basic Security Validation
const html = `
<form action="https://example.com/login" method="post">
<input type="email" name="email" autocomplete="email" />
<input type="password" name="password" autocomplete="current-password" />
<input type="hidden" name="csrf_token" value="secure-token" />
<button type="submit">Login</button>
</form>
`;
const result = await validateFormTransport(html, {}, utils);
// No problems - secure formCustom Sensitive Fields
const options = {
sensitiveInputNames: ['custom-secret', 'internal-token', 'api-credential'],
};
const html = `
<form method="post">
<input type="text" name="custom-secret" />
</form>
`;
const result = await validateFormTransport(html, options, utils);
// Detects custom sensitive fieldDevelopment Configuration
const options = {
allowLocalhostHttp: true, // Allow HTTP for local development
checkCsrfToken: false, // Disable CSRF check in dev
};
const html = `
<form action="http://localhost:3000/api/data" method="post">
<input type="text" name="data" />
</form>
`;
const result = await validateFormTransport(html, options, utils);
// Allows localhost HTTP, no CSRF requirementIntegration Status
- Logger integration: not-applicable - Pure validation function with no side effects. This primitive validator does not require
@bernierllc/loggeras it has no logging needs beyond error reporting via validation results. - Docs-Suite: ready - Markdown documentation with code examples
- NeverHub integration: not-applicable - Primitive validator with no service dependencies. This package does not require
@bernierllc/neverhub-adapteras it operates as a pure validation function with no need for service discovery or event bus capabilities.
See Also
- @bernierllc/validators-core - Core validation types and utilities
- @bernierllc/validators-utils - Shared utilities for validation
- @bernierllc/validators-secret-patterns - Secret pattern detection
- @bernierllc/validators-html-syntax - HTML syntax validation
License
Copyright (c) 2025 Bernier LLC. All rights reserved.