Home / Tools / Fix forms that submit over plain HTTP
Content & Files · Scan Check Guide

Fix forms that submit over plain HTTP

15 min Impact: high Effort: low ✓ Scan-verified — no manual checkbox

A form on an HTTPS page that submits its data to a plain HTTP endpoint sends everything the visitor typed — including passwords or payment details — over an unencrypted connection, even though the page itself looked secure with a padlock icon.

A form whose action posts to http:// instead of https:// sends whatever the visitor typed — including passwords — across the network in plain text, readable by anyone on the same network.

How to fix it

  1. 1
    Check every form's action attribute
    Look at each <form> tag's action URL — confirm it starts with https://, not http://.
  2. 2
    Fix any found
    Update the form action to point to the https:// version of the same endpoint.
  3. 3
    Check forms that submit to third-party services too
    Newsletter signups, payment forms, and embedded widgets sometimes submit to an external service — confirm that endpoint is also HTTPS.

Common mistakes

How you'll know it's done

Every form on the site submits its data to an HTTPS endpoint.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →