Support form attachments (files) are publicSOLVE
Jul 16, 2019 10:07 AM - edited Jul 16, 2019 10:22 AM
We are using a Support Form to give the option to our customers to open a new Ticket. Our Support Form contains a File Upload from Ticket properties. Every time a customer creates a Ticket with the Form and adds an attachment, the file is added to File Manager and therefore it is public.
We thought that was an unexpected behaviour and added a new issue with Hubspot Support. First they said:
"The file upload field (for ticket property) will create an attachment and it is NOT PUBLICLY accessible."
But then, when we probed that was not how it was working, they said:
"They were able to confirm that this is working as designed so when file is uploaded through the Support form into File Manager, file is expected to be publicly visible and there is no need for HubSpot log in to see the file.".
Considering this, we were wondering how people were working with Support Forms. Do you allow file uploads? Do you allow your customer's to upload files which will be publicly available?
The thing is that, unless you are uploading via the Support Form pictures of cats, you are likely:
- Exposing your customer's data publicly (indexed and crawled by search engines).
- Clashing with Hubspot's Term of Service (https://legal.hubspot.com/terms-of-service) by adding sensitive data to Hubspot (screenshots, log files, etc.).
So, how do you use file uploads to allow customers to open a ticket without falling in the ones above?
Solved! Go to Solution.
Jul 30, 2019 5:58 PM
Thanks for pointing this out. This is an issue that we've been aware of and have been actively working on fixing for the past while. The fix should be published soon.
For a little more detail: Previously, files from form submissions were uploaded to the file manager, and were accessible at a ‘normal’ File URL, something like:
while it’s possible that these files could have been found and indexed by a crawler randomly, it was unlikely without being on live content (pages).
We’re changing this so that the files will only be accessible via temporary, signed URLs - only accessible to authenticated HubSpot users (from the file manager or CRM object associated to form submission). This will ensure the files are not crawled/indexed.