DEV Community

Cover image for Handle WebDAV as JSON: A One-File Self-Hosted API WebDAVJSON (PHP/Node.js)
大阪のUber配達員
大阪のUber配達員

Posted on

Handle WebDAV as JSON: A One-File Self-Hosted API WebDAVJSON (PHP/Node.js)

#webdev #php #api #javascript

https://github.com/GitHub30/WebDAVJSON

What is it?

WebDAVJSON lets you drop a single PHP or Node.js file on your server and immediately get a JSON API for file operations (list, upload, download, delete). It supports CORS, custom API key (Bearer) auth, and an extension allow-list, making it easy to call from front-ends or automation scripts.

Key features

  • CORS support
  • API key (Bearer) authentication (optional)
  • File listing in JSON
  • Upload (multipart/PUT), download, delete
  • Extension allow-list for basic safety
  • Single-file PHP/Node implementation

Endpoints (HTTP methods)

  • GET / — List files (JSON)
  • GET /?filename=abc.txt — Download
  • POST/PUT / — Upload (multipart or PUT)
  • POST/PUT /?filename=abc.txt — Binary upload to a specific name
  • DELETE /?filename=abc.txt — Delete

Quick setup

Node.js (Windows example) 

winget install FiloSottile.mkcert Node.js --silent
mkcert -install
mkcert localhost
node index.mjs
# Verify:
# fetch('https://localhost:8443/').then(r=>r.json())
# fetch('https://localhost:8443/?filename=foo.txt',{method:'PUT',body:'foobar'})
Enter fullscreen mode Exit fullscreen mode

PHP (Linux example) 

# Get the single file
wget https://raw.githubusercontent.com/GitHub30/WebDAVJSON/refs/heads/main/index.php
# Start with PHP’s built-in server (choose any port)
php -S 0.0.0.0:8000
Enter fullscreen mode Exit fullscreen mode

Usage (cURL recipes)

List files (JSON) 

curl http://localhost:8000/
Enter fullscreen mode Exit fullscreen mode

Partial match search (q) 

curl "http://localhost:8000/?q=report"
Enter fullscreen mode Exit fullscreen mode

Download 

curl -O "http://localhost:8000/?filename=abc.txt"
# Save as attachment with original name
curl -OJ "http://localhost:8000/?download&filename=abc.txt"
Enter fullscreen mode Exit fullscreen mode

Upload (multipart/form-data) 

curl -F "file=@abc.txt" http://localhost:8000/
Enter fullscreen mode Exit fullscreen mode

Upload (PUT, binary) 

curl -X PUT --data-binary @abc.txt "http://localhost:8000/?filename=abc.txt"
Enter fullscreen mode Exit fullscreen mode

Delete 

curl -X DELETE "http://localhost:8000/?filename=abc.txt"
Enter fullscreen mode Exit fullscreen mode

Authentication (optional)

If you set $api_key (PHP) or the equivalent in the Node file, the API will require the header Authorization: Bearer <API_KEY>.

Example:

curl -H "Authorization: Bearer your_api_key" http://localhost:8000/
Enter fullscreen mode Exit fullscreen mode

Extension allow-list

Example of commonly allowed extensions:

txt, jpg, png, webp, heic, gif, pdf, docx, xlsx, zip, mp4, gz
Enter fullscreen mode Exit fullscreen mode

Tightening this list is recommended when exposing the API.

When it’s handy

  • You want a minimal self-hosted storage API callable from a front-end
  • You need a quick drop-zone for CI/CD artifacts
  • You prefer a no/low-code backend you can spin up in seconds
  • You’re standing up a temporary sharing server with basic guards (CORS + key)

Notes & best practices

  • Serve over HTTPS and enable an API key
  • Keep the exposure surface minimal and restrict the allowed extensions
  • Set correct permissions on the writable directory
  • If usage grows, consider rate limiting and audit logging

License

MIT License.

Wrap-up

WebDAVJSON is a “smallest-viable API” you can deploy in minutes. Despite its tiny footprint, it covers practical needs like CORS, API keys, and extension filtering. When you need a lightweight, self-hosted file API, this is a great first choice.

Top comments (0)