Security/SSL options.

Excellent! As for the exclusion/inclusion concept: we have VERY long forms in some cases (the admissions application, for instance) and it would be incredibly painful to *include* each applicable field vs. *excluding* the 2 or 3 that may need to be left out of the email.

Just food for thought.

Bumping again. I have forms that need SSN submitted...having to use old ugly form system on second server to accomplish. Blech.

Exactly, the only addition would be that the form would need to submit via the https:// url as well.

That would rock a lot. I'm pushing to get WP/MU also SSL friendly in much the same way, an SSL URL in settings and a per-page/post "force ssl" option.

illinoisharley

Is this self contained to your site if implemented....data is not redirected somewhere else to have https? Any certificates needed on the host?

Any development news on this topic?

Does somebody have a link for a handy instruction on how to force ssl on a single form site via .htaccess?

This thread seems to address exactly what I need to do. I have a client who wanted a housing rental application form that collects SSN, income and credit info. I have installed the WPSSL plugin to handle redirects and I have made modifications to the files so that all calls to javascript, css and images are to the https versions, so my page is showing as secure (padlock icon verifies).

What do I need to do to make sure the data is SUBMITTED securely? Or will it be submitted securely since the page is secure? I know I don't need to include any sensitive fields in the notification email. Anything else?

Would love to have fields flagged to be stored encrypted in database. SSL is good when submitting SSN & other sensitive info, but it should never be stored in plain-text in database.

@carl - thank you sir!

Okay... maybe a step-by-step was a lot to ask.

I suppose the biggest curiosity is with encrypting a form field and keeping it safe from prying eyes when viewing it in the WP admin.

Would i need to do anything special within the Gravity Form I create or would it all rely on how the database field is set up?

Just trying to figure out if doing this with GF (1.5) is really more trouble than it's worth at this release point (i.e. if too many things could go wrong, etc).

If so then I could use Wufoo for this specific client but would much rather use GF if all that's needed are a few tweaks.

Thanks! - Alex

@Carl,

Thanks for the follow up! (it was filtered so just now seeing it;)

Let me see if I have this correct before I get too excited.

Are you saying that once the 1.5 release is available encrypting and decrypting GF form fields can be accomplished via GF API hooks?

If so, would the scenario be something like:

Create the form
Use GF API hooks in functions.php to intercept specifically named form fields (on submission) on that specific form id that needs encrypting and decrypting goodness
Rinse and repeat as needed

Am I on the right track or...?

Thanks for clarifying! - Alex

I have an SSLs on most of my WP sites (especially one that is ecommerce) or process form data. My WP login is also https:// and not the standard http:// and this was advised to me from PHPoet guys (makers of PHPurchase) when I tried hard to get the SSL to work in their shopping cart plugin for one site. I was told it was best to use https:// for the WP login (I forget the reason why as told to me). I had one issue in which the lock was unbroken on the SSL and that was because a Google API was using the http:// and all I had to do was go into the Editor and add the "s" since Google also hosted an https:// version of that API. I bought my SSLs from Godaddy.com (Starfield Technologies) and paid about $13 a piece for each one. If you search you can find discount codes or affiliate marketing links that give you these discounts. Get one and load it onto your web host, that is an experience in itself. I use RackSpace Cloud Sites and they walked me through it all including how to find complete documentation on forcing SSL, etc. from their knowledge base (they also just did it for me over the phone and walked me through it so I knew how to do it again). It's not hard once you do it a few times, takes me about 45 minutes to install one now and I must have at least 10.

I've just downloaded 1.5RC4 and I don't see where/how to encrypt fields; has this been pushed to another release?

Carl, makes total sense; an Add-On is definitely the way to go (count me in as an interested user!).

@blueprintds - any chance you could share how you set-up the encryption/decryption per field?

I wanted to throw our hat in as a group who really needs more secure methods in place for using Gravity Forms.

The SSL business is excellent, but in addition to that we require logging capabilities too. That is, the ability to track who viewed a [sensitive] submitted entry (and that log has to be encrypted, too).

Can anyone recommend a GF developer who can create a secure form?

I have a mortgage and loan client who is in need of an application that requires sensitive information. The application will be sent from his website to the main Mortgage company for review.

Am I right in assuming that, at this point, gravity forms does not have encryption security for the transfer of all data using e-mail notification? Is there some way that can be done?

hey Scott

you posted this:

have to play with the setting a bit and if using chrome will need to clear cookies and close and reopen browser after making changes
http://logoicons.s3.amazonaws.com/httpssettings.png

where are you getting these settings? not showing up in my wordpress at all!

yes. when I go to it - it says "You do not have sufficient permissions to access this page."

I created the damn site!

doesn't make sense. I have full control over the site...

Anything new on being able to encrypt fields as an add on?