Implementing TrustedForm's Script

The TrustedForm Script generates a new Certificate of Authenticity each time a consumer lands on a page with a lead generation form. Adding the script to your web forms is quick and easy, and we've carefully engineered it to load quickly. The usage of this script is governed by our TrustedForm Script End User License Agreement.

With the TrustedForm Script added to your HTML page, TrustedForm Certificate URLs and TrustedForm Ping URLs will start to be generated and passed along with the rest of the data submitted in the form. The script does this by adding two hidden fields in your web form and inserting the URLs into those fields. The fields are then captured by your server when the form is submitted and can be passed along to the lead buyers as proof that the lead was collected on your site.

The hidden fields:

Copy
Copied
<input type="hidden" name="xxTrustedFormCertUrl" id="xxTrustedFormCertUrl_0" value="https://cert.trustedform.com/454a35b802f3e7b63ffabb4efedb7c6ebe67886c">
<input type="hidden" name="xxTrustedFormPingUrl" id="xxTrustedFormPingUrl_0" value="https://ping.trustedform.com/0.HJDqajg8vVF20hwiDBJ92kct5idepgBM4vHylmh43kShfWSZKwm8HI37KqPToi0y3dhTIQ3N.uOjUbzs7aKNUWivkGh7I9Q.50hgmcLFsDabNx1wtZZPdQ">

TrustedForm Script Prerequisites

In order to add TrustedForm to your page, the following prerequisites need to be met:

  • Landing pages and form builder platforms must support

    • Custom JavaScript
    • Custom Hidden Fields
  • The TrustedForm script must be in the same "window" as the form

    • e.g. if the form is injected onto the page via an iFrame, the TrustedForm script must also be in this iFrame
  • The form must be present in the page before loading the TrustedForm script.

    • If the form is injected into the page code after the TrustedForm script starts, the hidden field will not be appended to the form.

Please check with your landing page or form builder platform provider to confirm they support these prerequisites and can provide you the proper documentation or support personnel to meet these requirements.

Add the TrustedForm Script to Your Form

If you don't already have the TrustedForm script, you can register for it on the Get the Script page. Alternatively, if you have a TrustedForm account, you can visit the Issuing Certificates tab in the TrustedForm app. Once registered or in the app, you will see a JavaScript snippet.

Once you have the snippet, add it to your page just before the closing </body> tag.

Tips to help TrustedForm capture your form submits and consent language

  • Use a <button> or <input type=“submit”> element to submit your form.
  • Make sure the submit button exists within the <form>.
  • Trigger form submission using the native browser submission.
  • Place your consent language within 50 pixels of your submit button.

TrustedForm Script Variables

You'll notice there are a handful of variables which are defined in the example script above: field, provideReferrer, etc. These variables allow you to configure the script according to your needs.

field - Customizing the hidden field

By default, the TrustedForm script automatically adds a hidden input fields with the names, xxTrustedFormCertUrl and xxTrustedFormPingUrl to your form. These names can be changed to suit your preferences.

Copy
Copied
var field = 'myTrustedFormCertURL';
var pingField = 'myTrustedFormPingURL';

Then, in the tf.src line, make sure '&field=' + escape(field) and/or '&ping_field=' + escape(pingField) are present.

provide_referrer - Explicitly Providing Your Page's Referrer

If you would like TrustedForm to collect your page's referrer (sometimes called the referrer URL) to show in the Certificate, set the provide_referrer variable:

Copy
Copied
var provideReferrer=true

Then, in the tf.src line, make sure '&provide_referrer=' + escape(provideReferrer) is present.

sandbox - Sandbox Mode

"Sandbox mode" allows publishers to test that their Certificates are generated correctly. You'll want to use sandbox mode prior to going live with your Certs.

Enable sandbox mode:

Copy
Copied
var sandbox=true

Then, in the tf.src line, make sure '&sandbox=' + sandbox is present.

Please note that Certificates generated while sandbox mode is enabled cannot be claimed.

invert_field_sensitivity - Treating All Fields as Sensitive Data

TrustedForm supports the ability to treat all fields as sensitive data. When this option is selected, you must flag individual fields that you don't want to be treated as sensitive.

In order to switch to this option, set the invert_field_sensitivity variable to true.

Copy
Copied
var invertFieldSensitivity=true

Then, in the tf.src line, make sure '&invert_field_sensitivity=' + invertFieldSensitivity is present.

When invert_field_sensitivity is enabled, you must explicitly mark fields you want the TrustedForm script to capture:

Copy
Copied
<input type="text" name="phone" data-tf-sensitive="false" />

identifier - Providing Identifying Information

TrustedForm is designed to work on a single form on a single page, but that's not always what is needed. There are times when publishers need to link a consumer's progress across multiple forms and pages. You can do this by using the identifier parameter.

Copy
Copied
var identifier="some-session-identifier"

Then, in the tf.src line, make sure '&identifier=' + escape(identifier) is present.

Please note that the identifier cannot exceed 128 characters, and any characters in excess of 128 will be truncated.

The identifier will be present in the Certificate under the "Publisher provided data" section.

Flagging Sensitive Data Fields

The TrustedForm script allows you to flag any or all sensitive fields of consumer data. When this feature is used, we apply a cryptographic hash to the flagged fields making it unfeasible for anyone, including us, to store, retrieve, reverse-engineer, or utilize the data that was volunteered by the end-user in that flagged data field.

When a TrustedForm video replay is viewed, the data in a flagged field will be seen only as a series of asterisks. In order for you to protect sensitive data and still have a recognizable certificate for compliance, we recommend only flagging fields that truly collect sensitive data.

Verify the Script Has Been Implemented Properly

Load the HTML page using Firefox, Chrome, or Safari and view the form using the DOM inspector (right click and choose "Inspect" or "Inspect Element").

Search for the field xxTrustedFormCertUrl in your form – this will be different if you changed the field variable. If you find it, you have successfully set up the client-side portion of the TrustedForm integration.

NOTE: View Source doesn't work in most browsers to verify the field has been added. You must inspect the source as described above. See the example below of where to find what you're looking for.

TrustedForm Snippet Example

Set up the Server-Side Integration

The value stored in the xxTrustedFormCertUrl field is what identifies and points to a consumer's specific experience. Therefore, it must be provided to the recipient(s) of the lead (i.e. the lead buyer). Because of this, it is critical that your systems captures this field along with the rest of the form data.

If you are posting directly to a LeadConduit account, there is no need to add the xxTrustedFormCertUrl field to the LeadConduit campaign. LeadConduit will automatically capture this field as one of the system fields.

If you are capturing the lead data in your database or lead management system before delivering it, you will need to add the xxTrustedFormCertUrl field so you can capture the TrustedForm Certificate URL.

Verify the Certificate URL is passed properly

Once you have everything set up, check with the party receiving your leads. Are they receiving the Certificate URL value along with their lead data? If not, make sure the server is capturing the field. If the offer is brokered, then the broker must also pass along the Certificate URL to the recipient. If the recipient is receiving the Certificate URL, then the implementation of TrustedForm is complete.

If you are generating leads to be sold in a ping/post auction ensure that the Ping URL is being received during the ping and Certificate URL during the post. Read more