Airtable attachments secure?

Hi all, I have a quick question: I know there used to be serious concerns about the security of attachments in Airtable before Airtable changed the way it handled download URLs. Was this change sufficient to consider attachments secure?

Specifically, we have a very simple application form done through Airtable for a grant opportunity. We would like to add an attachment field to collect a confidential document (tax returns) when people submit their form. Should we instead find an alternative way for these documents to be submitted more securely?

The security issue before Airtable implemented expiring attachment urls was that the attachment urls never changed, and anyone with the url could get the attachment, even if they had no access to the base and even if the attachment was deleted from the base.

Under the current system, there are two types of attachment urls: urls that require logging into the base, and public urls that expire after a few hours. If you accidentally expose a public url to someone, they will have only a few hours to get the attachment, which is a much, much, much smaller security risk.

In your particular case, unless you do something that exposes the expiring attachment urls, the only people who can see the attachments are people who are logged in with access to the attachment field. If you trust everyone with access to the attachment field, I think you are okay. Even under the old system, you would have been okay if you never exposed the attachment urls.

2 Likes

Perfect, thank you.