Website Security Testing Case | Event Site Security & Form Data Protection
Company Background
The company in this case is a medium-to-large enterprise focused on digital marketing and online customer acquisition. They regularly collect potential customer data through campaign websites, landing pages, online registration forms, ad campaigns, and email marketing. During large-scale marketing campaigns, their website needs to handle high traffic and form submissions involving important customer data such as names, phone numbers, emails, and company names. Therefore, in addition to stable performance, comprehensive security protection is essential. Since campaign pages integrate multiple third-party tools, ad pixels, APIs, and external systems, the company wanted to complete security testing and optimization before going live to reduce risks of data leakage, malicious submissions, bot abuse, and API attacks.
1. Pre-Optimization Challenges: Form Security, API Security Testing & Website Security Optimization
Before security testing and optimization, the campaign website faced the following issues:
Forms Collect Large Volumes of Potential Customer Data
Forms collect user contact information and business requirements; without input validation, submission limits, and data protection mechanisms, they may generate spam submissions, malicious injection, duplicate submissions, or sensitive data leakage.
API Submission Process Has Potential Risks
Data is transmitted to backend systems, CRM, or marketing platforms via APIs; without permission verification, rate limiting, CSRF protection, or parameter validation, attackers may bypass frontend restrictions and directly call APIs.
Third-Party Tracking Tools Increase Data Risks
Ad tracking codes, analytics tools, heatmap tools, chat plugins, and marketing automation tracking codes help analyze performance, but also increase risks from external scripts, data transmission, and security header configuration.
Tight Campaign Launch Timeline
Marketing campaigns typically have clear launch dates; without clear risk classification and repair prioritization, teams may be unable to complete the most critical security hardening before the campaign goes live.
Lack of Campaign-Specific Security Check Process
Before campaign launches, previous activities mainly conducted content, functionality, and form flow testing, but lacked security checks specific to campaign page characteristics, such as form abuse protection, API high-frequency submission, anti-bot mechanisms, third-party script risks, and data transmission security.
2. Optimization Goals
The main goals of this security testing and optimization include:
- Reduce the risk of malicious submissions to campaign forms
- Strengthen form API permission verification and parameter checks
- Prevent spam submissions, duplicate submissions, and bot abuse
- Check third-party tracking codes and external script risks
- Strengthen HTTPS, Cookie, and Security Headers configuration
- Reduce risks to user data during transmission and processing
- Ensure the campaign website passes security checks before official launch
- Establish a reusable campaign website security testing process
3. Security Testing Strategy
3.1 Campaign Website Security Scope Inventory
We first inventory all areas that need testing based on the campaign website user journey, avoiding only checking the page surface while ignoring risk points that truly involve data submission and system integration.
- Campaign Landing Page, form fill page, and Thank You Page
- Form submission API, CRM, or marketing platform synchronization process
- Ad tracking codes, analytics tools, chat or customer service plugins
- Cookie and Session settings, HTTP Security Headers, external resources, and third-party domains
3.2 Form Security Testing
The focus of form security testing is to ensure that any user input does not directly cause data risks or system risks.
- Required fields, email, phone, company name format, and input length validation
- Special character handling, XSS testing, and SQL Injection risk testing
- Duplicate submission testing, error message checking, and secure redirect confirmation
- Testing whether frontend validation can be bypassed for direct submission
3.3 API Security Testing
The API behind campaign forms is one of the key focuses of this testing, which can effectively reduce risks of automated attacks, malicious submissions, or data abuse.
- Confirm whether the API can only be called by legitimate sources and has CSRF protection
- Check rate limiting, required parameter validation, and unauthorized call risks
- Test parameter modification to bypass limits, sensitive information return, and overly detailed error messages
- Confirm the ability to handle large volumes of abnormal submissions and necessary security logs
3.4 Third-Party Script & Tracking Code Review
This step helps reduce security and compliance risks caused by external scripts while retaining marketing analytics capabilities.
- Inventory the purpose of each third-party script and whether it is duplicated or no longer used
- Confirm whether external scripts come from trusted domains and comply with Content Security Policy
- Check whether third-party tools collect unnecessary data or have unconfirmed external data transmission
3.5 Security Headers & Cookie Review
We check the website’s basic security configuration to reduce clickjacking, partial XSS, content type confusion, Cookie abuse, and external resource risks.
- Strict-Transport-Security, Content-Security-Policy, X-Frame-Options
- X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Cookie Secure, HttpOnly, SameSite, HTTPS forced redirect, and error page information checks
4. Security Optimization Strategy
4.1 Strengthen Form Input Validation
We add more rigorous frontend and backend validation for form fields, including:
- Limit field length
- Check email and phone formats
- Filter high-risk characters
- Block malicious script input
- Re-validate all submitted data on the backend
- Avoid relying solely on frontend checks
- Improve error prompts without exposing internal logic
This can effectively reduce malicious input and data contamination risks.
4.2 Add Anti-Bot & Submission Rate Limiting
For spam submissions and automated attacks, we optimize form protection strategies, including:
- Add submission rate limiting
- Add duplicate submission protection
- Add honeypot fields or similar protection mechanisms
- Interception of abnormal submission behavior
- Limit submission frequency based on IP, Session, or behavior patterns
- Additional verification for high-risk submissions
These measures can effectively reduce the impact of spam data and bot submissions on marketing teams and backend systems.
4.3 Strengthen API Permissions & Security Controls
For form APIs, we implement the following hardening measures:
- Strengthen request source checking
- Add CSRF protection
- Add rate limiting
- Validate required parameters
- Remove unnecessary error information
- Standardize API error response format
- Log abnormal requests
- Change non-essential synchronous processes to asynchronous processing
- Reduce the risk of APIs being maliciously called
This allows APIs to remain safer and more controllable during campaign peaks and abnormal traffic.
4.4 Optimize Security Headers
Based on campaign page functional requirements and third-party script usage, we adjust security header configurations, including:
- Set Content Security Policy to limit loadable resource sources
- Add HSTS to enforce HTTPS secure connections
- Set X-Frame-Options to reduce clickjacking risks
- Set X-Content-Type-Options to avoid content type confusion
- Set Referrer-Policy to reduce unnecessary source information exposure
- Set Permissions-Policy to limit unnecessary browser features
These configurations can improve website basic security without affecting campaign functionality.
4.5 Third-Party Script Governance
We assist enterprises in reorganizing third-party scripts on campaign pages:
- Remove unnecessary tracking codes
- Consolidate duplicate function tools
- Limit external script sources
- Prevent third-party scripts from reading unnecessary data
- Ensure critical form data is not obtained by non-essential tools
- Establish a third-party tool pre-launch review process
This can reduce data and security risks brought by marketing tools while retaining necessary performance tracking capabilities.
4.5 Establish Pre-Launch Security Checklist
After completing this optimization, we assist enterprises in establishing a campaign website security checklist, covering:
- Form security testing
- API permission checks
- Anti-bot and rate limiting checks
- Security Headers checks
- Cookie security settings checks
- Third-party script inventory checks
- HTTPS and redirect checks
- Error message checks
- Test data cleanup
- Post-launch security monitoring
This checklist can serve as a standard process before each future campaign website launch.
5. Optimization Results
After security testing and optimization, the campaign website showed significant improvements in form security, API protection, third-party script governance, and launch security confidence. The following are performance results approximately 1-2 months after optimization:
| Metric | Before Optimization | After Optimization | Improvement |
|---|---|---|---|
| Form & API High-Risk Items | 6 items | 0 items | 100% Fixed |
| Form & API Medium-Risk Items | 14 items | 2 items | ~86% Reduction |
| Spam & Abnormal Submission Rate | ~8.5% | ~1.2% | ~86% Reduction |
| Third-Party Script Count | 12 | 6 | ~50% Reduction |
| Security Headers Completeness | ~50% | ~96% | ~46 percentage points increase |
| Pre-Launch Security Check Pass Rate | ~70% | ~97% | ~27 percentage points increase |
Results Summary
Through this security testing and optimization, the campaign website’s form and API high-risk items decreased from 6 to 0, and medium-risk items decreased from 14 to 2. The spam and abnormal submission rate decreased from approximately 8.5% to approximately 1.2%, effectively reducing form abuse and spam data risks.
At the same time, third-party script count decreased from 12 to 6, and Security Headers completeness increased from approximately 50% to approximately 96%. The overall pre-launch security check pass rate increased from approximately 70% to approximately 97%, giving enterprises more confidence to drive large-scale marketing campaigns.
6. Key Success Factors
6.1 Focus Security Testing on Forms and APIs
The biggest risks for campaign websites are usually not static pages, but forms and APIs. As long as forms involve data submission, strict checks on input validation, permission control, submission frequency, and data processing workflows are needed.
6.2 Balance Marketing Tracking and Data Security
Marketing campaigns need to track performance, but cannot increase security risks by adding too many third-party tools. This case study demonstrates how third-party script governance can retain necessary tracking capabilities while reducing unnecessary data exposure and external script risks.
6.3 Complete Risk Remediation Before Campaign Launch
Fixing security issues after campaign launch often affects promotion effectiveness and user trust. Therefore, this case study moved security testing before campaign launch, giving teams sufficient time to complete remediation and verification.
6.4 Not Just Finding Vulnerabilities, But Building Processes
Successful security optimization should not stop at a single test. This case study organized test items into a pre-launch security checklist, enabling enterprises to quickly execute security checks for each future campaign.
6.5 Prioritize Remediation Based on Business Risk
With tight campaign timelines, teams need to prioritize issues that most likely affect data security, form submission, and campaign effectiveness. This case study uses risk classification to ensure the most critical security hardening is completed first within limited time.
7. Conclusion
This case study demonstrates how enterprises can protect campaign websites, form submission processes, and potential customer data through security testing and optimization.
For enterprises that rely on campaign pages, online registration, form inquiries, and ad campaigns to acquire business opportunities, website security is not just an IT issue—it directly affects marketing ROI, customer trust, and data compliance risks. If campaign page forms are attacked by spam submissions, APIs are abused, or third-party scripts collect excessive data, it can weaken campaign effectiveness and brand trust.
Through form security testing, API security checks, anti-bot mechanisms, Security Headers optimization, and third-party script governance, enterprises can effectively reduce security risks before campaign launch, ensuring campaign websites can handle traffic while safely collecting and processing potential customer data.
If your website is about to conduct important marketing campaigns, online registration, ad campaigns, or form collection, and you want to identify security vulnerabilities and data risks in advance, you can learn about our Website Security Testing & Optimization Services. LeadsTech can assist enterprises with vulnerability scanning, penetration testing, OWASP risk checks, form and API security testing, Security Headers optimization, and third-party script risk checks to identify key issues affecting website security, data protection, and operational stability, and provide actionable remediation recommendations and optimization plans.
