An HTML form is used to collect user input and submit it to a server. The <form> element is a container for input controls — text fields, checkboxes, radio buttons, file uploads, and submit buttons — and the attributes on the <form> element itself determine what happens when those controls are submitted.
Understanding form attributes is foundational to both front-end development and back-end integration. Whether you are building a contact form for a Next.js application, a file upload interface, or a complex multi-step form for a government portal, every attribute described here has a direct effect on the HTTP request that leaves the browser.
This guide covers all eight core <form> attributes, their default values, accepted values, and the equivalent property on the HTMLFormElement JavaScript API. Where relevant, we note how each attribute interacts with others.
Attribute Reference Table
Attribute
Default
JS property
action
Current page URL (empty string)
.action
method
get
.method
enctype
application/x-www-form-urlencoded
.enctype
target
_self
.target
novalidate
Absent (validation enabled)
.noValidate
autocomplete
on
.autocomplete
name
None
.name
rel
None
.rel
action
Syntax
HTML
<formaction="URL"><!-- form controls --></form>
The value must be a valid relative or absolute URL. All three of the following are valid:
The default value is an empty string (""), which causes the browser to submit to the URL of the document containing the form — the current page. This is identical to setting action="" explicitly. If you want to submit to the same page, the cleanest approach is to omit the attribute entirely.
A submit button can override the form's action using the formaction attribute. This lets a single form submit to different endpoints depending on which button is clicked:
Read or set the action URL via HTMLFormElement.action:
JavaScript
const form =document.querySelector('form');// Readconsole.log(form.action);// "https://example.com/contact/submit"// Set dynamicallyform.action='/new-endpoint';
Note: Reading form.action always returns the resolved absolute URL, even if the HTML attribute was a relative path.
Even when correctly defined, the action attribute can fail due to subtle issues in frontend configuration, backend routing, or browser security policies. The following are the most common causes developers encounter in production systems.
method
Syntax
HTML
<formmethod="get | post | dialog">
Accepted values
Value
Behavior
When to use
get (default)default
Appends form data to the URL as query parameters (e.g., ?key=value).
Search forms, filters, and any query you want to be bookmarkable.
post
Sends form data in the HTTP request body; data is not visible in the URL.
Login screens, contact forms, file uploads, or when handling sensitive data.
dialog
Closes the nearest ancestor <dialog> element and sets its return value to the submitted data.
Forms located specifically inside <dialog> elements.
GET example
HTML
<formaction="/search"method="get"><inputtype="text"name="q"placeholder="Search..."><buttontype="submit">Search</button></form><!-- Submits to: /search?q=your+query -->
POST example
HTML
<formaction="/login"method="post"><inputtype="email"name="email"><inputtype="password"name="password"><buttontype="submit">Log in</button></form><!-- Credentials are sent in the request body, not the URL -->
JavaScript API
JavaScript
const form =document.querySelector('form');console.log(form.method);// "get" or "post"form.method='post';
You can override method per submit button using the formmethod attribute, exactly as with formaction.
If you forget to set enctype="multipart/form-data" on a form with a file input, the server receives only the filename string, not the file's binary content.
Quick answer: The novalidate boolean attribute disables native browser form validation when present. This is useful when you are implementing custom validation logic in JavaScript or a framework like React.
Syntax
HTML
<formaction="/submit"method="post"novalidate>
Because novalidate is a boolean attribute, its mere presence — regardless of value — activates it. The following are all equivalent:
Browser-native validation (required fields, email format, min/max lengths) runs before the form submits. If you have a JavaScript validation library — Zod, Yup, React Hook Form, Formik — you typically want to handle all validation yourself and suppress the browser's built-in UI. Add novalidate to the form element to do this cleanly.
JSX
{/* React Hook Form pattern */}<formonSubmit={handleSubmit(onSubmit)}noValidate><input{...register("email",{required:true,pattern:/^\S+@\S+$/i})}/>{errors.email&&<span>Email is required</span>}<buttontype="submit">Submit</button></form>
Per-button override
You can also suppress validation for a specific submit button using formnovalidate on the button — for example, a "Save draft" button that does not require all fields to be complete:
Individual <input> elements can override the form-level setting using their own autocomplete attribute. The <input autocomplete> attribute accepts a richer vocabulary of tokens (e.g., email, current-password, one-time-code) that tell the browser exactly what type of data a field expects.
JavaScript API
JavaScript
const form =document.querySelector('form');console.log(form.autocomplete);// "on"form.autocomplete='off';
// Via document.forms collectionconst form =document.forms['contactForm'];// Or equivalentlyconst form =document.forms.contactForm;// Trigger submission programmaticallyform.submit();
The name attribute on the <form> element is distinct from the name attribute on input elements. On inputs, name determines the key in the submitted form data payload. On the form itself, name is purely an identifier for script access.
JavaScript API
JavaScript
const form =document.querySelector('form');console.log(form.name);// "contactForm"
Prevents the newly opened page from accessing the window.opener property of the original page. This is a critical security measure for target="_blank".
noreferrer
Instructs the browser not to send the Referer HTTP header to the destination. It also automatically triggers the noopener behavior.
external
Informs the browser and search engines that the link leads to a document on a different domain/site.
help
Signals that the linked resource contains help or documentation specifically related to the current context.
JavaScript API
JavaScript
const form =document.querySelector('form');console.log(form.rel);// "noopener noreferrer"form.rel='noopener';
While not attributes of <form> itself, <fieldset> and <legend> are elements commonly used inside forms to group related controls. A <fieldset> visually and semantically groups a set of controls; <legend> provides a caption for that group. This grouping is especially important for accessibility — screen readers announce the legend text before reading each field inside the fieldset.
HTML
<formmethod="post"action="/preferences"><fieldset><legend>Do you agree to the terms?</legend><label><inputtype="radio"name="terms"value="yes"> Yes
</label><label><inputtype="radio"name="terms"value="no"> No
</label></fieldset><buttontype="submit">Continue</button></form>
HTMLFormElement JavaScript API
Every attribute described above has a corresponding property on the HTMLFormElement interface, accessible after selecting the form with document.querySelector, document.getElementById, or document.forms.
HTML attribute
JS property
R/W
Type
action
form.action
R/W
String (resolved absolute URL)
method
form.method
R/W
"get" | "post" | "dialog"
emctype
form.enctype
R/W
String (MIME type)
target
form.target
R/W
String
novalidate
form.noValidate
R/W
Boolean
autocomplete
form.autocomplete
R/W
"on" | "off"
name
form.name
R/W
String
rel
form.rel
R/W
String
—
form.elements
R
HTMLFormControlsCollection
—
form.length
R
Number (count of controls)
Programmatic submission and reset
JavaScript
const form =document.getElementById('myForm');// Submit without triggering the submit eventform.submit();// Reset all fields to their default valuesform.reset();// Check validity without submittingconst isValid = form.checkValidity();// returns booleanform.reportValidity();// shows native validation UI
1. The Legacy HTML Approach This traditional method uses the action attribute to point toward a specific server-side URL, a pattern common in older Drupal or PHP-based systems.
HTML
<formaction="/api/v1/submit-data"method="POST"><labelfor="email">Email:</label><inputtype="email"id="email"name="email"required/><buttontype="submit">Submit to Server</button></form>
2. The Modern Next.js Server Action Utilizing our modern tech stack (Next.js ^16.1.2 and TypeScript ^5.0.4), we bridge the gap between backend engineering and seamless human interaction. This approach eliminates the need for manual API route management and provides end-to-end type safety.
/apt/actions.ts
// app/actions.ts - Secure Server-Side Logic'use server'import{ revalidatePath }from'next/cache';exportasyncfunctionhandleSecureIntake(formData: FormData){const email = formData.get('email');// Logic forged in high-stakes environments like BNY Mellon [cite: 62, 98]// Process data securely with "correct-by-design" rigor [cite: 70]console.log(`Processing secure intake for: ${email}`);// Trigger on-demand ISR via your revalidateCache route [cite: 14, 26, 55]revalidatePath('/[locale]/marketing-pages');}// components/ModernForm.tsx - Seamless Frontend Interactionimport{ handleSecureIntake }from'../app/actions';exportdefaultfunctionModernForm(){return(<form action={handleSecureIntake} className="bg-background-light p-6 rounded-lg"><input
type="email" name="email" placeholder="Enter NYC Enterprise Email" className="border-border text-primary-dark"/><button type="submit" className="bg-primary hover:bg-primary-dark text-white"> Execute Server Action
</button></form>);}
Secure Server-Side Logic
Enterprise form patterns for NYC web applications
For teams building web applications in New York City's fintech, healthcare, and government sectors, HTML form attributes take on additional significance. Several common patterns are worth noting.
Fintech and financial services — Applications serving firms in the BNY Mellon ecosystem typically require autocomplete="off" on fields containing account numbers or routing numbers, novalidate on forms with custom validation rules sourced from DROOLS decision tables, and enctype="multipart/form-data" on document upload workflows. See our BNY Mellon case study for real-world context.
E-government portals — NYC government web applications must comply with WCAG 2.1 AA. This means every <input> requires a properly associated <label>, and <fieldset>/<legend> groupings are mandatory for radio and checkbox groups. Form action URLs must point to HTTPS endpoints, and method="post" is required for any form collecting personally identifiable information. For deeper guidance, see our article on e-government website development best practices.
Healthcare platforms — Electronic health record systems and patient intake forms in the NYC metro area operate under HIPAA constraints. File upload forms must use enctype="multipart/form-data" and submit to authenticated endpoints. Form target should never be _blank for forms containing PHI. See our article on scaling behavioral health EHR systems in NYC.
Universal Equations architects enterprise-grade form handling, AEM Forms integration, and DROOLS-based validation logic for organizations across the New York metro area. Get in touch to discuss your project.
Frequently asked questions
The <form> element has eight core attributes: action (where to submit), method (HTTP method), enctype (encoding type), target (where to display the response), novalidate (disable native validation), autocomplete (browser autofill behavior), name (form identifier for JavaScript), and rel (relationship to the action URL). It also inherits global HTML attributes such as id, class, and data-*.
The default value of the action attribute is an empty string (""), which causes the browser to submit the form to the current page URL. Omitting the action attribute entirely produces the same behavior.
With method="get" (the default), form data is appended to the action URL as query parameters — visible in the browser's address bar and saved in browser history. With method="post", data is sent in the HTTP request body — not visible in the URL. Use get for searches and filters; use post for logins, contact forms, and any form handling sensitive or large data.
The novalidate boolean attribute disables the browser's built-in form validation. When present, the form can be submitted even if required fields are empty or input patterns are not matched. This is typically used when custom JavaScript validation — via libraries like React Hook Form or Zod — replaces native browser validation.
The enctype attribute specifies the MIME type used to encode form data during a POST submission. The default (application/x-www-form-urlencoded) works for most text-based forms. When a form includes a file input (<input type="file">), enctype must be set to multipart/form-data, otherwise the server receives only the filename, not the file contents.
Access and modify the form's action via HTMLFormElement.action:
const form = document.querySelector('form'); form.action = '/new-endpoint';
// Or conditionally: if (userIsAdmin) { form.action = '/admin/submit'; }
The action attribute specifies the URL or endpoint where the form data should be sent for processing upon submission. In modern headless architectures, this is often a serverless API endpoint or a Next.js Server Action.
The HTTP Content-Security-Policy (CSP) form-action directive restricts the valid URLs that can be used as the target of HTML form submissions. It is a critical architectural requirement for preventing Cross-Site Request Forgery (CSRF) attacks.
While the 'action' attribute is placed on the <form> tag to define the default submission URL, the 'formaction' attribute is placed on specific submit buttons (<input type='submit'> or <button>) to override the default action for that specific button.
