Receiving Confidential Information via Forms

Hi, would like to understand the current CMS functionality regarding secure data.

For background, we want to create a login page which is unique to each user. Within the login page, the user would add contract details to a form and upload supporting files (.pdf) to the CMS. This information would then be delivered via webflow’s native API to DropboxSign.

The information and supporting files would be sensitive information.

Is webflow’s default CMS able to keep this information private? There have been other threads in the past that make it unclear.

Thanks.

Hi @Eskril :wave: Welcome to the forum.

Short answer, no.

Specific fields in the CMS automatically publish your files to a public CDN before even saving the CMS item.

Then you have the issue of any fields you attach to a CMS Collection Page being public by default. There are options (Memberships, password protection) but it doesn’t sound like they meet your needs.

At a high level, that’s just not what the Webflow CMS was designed for.

Instead you should use a third party solution that claims the level of security you need to upload and manage your files.

Hi @ChrisDrit, Thanks for the quick response.

2 questions:

  • Is it correct to say that any document that a visitor submits through a Webflow contact us page (resume, business proposal, etc.) is immediately indexed and can be found via Google?

  • Back to the original example: Do you know if it would be possible to achieve this using a completely locked-down site, with a homepage only containing login fields, then all forms and submissions contained in the member’s page? I guess I’m a little confused how fields like user’s contact info can be kept confidential while other user information would be somehow public.

Thanks again for the help.

Ideally, we’d like to have one page

IMHO, you really should be looking to handle this off Webflow. One way to still have the site on Webflow and handle secure/sensitive document processing is to use a third party for that part. I have used JotForm for similar use cases and they have a DocuSign widget to simplify the process. Fact is they also provide HIPAA-compliant form processing as well.

It depends on how you’re collecting that document. Webflow file upload? Passing it off to Zapier / Make and then to a 3rd party? Going from Zapier into the Webflow CMS? Just using a 3rd party form uploader?

I know it feels like you’re asking a simple question and I (or someone) should have a simple answer, but it’s really complicated. It’s all dependent upon “how” you’re doing that file upload and where that file lives.

Sorry that’s not more helpful :grimacing:

I always try my best to make my answers actionable and that one was not.

You have to think about it like this…

If you have a password protected page (and I’m referring to this, and not Webflow Memberships - though everything I’m saying applies equally).

Webflow protects the page and the content that is on the page.

Essentially just the text on the screen.

When you include images or files, those aren’t actually on the page.

Instead, they’re linked from that page to some external url.

When the web browser sees that, it downloads that asset (via the url given) and displays it on the page for you.

But that asset (image, document, etc…) lives somewhere else, and that somewhere else is not password protected in Webflow. There are exceptions, which I mention down below, but generally speaking this is how it works.

Examples…

The Asset Manager

Upload any file to it and it goes straight to the public CDN. You may have an image element on a password protected page, or even your entire site, but that element links to an image on a public CDN that anyone can access.

I’ve uploaded an image to the asset manager, added that image to an Image Element on the canvas, and if you grab the link it uses:

Hosted on their public CDN.

I could password protect that page, but that image is still public.

Same goes for documents.

The Exception

The one exception with Webflow is their file upload feature. Those assets are password protected, but they are only accessible by collaborators invited into your account, and only once they are logged into Webflow.

Being logged into Webflow is how they protect those assets.

The CMS

How about uploading a file to the CMS File field?

When you add a file to that specific field in the CMS, it’s uploaded to the public CDN.

The CMS Image field?

Same thing, it’s immediately uploaded to the public CDN.

How do I know all of this?

It’s super easy to test.

  • Open up the CMS, create a new Collection, and add a File field to it.

  • Add a document to that field.

  • You don’t even have to create the item.

  • You’ve just uploaded that file to the public CDN.

Just adding it without even creating the new item automatically uploads it to the public CDN.

When you actually create the item, the CMS only stores the url to the public CDN, not the PDF itself.

Here’s the file, opened in a private browser, while not logged into my Webflow account.

Same goes for the Image field.

Security Vulnerability?

Is this a security vulnerability?

No.

It’s just how Webflow works.

They’ve designed it so that when you create a website all assets are hosted globally across their content delivery network (CDN).

This is a good thing. This is the magic behind a speedy site. They are doing a great job and you definitely want this.

…unless you want those assets protected.

It’s just not a service they offer. People don’t normally use Webflow for this purpose.

That was long-winded but hopefully it helps!

1 Like
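The mechanism Chris describes above (the page itself is gated, but the images and documents it links to are fetched from another host that the page gate never sees) can be checked on any page you control. The script below is an added example, not code from the thread or from Webflow; the hostnames and the HTML in it are constructed. It parses a page's HTML, resolves every image, media and document reference to an absolute URL, and reports which ones are fetched from a host other than the page's own origin, which is exactly the set that the page password cannot protect.

```python
"""Audit which assets linked from a password-protected page are fetched
from a host the page's own password gate does not cover.

Added example, not Webflow's code. The hostnames, paths and the sample
HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Link targets a visitor would treat as "documents" when linked with <a href>.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".zip")


class AssetRefParser(HTMLParser):
    """Collect every URL the browser fetches as an asset, plus document links."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Elements whose src the browser downloads automatically when rendering.
        if tag in ("img", "source", "video", "audio", "iframe", "embed") and a.get("src"):
            self.refs.append(a["src"])
        # srcset holds several candidates: "url1 500w, url2 1000w"; keep the URLs.
        if tag in ("img", "source") and a.get("srcset"):
            for candidate in a["srcset"].split(","):
                parts = candidate.strip().split()
                if parts:
                    self.refs.append(parts[0])
        # Plain links count only when they point at a downloadable document.
        if tag == "a" and a.get("href"):
            if urlparse(a["href"]).path.lower().endswith(DOCUMENT_EXTS):
                self.refs.append(a["href"])


def audit_assets(page_url, html):
    """Return one record per distinct asset: its absolute URL, the host that
    serves it, and whether that host is the page's own origin."""
    page_host = urlparse(page_url).netloc.lower()
    parser = AssetRefParser()
    parser.feed(html)
    records, seen = [], set()
    for ref in parser.refs:
        absolute = urljoin(page_url, ref)  # resolve relative paths against the page
        if absolute in seen:
            continue
        seen.add(absolute)
        host = urlparse(absolute).netloc.lower()
        records.append({"url": absolute, "host": host, "same_origin": host == page_host})
    return records


def assets_outside_page_origin(page_url, html):
    """URLs whose protection depends entirely on the asset host: the password
    on the page never applies to a fetch made against a different origin."""
    return [r["url"] for r in audit_assets(page_url, html) if not r["same_origin"]]


# Constructed sample: a gated "member" page on the site's own domain whose
# photo and contract PDF are served from a separate asset host.
SAMPLE_PAGE_URL = "https://members.example.com/contracts/alice"
SAMPLE_HTML = """
<html><body>
  <h1>Contract details</h1>
  <img src="https://cdn.example-assets.net/6123/photo.jpg"
       srcset="https://cdn.example-assets.net/6123/photo-500.jpg 500w,
               https://cdn.example-assets.net/6123/photo.jpg 1000w">
  <a href="https://cdn.example-assets.net/6123/contract-signed.pdf">Download contract</a>
  <a href="/contracts/alice/notes">Notes</a>
  <img src="/local-logo.png">
</body></html>
"""

if __name__ == "__main__":
    for record in audit_assets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        gate = "page gate applies" if record["same_origin"] else "OUTSIDE page gate"
        print(f"{gate:18} {record['url']}")
```

A same-origin result is not proof of protection (the server may still hand out that path to anyone), but an off-origin result is proof that the page password does not apply. The decisive follow-up is the one the post does by hand: request each reported URL from a fresh, cookie-less browser session and see whether it is served.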

Thanks @ChrisDrit and @webdev for the very thoughtful answer. I’ll check out JotForm.

Based on the information, it seems like I’ll need to create a member login area, where each member can submit their own information via a separate form ‘app’ or ‘widget’ within the webflow page.

It also seems that regular submissions for resumes, etc. should be done through a similar app or widget as a matter of best practice to protect users’ content.

If anyone has suggestions on the best providers, I’d really appreciate the suggestions.

Thanks.

@Eskril, I know you want to build it on your own, but you might consider something like http://www.microspace.co. I know this is not the place to start promoting products, but it looks like it matches your needs and we already help large organisations onboard employees using our platform.

Feel free to get in touch… or happy coding :wink:

Applaud on this answer! Very helpful and clear response :clap:

1 Like