
File Upload Security

Last updated on April 07, 2026.

Overview

The Insites platform provides a secure file upload system through the Assets module. All files uploaded via the admin panel are stored in Amazon S3 cloud object storage and served as static assets. This architecture ensures that uploaded files cannot be executed on the server, regardless of their file type or extension.

This page explains how the platform handles uploaded files and the security measures in place.

Storage Architecture

When a file is uploaded through the admin panel's asset management interface, the following process occurs:

  1. The file is received by the platform and transferred to Amazon S3 object storage.
  2. The file is stored as a static binary object. S3 treats all files identically, regardless of extension (.php, .js, .exe, .png, .pdf, etc.).
  3. When the file is requested, it is served directly from S3 via a Content Delivery Network (CDN) as static content.

At no point in this process is the file content parsed, interpreted, or executed by any server-side runtime. There is no PHP interpreter, no script execution engine, and no application server in the file delivery path.

Why Uploaded Files Cannot Be Executed

The platform's file storage is fundamentally different from traditional web server file storage where uploaded files might be placed in a directory served by an application server (e.g., Apache with mod_php). Key differences include:

| Traditional Web Server | Insites Platform (S3 Storage) |
| --- | --- |
| Files stored on the web server filesystem | Files stored in isolated cloud object storage (S3) |
| Server may interpret file content based on extension | All files served as static binary data regardless of extension |
| Uploaded PHP/script files could potentially execute | No runtime environment exists to execute any uploaded file |
| File execution depends on server configuration | Execution is architecturally impossible, not just disabled |

A file with a .php extension uploaded to the Insites platform is treated identically to a .png or .pdf file. It is stored as inert data and served as a static download. There is no mechanism by which the file content could be interpreted or executed.
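One way to verify this behaviour on a test asset, as an added example (not Insites code): upload a harmless canary file with a .php extension, fetch it back, and confirm the response is byte-identical to the upload and carries no runtime header. The function name, the canary and both sample responses are constructed for illustration; the ETag comparison assumes a single-part, non-KMS S3 object.

```python
import hashlib

# Response headers that indicate an application runtime handled the request.
# X-Powered-By is emitted by PHP and several application frameworks.
RUNTIME_HEADERS = ("x-powered-by",)


def check_static_delivery(uploaded: bytes, status: int, headers: dict, body: bytes) -> list:
    """Return a list of findings; an empty list means the asset came back verbatim."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    if status != 200:
        findings.append(f"unexpected status {status}")

    # Core check: a statically served object is byte-identical to the upload.
    if hashlib.sha256(body).digest() != hashlib.sha256(uploaded).digest():
        findings.append("body differs from uploaded bytes (content was transformed)")

    for name in RUNTIME_HEADERS:
        if name in hdrs:
            findings.append(f"runtime header present: {name}: {hdrs[name]}")

    # Assumption: for single-part, non-KMS S3 objects the ETag is the MD5 of the
    # content. Multipart ETags contain '-' and are skipped.
    etag = hdrs.get("etag", "").strip('"')
    if len(etag) == 32 and "-" not in etag:
        if etag.lower() != hashlib.md5(uploaded).hexdigest():
            findings.append("ETag does not match MD5 of uploaded bytes")

    return findings


# Constructed canary: if a PHP runtime handled it, the body would be "49".
CANARY = b"<?php echo 7*7; ?>\n"

# Constructed sample responses (not captured from a real Insites instance).
STATIC_RESPONSE = (200, {"Content-Type": "application/octet-stream",
                         "ETag": '"' + hashlib.md5(CANARY).hexdigest() + '"'}, CANARY)
INTERPRETED_RESPONSE = (200, {"Content-Type": "text/html",
                              "X-Powered-By": "PHP/8.2.0"}, b"49")

if __name__ == "__main__":
    for label, resp in (("static", STATIC_RESPONSE), ("interpreted", INTERPRETED_RESPONSE)):
        print(label, check_static_delivery(CANARY, *resp) or "OK: served verbatim")
```

Against a live instance, pass the status, headers and body of the fetched asset URL in place of the constructed responses.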

Access Controls

The asset upload functionality is protected by the following access controls:

  • Authentication required: Only authenticated users with admin panel access can upload files.
  • Role-based permissions: File upload access can be restricted through the Permissions module, allowing administrators to control which user roles can upload, modify, or delete assets.
  • Audit trail: All file upload actions are logged in the Event Stream, recording who uploaded the file and when.

Summary

The Insites platform's asset upload system is secure by design:

  • All uploaded files are stored in Amazon S3 cloud object storage
  • Files are served as static content via CDN with no server-side execution
  • No runtime environment exists for any uploaded file type
  • Upload access is restricted to authenticated administrators
  • All upload actions are logged in the Event Stream

This architecture means that uploading a file with a potentially dangerous extension (such as .php, .exe, or .sh) does not create a server-side execution risk, as there is no mechanism to execute the file on the server.
