Secure Contact Form

Choosing a CMS

In a previous post I mentioned why this blog was created. This post presents how its contact form works.

At first, I quickly searched for blogging software that would suit my needs and found Hugo. I like the idea of a static website because:

  • Generated files are static - They load faster than pages built from a database. There is no database that can fail on you (except the hard-drive of the server).
  • Static sites don’t really require maintenance - In a dynamic site you would have to maintain an up-to-date server unless you want to get hacked by some old vulnerability.
  • Static sites are cheap! - If you had to host a website with server-side logic, a VPS or shared hosting would be required. The free ones usually have their catches (like forced ads). On the other hand, static site hosting can be found for free, just like this blog - It’s hosted on GitHub Pages.

After deciding to go with Hugo, I looked at code samples and existing themes/templates. I found that some of them offer a Contact sheet with a form (wait? what? but it’s static!!)

Adding a Contact Form

Apparently there is a service called They allow you to send forms to their server - And they send it to your e-mail. Yay! my contact form works!!!

They avoid spamming by sending you a confirmation e-mail the first time.

There’s just one problem: I’m a paranoid person. I don’t like my data handled by third parties.

Protecting a Contact Form

I don’t know who’s behind (no offense, just heard of it recently), and don’t want people sending them data while thinking that I’m the only recipient.

My approach to protecting information was to add JavaScript that encrypts messages. Messages would be submitted by the user, encrypted and then sent to

How It’s done

  1. Get your PGP public key: gpg --export --armor KEYID > my_public_key.asc
  2. Prepare the exported public key to be loaded into a JavaScript string: replace new lines with ‘\n’.
  3. Write code that parses your public key when the page loads.
  4. When the form is submitted, get the data and submit it with AJAX.

The downside of this approach shows up when JavaScript isn’t enabled: in such a case would receive unencrypted data.
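Step 2 is the easiest place to damage the key: a lost blank line or an over-escaped "\n" leaves a string that a PGP library may reject in step 3. The check below is an added example, not code from this blog; it validates the armor framing and the CRC-24 line (assumed present, as in gpg's armored export) before the key is parsed. `checkArmoredKey`, `makeSampleArmor` and the sample bytes are names and data constructed for illustration.

```javascript
// Added example (not the blog's code). Assumes the armor carries a CRC-24 line.
const CRC24_INIT = 0xB704CE, CRC24_POLY = 0x1864CFB; // RFC 4880, section 6.1
function crc24(bytes) {
  let crc = CRC24_INIT;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= CRC24_POLY;
    }
  }
  return crc & 0xFFFFFF;
}

// atob/btoa are available in browsers and in Node 16+.
const toBytes = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
// Returns { ok: true, bytes } or { ok: false, reason }.
function checkArmoredKey(armored) {
  const lines = armored.trim().split('\n').map((l) => l.trimEnd());
  const fail = (reason) => ({ ok: false, reason });
  if (lines.length < 2) return fail('no real line breaks in the string');
  if (lines[0] !== '-----BEGIN PGP PUBLIC KEY BLOCK-----') return fail('bad header line');
  if (lines[lines.length - 1] !== '-----END PGP PUBLIC KEY BLOCK-----') return fail('bad footer line');
  const blank = lines.indexOf('');
  if (blank < 0) return fail('blank line after armor headers is missing');
  const body = lines.slice(blank + 1, -1);
  const sum = body.pop() || '';
  if (!/^=[A-Za-z0-9+/]{4}$/.test(sum)) return fail('CRC-24 line is missing');
  let bytes, crc;
  try {
    bytes = toBytes(body.join(''));
    crc = toBytes(sum.slice(1));
  } catch (e) {
    return fail('body is not valid base64');
  }
  const expected = (crc[0] << 16) | (crc[1] << 8) | crc[2];
  if (crc24(bytes) !== expected) return fail('CRC-24 mismatch: key text was altered');
  return { ok: true, bytes };
}

// Constructed sample: 60 counter bytes wrapped in armor, NOT a real key.
const SAMPLE = Uint8Array.from({ length: 60 }, (_, i) => i);
function makeSampleArmor(bytes) {
  const c = crc24(bytes);
  const sum = toB64([c >> 16, (c >> 8) & 0xFF, c & 0xFF]);
  const body = toB64(bytes).match(/.{1,64}/g).join('\n');
  return ['-----BEGIN PGP PUBLIC KEY BLOCK-----', '', body, '=' + sum, '-----END PGP PUBLIC KEY BLOCK-----'].join('\n');
}
```

If the check fails, keep the form's submit control disabled rather than letting it post plaintext. CRC-24 only catches copy-and-paste damage; it says nothing about whose key the string holds.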


Please comment, I would like your input!