This is an old problem, quite a few security researchers already wrote about. But repeating things, helps learning them (especially me). In MageSetup we read posted agreements (terms and conditions) and compare them with all the agreements we expect. This looks like that: $requiredAgreements = $this->_getCustomerCreateAgreements(); $controller = $observer->