A web engine built
like an operating system
BeamReactor is a sovereign dynamic CMS designed around a single-kernel architecture. Every request passes through the engine. Every input is typed and validated. Every plugin runs in isolation. Nothing executes outside the core's control.
A web engine for everyone
BeamReactor is a dynamic WYSIWYG content management system (CMS). It is a "web engine" for presenting, storing, indexing and mapping data tied to web applications.
We are to the web what your editing software is to your printer. Dynamic because at all times, BeamReactor optimises itself, reacts interactively in every situation, including to external threats. It can handle very large volumes of data on the fly (batch processing) and naturally supports document editing and web page creation for everyone.
While remaining simple to use and understand, BeamReactor is a powerful data management and website creation tool that enhances your content through a broad set of options and customisations.
Target audience
Primarily designed for mid-sized businesses, it also serves personal websites and very large-scale data management infrastructures. It lends itself easily to cloud computing or internal business applications, with load balancer support and efficient built-in data caches.
BeamReactor's goal is to bridge the gap between the complex, opaque CMSs typically used by large communities and simplistic systems like blogs. By harmoniously combining the best of both worlds, it offers users a simple interface backed by powerful tools, suitable for a wide variety of websites: e-commerce, community portals, corporate sites, support sites (logistics/customer service), AI and LLM infrastructures, personal sites, blogs, and tool- or service-oriented sites such as webmail or blog communities.
Everything is designed so that users can control and manage their data in a secure, straightforward, and constantly updated environment. Specialised tools ensure optimal search engine indexing.
Content accessible to all audiences
BeamReactor's dynamic skin system makes your web content accessible to sensitive audiences. It enables compliance with WCAG 2.2 standards and the RGAA framework in France, ensuring access for all through high-contrast themes, alternative text for images available directly in the web page editors, keyboard navigation, and readable fonts.
Additional features
BeamReactor v2 has a lightweight footprint of roughly 50 MB, remains backward-compatible with PHP 8.1, and supports embedded systems and legacy browsers from HTML 4.01 to HTML 5.
Configuration relies on a user-friendly override system: all changes are reversible in one click, without touching core files, with a full audit history (modification dates and notes).
The WYSIWYG document editor features drag-and-drop and seamless plugin integration. A news/blog system with RSS export, a FAQ module for customer support, a link manager with automatic descriptions, and an RSS/Atom feed aggregator for press monitoring round out the content side.
For communication, a built-in webmail client (POP3/IMAP) offers Bayesian spam filtering, attachment handling with security scanning, and message forwarding and archiving.
Visitor statistics provide a breakdown by browser, device, and resolution, a most-visited pages report, and IP geolocation.
Administration includes full one-click site backup (database + files), an optional disk space manager with file explorer, a MySQL operations interface with export, and automatic cleanup tools.
Adding new languages is assisted by a built-in LLM translation system.
The XDP kernel
BeamReactor is not an assembly of scripts. It is a system built around a centralised kernel — the XDP engine — inspired by the internal structure of an operating system.
Every HTTP request enters through a single point. The kernel handles routing, security enforcement, session management, plugin loading and output rendering. No PHP script can execute without passing through it. This is not a convention — it is a structural impossibility enforced by the architecture itself.
This centralisation guarantees uniform application of security protocols across the entire system, from user authentication to the final rendered page. Plugins cannot bypass sanitization, cannot issue raw SQL, and cannot terminate execution (exit / die are structurally forbidden). The kernel always retains control for proper session closure and coherent error handling.
Everything is a plugin
Every feature in BeamReactor lives as an autonomous plugin. The core routes, secures and orchestrates — nothing more. This means the attack surface of any given installation is exactly proportional to what you activate. An inactive plugin is zero lines of exposed code.
When a plugin is called, the engine automatically handles configuration loading, library injection, locale selection based on the user's language, and route registration. Multiple plugins coexist on the same page without collision — each operates in its own namespace with its own CSS and JavaScript resources.
Each plugin carries its own documentation (/doc/), its own test suite (/tests/), its own moderation cartography for GDPR compliance (.moderation.json), and its own sitemap declaration (.sitemap.json) for the search engine. Install is a folder drop. Removal is a folder delete.
Security is the architecture
Security in BeamReactor is not a layer bolted on top. It is the architecture itself. Every piece of data entering or leaving the system passes through Sanitizer\Parser, which validates against strict types: primitives (bool, int, float, string with length constraints), structured types (email, URL, UUID, IP, date, JSON), rich types (HTML with tag whitelists, Markdown, prepared-statement-only SQL), and business types (files with MIME/size/extension validation, images, tokens).
Database interactions use exclusively prepared statements. Direct parameter concatenation is structurally impossible through the SQL abstraction layer (BDAL). The system detects and prevents SQL injection, XSS, string overflow attacks, shell command injection, path traversal and NaN/Infinity manipulation.
Sessions are protected by permanent IP tracking, User-Agent fingerprinting, adaptive request rate limiting, and time-bounded expiration. Authentication uses Argon2id server-side and PBKDF2 client-side with per-user salting, 2FA, and single-use anti-CSRF tokens. Active honeypots — hidden form fields, trap URLs, request timing analysis — identify and quarantine attackers before they reach your data.
Adaptive immunity for web servers
BeamReactor manages privilege levels dynamically. The defaults are defined in configuration, but can be overridden at runtime from the database or from an include — based on server load, threat level, or plugin performance.
Under heavy load, resource-intensive plugins are automatically restricted to higher-privilege users. Under attack, the system can lock down to admin-only access without redeployment. A plugin that exceeds one second of generation time is automatically quarantined — disabled for regular users while administrators retain access for diagnosis.
This is application-level load balancing based on the privilege hierarchy. The system measures generation time per plugin, evaluates current load against connection count and capacity, decides whether to restrict access, and preserves admin access for diagnostics. No human intervention required. A buggy or attacked plugin does not bring down the site — it isolates itself.
GDPR compliance since 2003
BeamReactor was built on a simple principle: user data belongs to the user. Minimal collection, encrypted sensitive data, no third-party tracking, real deletion (not a soft flag), and full data export. These principles were in place since 2003 — twelve years before the GDPR was drafted.
Each plugin includes a .moderation.json file that maps exactly which user data it stores and how that data should be handled during anonymisation, erasure, or complaint processing. When a GDPR request is made, the engine walks through every installed plugin's moderation cartography and executes the appropriate action — anonymise, delete, or export — without manual intervention per plugin.
Similarly, each plugin declares a .sitemap.json that maps its public-facing content for the internal search engine and sitemap generator. This ensures that content indexing is always accurate, always up to date, and always under the control of the plugin author rather than a fragile global crawler.
Designed for speed at every level
Even the document formats are engineered for performance. The .dta and .err formats are zero-parse, zero-DB, zero-function-at-runtime: one directive per line, key-value separated by whitespace, loaded once at bootstrap into pure PHP constants cached by opcache. Parsing takes under 0.01µs. A full error page weighs under 2KB.
The WYSIWYG editor, the multilingual system, the analytics engine, the bot catalogue — none of these depend on external services. No Google Analytics, no CDN dependency, no external scripts phoning home. Everything runs on your server, under your control.
22 years, one architect, zero compromise
BeamReactor has been designed, developed and maintained by the same architect since 2003. There have been no handovers, no rewrites, no committee decisions. Every line of code follows the same security-first, performance-first philosophy that was set on day one.
The result is architectural consistency that no community-driven CMS can match. The code is 100% auditable. The security record is public: zero known CVEs in 22 years. The system runs with zero third-party dependencies — no Composer, no Node, no build step. Upload via FTP, configure, run.
Popular CMS platforms are massive targets. A vulnerability discovered in WordPress affects millions of sites simultaneously. BeamReactor's unique architecture and confidential install base make it structurally uninteresting to automated attackers — security through architectural originality, complementing real technical security.
Ready to explore?
Install BeamReactor in five minutes, browse the plugin ecosystem, or dive into the technical documentation.
