diff --git a/cms/secure.py b/cms/secure.py
index 416b20b..d0e61c3 100644
--- a/cms/secure.py
+++ b/cms/secure.py
@@ -147,7 +147,7 @@ class Manager :
 return None
 def method (self):
- return self._config['method']
+ return self._config['method'] if self._config else None
 # def _uri (self) :
 # return self._config.get('uri',None)
 def loginURI (self):
diff --git a/cms/sites/__init__.py b/cms/sites/__init__.py
index 3ae6618..28553d4 100644
--- a/cms/sites/__init__.py
+++ b/cms/sites/__init__.py
@@ -110,7 +110,7 @@ class Initialization (IOConfig):
 #
 # Log initializaton ...
 #
- self.log(action='init.security',module='site.init',input= self.secure._permissions.to_dict(orient='records'))
+ self.log(action='init.security',module='site.init',input= {'method':self.secure.method(),'permissioins':self.secure._permissions.to_dict(orient='records')})
 def reload (self):
 _args = self._args
 self._config = self.read_config(**_args)
@@ -428,10 +428,10 @@ class Site(Initialization) :
 def html (self,_request):
 _uri = self.uri(_request)
 _mimeType = self.mimeType(_uri)
- f = open(self.path(_uri),'r')
- _content = f.read() #_handler.html(_uri, self.get(None))
- f.close()
-
+ # f = open(self.path(_uri),'r')
+ # _content = f.read() #_handler.html(_uri, self.get(None))
+ # f.close()
+ _content = self.open(uri=self.path(_uri),mode='r')
 if 'md' in _mimeType or 'html' in _mimeType :
 # _content = f'
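Review bot: The new `init.security` log payload spells its second key `'permissioins'`, so anything that reads the record by key will not find the permissions list; it should be `'permissions'`. With the `cms/secure.py` change in this commit, `self.secure.method()` can now return `None`, so the logged `'method'` will be `None` whenever no security config is loaded. A short comment on the log line saying that `None` means "no authentication configured" would keep the audit record unambiguous.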
{_content}
'
@@ -468,7 +468,22 @@ class Site(Initialization) :
 # _isfile = '.' in request.path
 # return file if _isfile and not _isroute else self.get('layout.index')
-
+ def open(self,**_args) :
+ """
+ :uri path of the file to open
+ :mode r,rb {text,binary}
+ """
+ _mode = 'r' if 'mode' not in _args else _args['mode']
+ _uri = _args['uri']
+
+ if _uri.endswith('.py') and '_plugins' in _uri and self.get('layout.root') not in _uri:
+ #
+ # We can NOT serve python files over the web (possible security issue)
+ return None
+ f = open(_uri,_mode)
+ _content = f.read()
+ f.close()
+ return _content
 def read(self,request) :
 _kwargs = {'allow':0}
 # if self.secure.allow(request=request):
@@ -484,11 +499,12 @@ class Site(Initialization) :
 #
 # Opening a binary file
- f = open(self.path(_uri),'rb')
- _content = io.BytesIO(f.read())
+ # f = open(self.path(_uri),'rb')
+ # _content = io.BytesIO(f.read())
- f.close()
- # _content,_ = _handler.read(uri=_uri, config=self.get(None))
+ # f.close()
+ _content = self.open(uri=self.path(_uri),mode='rb')
+ _content = io.BytesIO( _content )
 _kwargs = {'allow':1,'mimeType':_mimeType,'extension':_extension, 'path':self.path(_uri), 'uri':_uri,'request':request.path}
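Review bot: In `html()`, `_content` now comes from `self.open(...)`, which returns `None` for a refused path, and nothing visible in the hunk checks for that before the content is used. The binary path in `read()` (hunk at -484) has the same gap, and there `io.BytesIO(None)` raises `TypeError`, so a refused file would likely surface as a server error rather than a clean denial. Both callers should test `if _content is None:` right after the call and return the site's not-found or forbidden response. The bodies of `html()` and `read()` continue outside their hunks, so handling further down cannot be ruled out.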
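Review bot: The guard in the new `open()` matches on substrings, so it refuses a `.py` file only when the path contains `_plugins` and does not contain the layout root; a Python file under the layout root, one with an upper-case extension, or a `.pyc` is still read and returned. If `self.get('layout.root')` can be `None`, the `not in` test raises `TypeError` instead of denying. If the intent is the one stated in the comment, deny on the extension alone, and read through a `with` block so the handle is closed when `read()` fails. The docstring should also say that a `None` return means the file was refused.

```python
def open(self,**_args) :
    # … unchanged: docstring, _mode and _uri lookup …
    if _uri.lower().endswith(('.py', '.pyc')):
        # Python source and bytecode are never served, wherever the file lives
        return None
    with open(_uri, _mode) as f:
        return f.read()
```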