Form and Consent Auditing in Websites: A Case Study with webform-privacy-consent-scanner

On institutional websites, forms are often added “right away” with good intentions — yet when they fall outside the supervision of the Information Security Office (ISO), they can expose the organization to risk.

Based on this real need, I developed an open-source auditing tool: webform-privacy-consent-scanner.

The tool scans websites to detect the presence of Google / HubSpot / Microsoft Forms and CMPs (Cookiebot, OneTrust, Efilli), identifies consent flows, and generates CSV/JSON reports.

It also includes a Playwright mode for dynamic elements and a configurable --wait option for delayed loading.

Challenges Encountered

  • Forms or CMPs injected via GTM: may not appear during static checks.
  • Access restrictions: some sites block fetch; relying on a single method is risky.

Developed Solution

Hybrid Scanning Approach

Wide Detection Coverage

Outputs

  • Generates CSV / JSON / filterable text reports, which can be further processed with filter.mjs for attribute-based filtering.

Case: Rapid Inventory & Potential Form Detection

In the first internal evaluation scan, indicators suggested that some pages might contain HubSpot and Google Forms components.

These findings were shared with the Information Security Office (ISO) to help update the current inventory.

The shared outputs provide initial visibility into the locations of potential forms. Final verification and inventory updates will proceed under ISO coordination.

Validation of CMP flows (banner, preference center, record/evidence) and any necessary improvements will be handled within ISO-directed processes.

This study focuses on detection and reporting; the next steps will be defined and executed by the organization’s relevant teams.

What Is a CMP and Why Does It Matter?

A CMP (Consent Management Platform) ensures that users give explicit, revocable consent for data processing purposes, and that such consent is properly documented.

It’s not just a “banner” — it includes:

CMPs also safeguard consent continuity during form display and submission.

Sample JSON Output

    {
      "url": "https://example.edu/contact",
      "detected_forms": ["Google Form"],
      "detected_cmp": ["OneTrust"],
      "consent_status": "detected",
      "timestamp": "2025-10-10T13:24:00Z"
    }
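
The static half of such a scan, as an added example that is not webform-privacy-consent-scanner's own code: it emits records in the shape of the sample above and flags pages where a GTM loader is present but no form or CMP was found statically, which is the case the Challenges section describes. The signature patterns, the "HubSpot Form" and "Microsoft Form" labels, the `not_detected` value and the `needs_dynamic_scan` field are assumptions.

```javascript
// Added example: signature lists are illustrative assumptions, not the scanner's rules.
const FORM_SIGNATURES = {
  "Google Form": [/docs\.google\.com\/forms\//i, /forms\.gle\//i],
  "HubSpot Form": [/js\.hsforms\.net/i, /hbspt\.forms\.create/i],
  "Microsoft Form": [/forms\.office\.com/i, /forms\.microsoft\.com/i],
};
const CMP_SIGNATURES = {
  Cookiebot: [/consent\.cookiebot\.com/i],
  OneTrust: [/cdn\.cookielaw\.org/i, /otSDKStub/i],
  Efilli: [/efilli\.com/i],
};
// A GTM loader means further tags may be injected only after the page renders.
const GTM_SIGNATURE = /googletagmanager\.com\/(gtm\.js|ns\.html)/i;

function matchNames(signatures, markup) {
  return Object.entries(signatures)
    .filter(([, patterns]) => patterns.some((re) => re.test(markup)))
    .map(([name]) => name);
}

// Static pass over raw HTML; returns a record shaped like the sample output.
function staticAudit(url, html, now = new Date()) {
  // Drop HTML comments so a commented-out embed is not reported as live.
  const markup = html.replace(/<!--[\s\S]*?-->/g, "");
  const forms = matchNames(FORM_SIGNATURES, markup);
  const cmps = matchNames(CMP_SIGNATURES, markup);
  return {
    url,
    detected_forms: forms,
    detected_cmp: cmps,
    consent_status: cmps.length ? "detected" : "not_detected", // second value assumed
    // Hypothetical field: GTM present and static pass incomplete, so re-check rendered.
    needs_dynamic_scan:
      GTM_SIGNATURE.test(markup) && (forms.length === 0 || cmps.length === 0),
    timestamp: now.toISOString(),
  };
}

// Constructed sample pages (not real scan data).
const SAMPLE_PAGES = {
  "https://example.edu/contact":
    '<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"></script>' +
    '<iframe src="https://docs.google.com/forms/d/e/CONSTRUCTED/viewform"></iframe>',
  "https://example.edu/events":
    '<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>' +
    '<!-- <script src="//js.hsforms.net/forms/embed/v2.js"></script> -->',
  "https://example.edu/apply": '<iframe src="https://forms.office.com/r/CONSTRUCTED"></iframe>',
};
const report = Object.entries(SAMPLE_PAGES).map(([url, html]) => staticAudit(url, html));
console.log(JSON.stringify(report, null, 2));
```

Pages with `needs_dynamic_scan: true` are the ones to hand to a rendered pass; an empty static result on those pages is not evidence that no form or CMP exists.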
        

Quick Start

The CLI includes options such as --dynamic, --wait, --cmp, --concurrency, and --timeout. Default values and examples are available in the README.

Best Practices (Short Checklist)

Responsible Usage (Recommended Framework)

Unplanned but Possible Enhancements
