APIs & Integrations

MichaelDev
Contributor | Diamond Partner

Is HubDB good for private content?

I'd like to store private data in a HubDB table but I'm confused about the security risk.

 

In the Academy course, it says that sensitive data should NOT be stored in a HubDB because it's available to the public (this course video at the 1:33 mark).

When I click publish, it warns me that... "Publishing your HubDB table will make all of the information stored in the table public and accessible to anyone via the public API."

 

That makes sense but then I see a table setting that allows me to disable the "Allow public API access" feature (see screenshot below).

 

If I disable that feature then only authenticated API requests can access the table content. From what I understand, authenticated requests would only come from my apps or ones that I explicitly allow. Shouldn't that be secure enough to protect the data within the table?

 

I'm sure there's a security risk that I'm missing but I'm having trouble finding it. Why is it a bad idea to store sensitive information if I have "Allow public API access" turned off?

Thanks!

 

Screenshot_110320_112331_AM.jpg

1 Accepted solution
dennisedson
Solution
HubSpot Product Team

Hi @MichaelDev!

You are correct that the information will not be publicly available on the API.  It will be available to anyone who has the API Key or any app that has been given the correct scopes for OAuth. 

But in terms of truly being secure, I guess it really depends on what you are storing and how much should not be viewable by anyone.  For example, I fill out a form and it asks me to set up a password.  Should that be viewable to anyone including anyone who has access to the HubSpot portal with permissions to HubDB?  Unfortunately, it is all or none with HubDB permissions in your portal so if you had other databases that some people should see and others shouldn't, there is no way to restrict per database. 

 

I think I am beginning to ramble here.  Long story short-- it all depends on what the data is and how many people are in your portal with access. 

3 Replies
MichaelDev
Contributor | Diamond Partner

Thanks for the reply, Dennis, and what you described makes sense to me. This helps me understand the considerations I should make before storing content that I'd want to be private in a HubDB.

quentin_lamamy
Key Advisor | Diamond Partner

@dennisedson it's for you 🙂
