🔨 Build Your Form
Add steps and fields using the panels
Steps
Fields — Click to Add
📝 Text
📧 Email
📞 Phone
# Number
🗒 Textarea
Dropdown
🔘 Radio
☑️ Checkbox
📅 Date
📎 File Upload
🖼 Image Upload
👁‍🗨 Hidden
Heading
Paragraph
Divider
Select a field to edit its properties

🎨 Design & Styling

Choose the CSS mode and customize the visual appearance of your form.

🔀 CSS Mode
How your form gets its styles when embedded
🛡 Own CSS
Fully self-contained. Identical on any site, immune to external CSS.
🔗 Inherit from Site
Adopts your website's fonts, colors and spacing. Feels native.
🎨 Colors
Only active in Own CSS mode
🔤 Typography & Layout

⚙️ Form Settings

Form title, labels, submission behavior, and your website URL.

🌐 Deployment URL
Where smtp-handler.php will be hosted — used for CORS validation and as the fetch() target
Example: https://yoursite.com — the form will POST to https://yoursite.com/smtp-handler.php. Set this correctly for CORS and Origin validation on the server.
Where the form submits data. If the handler is in a subdirectory: forms/smtp-handler.php
📋 General
After Submission
🎛 Display Options
Show Progress Bar: visual progress bar between steps
Show Step Counter: "Step 1 of 3" text
Show Step Names: step labels in the progress bar
Animate Transitions: slide-in effect between steps
Scroll to Top on Step Change: auto-scroll the form to the top

📧 SMTP & Email

Configure email delivery. Generates a hardened smtp-handler.php with security built-in.

ℹ️ Upload smtp-handler.php + uploads/.htaccess to your server root. Requires PHP 7.4+. PHPMailer optional (auto-detected). Falls back to native mail().
🔌 SMTP Server
Gmail: smtp.gmail.com · Outlook: smtp.office365.com · SendGrid: smtp.sendgrid.net
✉️ Sender & Recipients
🔁 Auto-Reply to Submitter
🧪 Test
Download a test script to run on your real server
⚠️ SMTP cannot be tested from the browser (browsers cannot open connections to SMTP ports). Download smtp-test.php, upload it to your server, open it in a browser, then delete it immediately.

🔒 Security Configuration

Configure all security layers. Every setting below is baked into the generated PHP handler.

✅ FormCraft v3 implements OWASP Top-10 mitigations for contact forms. Review and configure each layer below.
🛡 Active Security Layers
Automatically included in every export; every layer below is ACTIVE.
CSRF Token Protection: PHP generates a signed token on page load. Every POST is verified against it. Prevents cross-site request forgery.
Honeypot Anti-Spam Field: Invisible field added to the form. Bots fill it automatically — submissions with it filled are silently rejected.
Rate Limiting (per IP): Max submissions per window configurable below. Stored in /tmp — no database needed.
Origin / Referer Validation: Requests from disallowed domains are rejected. Set your site URL in Settings for this to work.
Email Header Injection Prevention: All email fields are sanitized to remove newlines and special chars used for header injection attacks.
Input Sanitization & Length Limits: All inputs are stripped of HTML tags, escaped, and capped at max length to prevent XSS and buffer overflows.
Secure HTTP Headers: X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy added to every response.
File Upload Security (7-Layer Validation): Extension whitelist · MIME type via finfo · File size limit · PHP code scan · Image reprocessing via GD (strips EXIF/malicious payloads) · Secure random filenames · Upload folder protected by .htaccess (no PHP execution).
Path Traversal Protection: All file paths are resolved with realpath() and compared against the upload directory. ../ attacks are impossible.
No Credentials in Responses: SMTP credentials and server paths are never returned in API responses. Errors return generic messages.
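As an added illustration (not code from FormCraft's generated smtp-handler.php), here are two of the checks described above written as stand-alone PHP: the newline-stripping sanitizer behind Email Header Injection Prevention and the realpath() containment check behind Path Traversal Protection. Function names and the demo inputs are assumptions for this example.

```php
<?php
// Added example, not FormCraft's own handler code. Function names are assumed.

// Email Header Injection Prevention: remove CR, LF and NUL so a submitted value
// can never terminate the current mail header and start a new one (e.g. Bcc:).
function sanitizeHeaderValue(string $value, int $maxLen = 254): string {
    $value = str_replace(["\r", "\n", "\0"], '', $value);
    return substr(trim($value), 0, $maxLen);
}

// Validate Email Field Format: server-side check with FILTER_VALIDATE_EMAIL.
function isValidEmail(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Path Traversal Protection: resolve the candidate with realpath() and require
// the result to stay inside the upload directory. Returns the resolved path, or
// null when the file is outside that directory or does not exist. Intended for
// serving/deleting existing uploads; new uploads get random names instead, so
// no user-controlled path is ever used to write a file.
function resolveInsideUploadDir(string $uploadDir, string $userFilename): ?string {
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userFilename);
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo inputs (not real data).
$sender = "alice@example.com\r\nBcc: victim@example.org";  // header-injection attempt
$clean  = sanitizeHeaderValue($sender);                    // newlines removed
var_dump(isValidEmail($clean));                            // bool(false): rejected
var_dump(isValidEmail('alice@example.com'));               // bool(true)

$dir = sys_get_temp_dir() . '/formcraft-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/uploads', 0700, true);
file_put_contents($dir . '/uploads/ok.png', 'x');
file_put_contents($dir . '/secret.txt', 'x');
var_dump(resolveInsideUploadDir($dir . '/uploads', 'ok.png') !== null);         // bool(true)
var_dump(resolveInsideUploadDir($dir . '/uploads', '../secret.txt') === null);  // bool(true): blocked
```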
Rate Limiting
Max submissions per window. Recommended: 3–10 per window
Window length in seconds: 300 = 5 minutes. Set 3600 for stricter (hourly).
📁 File Upload Configuration
Max file size: PHP's upload_max_filesize must also be ≥ this value
Upload directory: created automatically. Protected by .htaccess.
Images are reprocessed via PHP GD — EXIF data and embedded malicious payloads are stripped automatically.
🔒 The generated uploads/.htaccess blocks ALL PHP/CGI execution inside the upload folder, preventing webshell attacks even if a malicious file slips through.
🔑 Additional Hardening
Log Blocked Attempts: write failed/suspicious requests to formcraft-blocked.log
Block Common SQL Injection Patterns: scans input for UNION, DROP, --, etc.
Block XSS Patterns in Input: rejects inputs containing <script>, javascript:, onerror= etc.
Validate Email Field Format: strict RFC 5322 regex + FILTER_VALIDATE_EMAIL on the server

📦 Export & Deploy

The ZIP contains all files needed for any platform, fully hardened and production-ready.

📦 Download ZIP
Full package: HTML + hardened PHP + .htaccess files + README. Upload and deploy.
🌐 HTML Snippet
Paste into any webpage. Self-contained with CSRF & honeypot.
🖼 iFrame Embed
Host form-embed.html and embed it as an iframe on any CMS.
🔷 WordPress
Gutenberg block, shortcode, or functions.php — all included.
🌊 Webflow / Wix
Paste into any custom embed or HTML widget block.
{ } JSON Config
Save/restore your builder configuration.
🔒 Security included automatically: CSRF token, honeypot field, rate limiting, file type validation, XSS/SQLi pattern blocking, secure HTTP headers, path traversal protection — all baked into the exported PHP handler.