Last modified by Vincent Massol on 2022/12/02

Attachments can be uploaded either through the regular upload action, WebDAV, XML-RPC or Rest.
As an administrator you can set limits on the maximum size of an attachment and where the attachments will be stored.

Size Limit

The maximum size of an attachment is limited by a configuration parameter in the XWikiPreferences document. It is set to 100GB by default (32MB for XWiki < 10.9RC1).
To change it follow these steps:

  1. Go to http://<yourwiki>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object
  2. Click on the line that says XWikiPreferences 0 (right below the line that says Objects of type XWiki.XWikiPreferences (1))
  3. Scroll down to the field that says Maximum Upload Size and change the number to whatever size you want (it is expressed in bytes)
  4. Scroll to the bottom and click "Save"
  5. Repeat for each (sub)wiki for which you need to increase the size, since currrently this configuration has to be set per wiki

Note that if you've already tried to attach a file and it failed, in order for the new size setting to be taken into account you might need to clear your browser's cache.

Mimetype Restriction

See Attachent Validation Application.


When a user uploads an attachment and then uploads another attachment with the exact same name, you can decide whether or not to keep a version history of the attachments like you do with documents.
XWiki stores all document attachment versions by default which costs more storage space. If you need only latest versions of attachments, you can disable attachment version control by editing your xwiki.cfg and adding:


Deleted attachments are stored in a recycle bin so that they can be restored along with the document when rolling back or previewing an earlier version where the attachment should be visible. To disable this feature, edit xwiki.cfg and add:


You can view the list of deleted attachments in your wiki and delete them permanently by going to XWiki.DeletedAttachments in your wiki.

Attachment Storage

XWiki offers plugin attachment storage mechanisms so you can store your attachments in the database or directly in the filesystem.

Generally metadata for attachment and deleted attachments stay in the database whatever store is used for the content. The metadata contains the type of store used for the content allowing each attachment to choose a different store. The consequence is that what you configure is the default store for a new attachment and not the store used for all attachments.

Filesystem Attachment Store

The default since 10.5

The Filesystem attachment store saves your attachments in files in a directory tree. This means you will have one more thing to do when you back up your data but it also means you can save larger (over one gigabyte) files. Filesystem attachment store implements a two stage commit mechanism to maintain integrity even if the database fails to commit the attachment meta-data.

Filesystem attachment store location

By default the filsystem storage is located in a sub-folder (store/file since XWiki 11.0 and storage before) of the permanent directory (defined with the parameter environment.permanentDirectory in the file). By default it's defined to be data, which is a directory relative to where the Java Servlet Container was started. It's recommend to modify this value to be absolute sure that you can start the Servlet Container from any directory and still have XWiki find the attachments located in this work directory.

For example:


Since 11.4 it's possible to set the location of the filesystem store without modifying the general permanent directory using property of the file

Other considerations

If you are running a cluster you will need  to have a synchronized storage directory for each node. You can use NFS or other means to mount the disk on each node in the cluster.

Directory cleanup

Since XWiki 6.0M2, it is possible to save time on startup by preventing XWiki from cleaning up empty directories in the Filesystem Attachment Store. To do this, edit and set store.fsattach.cleanOnStartup to false. If you do this, you will be responsible for cleanup of empty directories yourself.

Database Attachment Store

The default before 10.5.

This attachment storage mechanism stores your attachments in database entries in the xwikiattachment_content, xwikiattachment_archive and xwikiattrecyclebin tables. This system allows for easy backup of your attachments by dumping the database and keeping all of your data together, but attachment size is memory constrained since the attachment content and archive must all be held in memory. As a general rule, attachments larger than 30MB are not possible.

Switch to database attachment store

These settings should read as follows: = hibernate = hibernate

# If you need to use database store for the attachment it's probably true for deleted attachments = hibernate

Also make sure they are not commented out.

When using this attachment store with a MySQL database, you must set the max_allowed_packet to about 3 times the size of your largest attachment since the attachment and its version history must be saved. See the MySQL Installation guide for more information.

Attachment display or download

When possible (see Security section below) attachments are displayed directly in the browser when accessed.
It is possible for developers to force-downloading an attachment by adding the parameter ?force-download=1 in the attachment URL. 


it's possible to use a dedicated property in to always force some attachment mime-types to be downloaded:

#-# [Since 12.10]
#-# Define the kind of attachment that you always want to be downloaded and never displayed inline.
#-# By default this list is empty, but you can specify a list of mime-types (coma separated list of values) which
#-# should be always downloaded no matter who attached them or what is the whitelist/blacklist configuration.
#-# The distinction with the blacklist configuration above is that the blacklist won't affect file attached by a user
#-# with programming rights, while this configuration affect any attachment.


In order to prevent attacks by using attachments, it's possible to control which attachments' can be directly opened on the browser based on their mimetypes.
Two properties in allow to control that independently:

#-# [Since 5.2M2]
#-# Define the kind of attachment that can be displayed inline. You can either choose to do it through a whitelist
#-# (only the mimetypes defined in this list would be displayed inline) or a blacklist (every mimetype that is not in
#-# this list would be displayed inline if possible).
#-# Note that only one configuration is used between the whitelist and the blacklist, and the whitelist always have
#-# the priority over the blacklist. Also note that these configurations exist for security reason so they are only
#-# impacting attachments added by users who do not have programming rights.
#-# If you want to force downloading some attachments types please check the configuration below.
#-# By default we use the following whitelist (coma separated list of values).
#-# If you prefer to use a blacklist instead, you can define the forbidden types here, as a coma separated list of
#-# values. We advise you to forbid at least the following mimetypes : text/html, text/javascript

Get Connected