By default, Heroic Inbox will create a folder where attachments in incoming and outgoing messages will be stored. These folders will be protected automatically in most cases using .htaccess files, preventing direct access.
If your site does not use a configuration that uses .htaccess, such as nginx, or you see a message warning you to verify that attachments should not be directly accessible, this should be reviewed.
It is vital you regularly test direct access to attachments, to ensure these are suitably protected.
NGINX Configuration (Deny all direct access)
location ^~ /wp-content/uploads/desk {
deny all;
return 404;
}You may need to configure the NGINX rules differently if you wish to add conditional viewing of the attachments via the WordPress admin / media screens.