FreeForm can certainly be used on a secure site (SSL). But, like EE, it needs a little tweaking to behave properly in that environment.
There is a recommendation in this thread for using a PHP wrapper to re-write the form, replacing HTTP with HTTPS. But that has several problems (including trashing early-parsed global variables in EE). A much better solution that redirects the browser to the HTTPS URI is available for EE in the Lockdown plugin.
Lockdown manages most things, but not:
1. The header files (the CSS and Javascript calls) if you’ve used the standard EE way to call them using the {my_template_group} variable.
2. The URL of the <FORM> itself—the location at which the form is processed—found in the hidden ‘RET’ field on your page source
The problem with 1. is that the browser will complain to the user that SOME of the page is made from non-secure elements. This makes the user more nervous than she needs to be.
But fixing 1. is easy. Make a global template variable (Templates tab in the EE Control Panel) called e.g. {secure_path} and substitute that variable for {my_template_group} in the templates that appear on secured pages. The {secure_path} variable should contain a hard-wired path using an HTTPS URI for your CSS or Javascript template such as ‘https://www.mysecuresite.com/index.php/secure_weblog/’. The header link in your template would look like this: <link rel='stylesheet' type='text/css' media='all' href='{secure_path}/my_base_css' /> etc etc.
Fixing 2. is important because if you use a file upload, for example, in your form your user will get a complaint from the browser that the upload is insecure. Fixing 2. is also easy but a bit messier than fixing 1. You need to make a change to the code (version 2.5.9) of mod.freeform.php (in the Modules directory of your system directory). At line 478 you need to change the way FreeForm figures out the RET value. Using Lockdown to redirect the page to an HTTPS URI, I substituted this (longer) line for line 478:
$this->data['RET'] = (array_key_exists('HTTPS', $_SERVER))? 'https://' . substr($FNS->create_url($IN->URI), 7):$FNS->create_url($IN->URI);
The code tests whether the global SERVER array contains an HTTPS key. This is a good (but, alas, not bulletproof) way to test, on Apache at least, whether the page is being served from an HTTPS URI. If you’re running under Lockdown, the key should show up OK. The next part of the expression substitutes an ‘https://’ string into the first part of the URI returned by EE’s ‘INPUT’ module. If the SERVER array does not contain an HTTPS key, then the final part of the expression does what mod.freeform.php would have done anyway: grab the un-modified URI from the INPUT module.
This is a hack. Your mileage may vary. No guarantees. Hope it helps.
Best,
Peter
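An added example, not part of the original post and not FreeForm or ExpressionEngine code: a stricter version of the HTTPS test and scheme rewrite discussed above, covering two cases the one-line patch does not (an HTTPS key set to "off", and a URL that already starts with https://). The helper names and the example.com URLs are assumptions, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added example. request_is_https(), force_https_scheme() and secure_ret()
// are hypothetical helper names, not part of FreeForm or ExpressionEngine.

/**
 * True when the server marked this request as HTTPS.
 * PHP sets $_SERVER['HTTPS'] to a non-empty value for HTTPS requests, but
 * IIS with ISAPI sets it to "off" for plain HTTP, so testing for the key's
 * presence alone can report a plain HTTP request as secure.
 */
function request_is_https(array $server): bool
{
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $flag = strtolower((string) $server['HTTPS']);
    return $flag !== '' && $flag !== 'off';
}

/**
 * Rewrite only a leading "http://" to "https://". A URL that is already
 * https (or not http at all) is returned unchanged, which a blind
 * substr($url, 7) would mangle.
 */
function force_https_scheme(string $url): string
{
    if (strncasecmp($url, 'http://', 7) === 0) {
        return 'https://' . substr($url, 7);
    }
    return $url;
}

// Value for the hidden RET field: upgraded only on a secure request.
function secure_ret(string $url, array $server): string
{
    return request_is_https($server) ? force_https_scheme($url) : $url;
}

// Constructed sample inputs (example.com is a placeholder host).
$cases = [
    ['http://www.example.com/index.php/form/', ['HTTPS' => 'on']],
    ['http://www.example.com/index.php/form/', ['HTTPS' => 'off']],
    ['http://www.example.com/index.php/form/', []],
    ['https://www.example.com/index.php/form/', ['HTTPS' => 'on']],
];
foreach ($cases as [$url, $server]) {
    echo json_encode($server), ' => ', secure_ret($url, $server), PHP_EOL;
}
```

Only the first case is rewritten to https://; the "off" and missing-key cases keep the original URL, and the already-secure URL passes through untouched.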
