Object Storage
Also Known As
S3
GCS
Azure Blob
object storage
S3-compatible
TL;DR
A flat-file storage system (S3, GCS, Azure Blob) where files are stored as objects with metadata and accessed via HTTP — infinitely scalable, separate from application servers.
Explanation
Object storage differs from block storage (disks) and file storage (NFS): objects are immutable, identified by key, and accessed via HTTP API. Key features: built-in redundancy across availability zones, lifecycle policies (auto-archive to cheaper tiers), pre-signed URLs for temporary direct access, static website hosting, and CDN integration. PHP applications should store uploads in S3 rather than the server filesystem — files persist across deployments and are accessible from all scaled instances.
Diagram
flowchart LR
APP[PHP App] -->|PUT object| BUCKET[(S3 Bucket)]
BUCKET -->|CDN origin| CF[CloudFront<br/>edge cache]
CF --> USERS[Global users<br/>low latency]
subgraph Storage_Classes
STD[Standard<br/>frequent access]
IA[Infrequent Access<br/>cheaper]
GLACIER[Glacier<br/>archive]
end
subgraph Features
VER[Versioning<br/>restore deleted]
ENC[Encryption<br/>SSE-S3 or KMS]
end
style BUCKET fill:#d29922,color:#fff
style CF fill:#1f6feb,color:#fff
style GLACIER fill:#6e40c9,color:#fff
Common Misconception
✗ S3 is slow because it's HTTP-based — S3 is designed for throughput and consistently delivers 100-500MB/s; for most web applications it is faster than local disk when served via CloudFront.
Why It Matters
Storing uploads on the application server filesystem breaks when the server is scaled out (other servers can't access files) and files are lost when a serverless function exits or a container restarts.
Common Mistakes
- Storing sensitive files in a public S3 bucket — use pre-signed URLs for private content, not public bucket policies.
- Streaming large files through PHP to the client — generate a pre-signed URL and redirect; avoids memory usage and latency.
- Not setting lifecycle rules — old temporary files accumulate indefinitely without automatic expiry.
- Uploading to S3 synchronously in a web request — offload to a queue worker for large files.
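The public-bucket, encryption and lifecycle mistakes above are all visible in a bucket's configuration, so they can be checked mechanically. The Python below is an added example, not part of this page, of that check: it takes a dict shaped like the relevant AWS API responses (bucket policy JSON, public access block flags, versioning status, default encryption rules, lifecycle rules) and returns the findings the checklist would raise. All bucket data, the account id and the role ARN are constructed sample values; the script runs offline and makes no AWS calls. The tools listed under Detection Hints (aws-config, scout-suite) gather the same configuration from a live account.

```python
"""Added example (not part of the page): audit an S3 bucket's configuration
against the checklist: no public policy, public access blocked, versioning,
default server-side encryption, and an expiry lifecycle rule."""
import json


def _is_wildcard_principal(principal) -> bool:
    """True for "*" and {"AWS": "*"} / {"AWS": ["*", ...]}, the forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json: str) -> list:
    """Statements that Allow a wildcard principal with no Condition limiting it."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def audit_bucket(bucket: dict) -> list:
    """Return human-readable findings; an empty list means the bucket passes."""
    findings = []
    pab = bucket.get("PublicAccessBlock", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls",
                 "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):
            findings.append(f"public access block: {flag} is off")
    for s in public_statements(bucket.get("Policy", "{}")):
        findings.append(f"policy: statement {s.get('Sid', '?')} grants "
                        f"{s.get('Action')} to everyone; use pre-signed URLs instead")
    if bucket.get("Versioning", {}).get("Status") != "Enabled":
        findings.append("versioning: not enabled, deleted objects cannot be restored")
    rules = bucket.get("Encryption", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if not algorithms & {"AES256", "aws:kms"}:   # SSE-S3 or SSE-KMS
        findings.append("encryption: no default server-side encryption (SSE-S3 or KMS)")
    lifecycle = bucket.get("Lifecycle", {}).get("Rules", [])
    if not any(r.get("Status") == "Enabled" and "Expiration" in r for r in lifecycle):
        findings.append("lifecycle: no expiry rule, temporary files accumulate")
    return findings


# Constructed sample data (not from a real account).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}],
})
PRIVATE_POLICY = json.dumps({   # a named application role, not "*"
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRole", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
})
WEAK_BUCKET = {"Policy": PUBLIC_POLICY, "PublicAccessBlock": {}, "Versioning": {},
               "Encryption": {}, "Lifecycle": {}}
HARDENED_BUCKET = {
    "Policy": PRIVATE_POLICY,
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Versioning": {"Status": "Enabled"},
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "Lifecycle": {"Rules": [{"ID": "expire-tmp", "Status": "Enabled",
                             "Filter": {"Prefix": "tmp/"}, "Expiration": {"Days": 7}}]},
}

if __name__ == "__main__":
    for name, bucket in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(bucket) or "OK")
```

The wildcard test matters more than it looks: `"Principal": "*"` and `"Principal": {"AWS": "*"}` are both anonymous grants, and a statement with a `Condition` (for example restricting to a VPC endpoint) is deliberately not flagged here, so review those by hand.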
Code Examples
✗ Vulnerable
// Streaming through PHP — wastes memory and adds latency:
use Aws\S3\S3Client;
class S3Service {
    private S3Client $s3;
    public function __construct(S3Client $s3) { $this->s3 = $s3; }

    public function downloadFile(string $key): void {
        $content = $this->s3->getObject(['Bucket' => 'my-bucket', 'Key' => $key])['Body'];
        header('Content-Type: application/octet-stream');
        echo $content; // Entire file is held in PHP memory before any byte reaches the client
    }
}
✓ Fixed
// Pre-signed URL — client downloads directly from S3:
use Aws\S3\S3Client;

class S3Service {
    private S3Client $s3;
    public function __construct(S3Client $s3) { $this->s3 = $s3; }

    public function downloadFile(string $key): string {
        $cmd = $this->s3->getCommand('GetObject', ['Bucket' => 'my-bucket', 'Key' => $key]);
        $request = $this->s3->createPresignedRequest($cmd, '+15 minutes'); // URL stops working after 15 minutes
        return (string) $request->getUri(); // Redirect client to this URL
    }
}
// In controller ($s3Service is an injected S3Service instance):
return redirect($s3Service->downloadFile($key));
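The URL the fixed snippet returns is an AWS Signature Version 4 query-string signature: the object key, the expiry and the bucket host are all covered by an HMAC that only the holder of the secret key can produce. The Python below is an added example, not the page's PHP code and not the AWS SDK, that builds such a URL with the standard library and then plays the storage side, recomputing the signature and enforcing X-Amz-Expires, so you can see why a URL with a different object key or a past expiry is rejected. The access key, secret, region, bucket host and signing time are constructed placeholders; in an application you call the SDK's createPresignedRequest rather than hand-rolling this.

```python
"""Added example (not the page's PHP code): how a SigV4 pre-signed GET URL is
built, and how the storage side checks it.  Standard library only."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed placeholders: not real credentials, not a real bucket.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "eu-west-1"
HOST = f"my-bucket.s3.{REGION}.amazonaws.com"   # 'my-bucket' as in the PHP snippet
T0 = datetime(2026, 3, 22, 12, 0, 0, tzinfo=timezone.utc)  # constructed signing time


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str) -> bytes:
    # SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _signature(key: str, params: dict, secret: str) -> str:
    """SigV4 signature over the canonical GET request for object `key`."""
    amz_date = params["X-Amz-Date"]
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/~"),
        urlencode(sorted(params.items()), quote_via=quote),  # sorted, '/' encoded as %2F
        f"host:{HOST}\n",           # canonical headers block ends with a blank line
        "host",                     # signed headers
        "UNSIGNED-PAYLOAD",         # query presigning does not hash a body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        f"{amz_date[:8]}/{REGION}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, amz_date[:8]),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(key: str, expires: int, now: datetime = T0) -> str:
    """Build the time-limited URL that createPresignedRequest() returns."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = urlencode(sorted(params.items()), quote_via=quote)
    query += "&X-Amz-Signature=" + _signature(key, params, SECRET_KEY)
    return f"https://{HOST}/{quote(key, safe='/~')}?{query}"


def verify_get(url: str, now: datetime) -> bool:
    """Simulates the storage side: recompute the signature, enforce X-Amz-Expires."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = q.pop("X-Amz-Signature", None)
    needed = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
              "X-Amz-Expires", "X-Amz-SignedHeaders"}
    if parsed.netloc != HOST or presented is None or not needed <= set(q):
        return False
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(q["X-Amz-Expires"])):
        return False                                    # link has expired
    key = unquote(parsed.path.lstrip("/"))             # the object key is part of what was signed
    return hmac.compare_digest(presented, _signature(key, q, SECRET_KEY))


def demo() -> dict:
    """The three cases worth checking: valid link, different key, expired link."""
    url = presign_get("uploads/report.pdf", 900)        # '+15 minutes', as in the PHP snippet
    other_key = url.replace("report.pdf", "other.pdf")  # same signature, different object
    return {
        "valid": verify_get(url, T0 + timedelta(minutes=5)),
        "other_key": verify_get(other_key, T0 + timedelta(minutes=5)),
        "expired": verify_get(url, T0 + timedelta(minutes=16)),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties are worth noticing: the signature is deterministic for a given key, expiry and signing time, so pre-signed URLs can be generated without any call to S3; and because the expiry is enforced from X-Amz-Date plus X-Amz-Expires at request time, a short window such as the snippet's 15 minutes limits how long a leaked link stays useful.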
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Medium
⚡ Quick Fix
Block all public access at account level, enable versioning and server-side encryption by default, and generate pre-signed URLs for time-limited user access instead of making buckets public
📦 Applies To
PHP 5.0+
web
cli
laravel
🔍 Detection Hints
S3 bucket with public read ACL; files served directly from S3 without signed URLs; no server-side encryption; access keys in PHP code for S3
Auto-detectable:
✓ Yes
aws-config
semgrep
trufflehog
scout-suite
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
CWE-732
CWE-312