
File upload looks small until it reaches production. Visitors attach screenshots, PDFs, invoices, logs, and files nobody should open. Operators need those files because they shorten the conversation. The system has to treat them as untrusted input anyway. Both things are true at the same time.
Limit before storing
The first controls are size limits and allowed types. Without a size limit, storage cost and memory pressure become an easy abuse path. Without an allowlist, the server accepts formats the product was never designed to serve safely. The browser can suggest a filename and content type, but the server has to enforce the real policy.
Scanning should not freeze the chat
Malware scanning is useful, but it can be slow and memory-heavy. The chat UI should not hang while a scanner works. A practical setup accepts the file into controlled storage, marks unsafe or pending states clearly, scans through a dedicated service, and only exposes safe download behavior to operators.
URLs are not permissions
Support attachments often contain personal data: an email address, invoice number, admin panel, error message, or customer screenshot. Permanent public URLs are a bad default. Files should sit behind organization-scoped access or signed delivery. An operator should see files for their conversations. Another organization should not be able to guess a link.
Keep files connected to conversations
A file without context is hard to govern. Who sent it? Which organization owns it? Which message explains why it exists? Should it be exported or deleted with the conversation? Convor keeps uploads tied to the support workflow so retention, GDPR exports, deletion, and audit logs have something concrete to follow.
The operator experience still has to be smooth. Safe image previews, clear blocked states, readable filenames, and useful visitor errors matter. The complexity belongs below the interface: validation, storage, scanning, permissions, and cleanup.
Get new posts in your inbox
No spam. Unsubscribe anytime.
