HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideLegal TermsGitHubNuGetDev CommunitySubmit a ticketLog In

Configure Optimizely Forms

Explains how to configure Optimizely Forms.



Optimizely Forms is only supported by MVC-based websites and HTML5-compliant browsers.

Optimizely Forms stores its fundamental configuration in the  _protected/EPiServer.Forms/Forms.config file.


Breaking change

Forms.config was migrated to appsettings.json. From version 5.4 onward, Optimizely Forms uses appsettings.json file to store its fundamental configuration. You can upgrade and use your former Forms.config but Optimizely will stop supporting the file in the next major version.

To use the new configuration for Forms, add a Forms section your appsettings.json like the following example.

  "EPiServer": {
    "Forms": {
      "FormsConfig": {
        "VisitorSubmitTimeout": 1,
        "DisableFormCookies": false,
        "DataExportBlobProviderName": "DefaultDataExportBlobProvider",
        "SerializingObjectUsingNameValueFormat": true,
        "SendMessageInHTMLFormat": true,
        "MinimumAccessRightLevelToReadFormData": "Edit",
        "CoreController": "/EPiServer.Forms/DataSubmit",
        "DefaultUploadExtensionBlackList": "asp,aspx,asa,ashx,asmx,bat,chm,class,cmd,com,config,dll,exe,hta,htr,htw,jse,json,lnk,mda,mdb,msc,msh,pif,printer,ps1,ps2,reg,rem,scf,scr,sct,shtm,shtml,soap,stm,svc,url,vb,vbe,vbs,vsix,ws,wsc,wsf,wsh,xamlx,htm,html,js,jar",
        "FormElementViewsFolder": "~/Views/Shared/ElementBlocks",
        "WorkInNonJSMode": false,
        "InjectFormOwnStylesheet": true,
        "InjectFormOwnJQuery": true,
        "RenderingFormUsingDivElement": false,
        "PreconfiguredFeeds": [
            "Id": "Your Id",
            "Description": "Your Description",
            "Url": "Your Url",
            "KeyXPath": "Your KeyXPath",
            "ValueXPath": "Your ValueXPath",
            "CacheTimeout": 90
      "FormsPermanentStorageProvider": {
        "DefaultProvider": "DdsPermanentStorage",
        "Providers": {
          "DdsPermanentStorage": {
            "Type": "EPiServer.Forms.Core.Data.DdsPermanentStorage, EPiServer.Forms.Core",
            "Parametters": {}
          "DdsEncryptedPermanentStorage": {
            "Type": "EPiServer.Forms.Core.Data.Internal.DdsEncryptedPermanentStorage, EPiServer.Forms.Core",
            "Parameters": {
              "CryptoEngineType": "EPiServer.Forms.Crypto.AzureKeyVault.Internal.AzureKeyVaultCryptoEngine, EPiServer.Forms.Crypto.AzureKeyVault",
              "KeyIdentifier": "Your KeyIdentifier",
              "TenantId": "Your TenantId",
              "ClientId": "Your ClientId",
              "ClientSecret": "Your ClientSecret"

As an alternative method, you can also config your Optimizely Forms from Startup.cs file in ConfigureServices function with following syntax:

services.Configure<FormsConfigOptions>(options => options.CoreController = "Your Controller");
services.Configure<FormsPermanentStorageProviderOptions>(options => options.DefaultProvider = "Your DefaultProvider");

You need to add the lines above after your services.AddCmsHost() for it to take effect if you still have your Forms.config in your project. The final value will be the value in appsettings.json however.

Restrict access to data

The following configuration restricts who can view submitted form data. Edit is the default; an editor should at least have Edit access rights on the form content to view SubmissionData.


Suitable values for minimumAccessRightLevelToReadFormData are as follows:

NoAccess = 0, Read = 1, Create = 2, Edit = 4, Delete = 8, Publish = 16, Administer = 32, FullAccess = 63

For example, if you change the access rights to Publish, only a user who has Publish, Administer and FullAccess access rights on that form can see the SubmissionData.

Send emails



To send email after a site visitor submits a form, you must modify the appSettings.json settings for your website as described in Configure your email server.

Send email in HTML format, otherwise, it uses plain text.


File uploads

By default, the FileUploadElement does not let a visitor upload the following types of file extensions.

defaultUploadExtensionBlackList = "asp,aspx,asa,ashx,asmx,
chm, class, cmd, com, config,
hta, htm, html, htr, htw,
jar, js, jse, json,
mda, mdb, msc, msh,
pif, printer, ps1, ps2,
reg, rem,
scf, scr, sct, shtm, shtml, soap, stm, svc,
vb, vbe, vbs, vsix,
ws, wsc, wsf, wsh,

Use controllers

Optimizely Forms is block-based and stays in a page. Without JavaScript, Forms post data from a visitor to its page. With JavaScript, Forms post data from a visitor to its CoreControllerEPiServer.Forms.Controllers.DataSubmitController is the default CoreController, which is a normal ASP.NET MVC controller. If you want to use your own controller, you must map the route in Global.asax to your controller, and tell Forms to submit data to your controller by changing the following configuration.


Default location for view templates

Specify the default location to search for ElementBlocks' view templates. A developer also can override this behavior by implementing ICustomViewLocation or inheriting from CustomViewLocationBase.


Forms and JavaScript environments

Optimizely Forms detects the JavaScript capability of the browser to determine its behavior.

  • Using an HTML5 JavaScript-enabled browser, visitors have a better and richer user interface experience.
  • Working with non-JavaScript browsers, Optimizely Forms has to use server-side redirection and disable some features such as interaction and validation.

In some situations, you can force Forms to work in a non-JavaScript environment by setting this configuration to true.


Forms and jQuery

Optimizely Forms requires jQuery 1.7.2+ to provide a better experience in view mode (interaction, steps navigation, validation, save/load data to localStorage, etc). If your website already has jQuery 1.7.2+, you can save some payload and network transmission for your visitors by telling Optimizely Forms not to inject its jQuery instance. Forms uses the site’s jQuery instance without a problem.


Disable the default stylesheet

Optimizely Forms has a default stylesheet (EPiServerForms.less), using BEM methodology to name CSS classes and decorate HTML element tags; it is a fundamental, minimal .less file, and easy to modify. However, if you prefer not to use this default stylesheet, you can disable it by changing injectFormOwnStylesheet to false.


Configure the submit cookie timeout

Configure for days that Forms keeps the state of relation (in visitor's cookie)  between Visitor-Forms-Submission. This affects the progressive submission cookie, and the visitor identification cookie.


Render forms as a <div> tag

A form is rendered as a <form> tag in view mode by default. From version 3.1, if you want to render the form as a <div> tag, set this configuration to true.


Use Webhook receivers

From version 4.3, you can set up the kind of data format used before sending data to a webhook receiver by using:


The default value of this key is true, meaning you should use that JSON object data type to communicate with webhook receivers. The key-value dictionary data format is used if you use the value false.

Disable form cookies for GDPR

DisableFormCookies was introduced into Forms configuration to provide better GDPR compliance for your sites. Enable this option to prevent cookies from being added to site users.



Allow anonymous submissions are required for Forms submitted when DisableFormCookies is enabled because a user without cookies is not identified and is treated as anonymous.


Hide Partial Submissions from Admin or Edit View (GDPR Compliance)

HidePartialSubmissions was introduced into Forms configuration in version 5.5.0 to provide better GDPR compliance for your sites. Enable this option to hide partial submission data from external UI views such as form submission history and exported data and disable partial execution from actors. Also, enable this option to set the retention policy of partial data to a minimum period of one day.



Enabling this option will disable all actors partial execution in multi-step forms except base SaveDataToStorageActor to ensure basic functionality


Related blog posts