Handle WebDAV as JSON: A One-File Self-Hosted API WebDAVJSON (PHP/Node.js)

# 🤖 What’s it?

WebDAVJSON is a PHP/Node.js-based file storage API that allows you to drop a single PHP or Node.js file on your server and get a JSON API for file operations. The API supports CORS, API key (Bearer) authentication, file listing in JSON, upload, download, and delete, and includes an extension allow-list for basic safety. It’s a minimal self-hosted storage API that can be used from a front-end or CI/CD artifact, and is ideal for temporary sharing servers with basic guards (CORS + key). WebDAVJSON is a great first choice for a lightweight, self-hosted file storage solution.

# 🤖 Key features

• CORS support
• API key (Bearer) authentication (optional)
• File listing in JSON
• Upload (multipart/PUT), download, delete
• Extension allow-list
• Single-file PHP/Node implementation

# 🤖 Endpoints (HTTP methods)
https://github.com/GitHub30/WebDAVJSON

What is it?

WebDAVJSON lets you drop a single PHP or Node.js file on your server and immediately get a JSON API for file operations (list, upload, download, delete). It supports CORS, custom API key (Bearer) auth, and an extension allow-list, making it easy to call from front-ends or automation scripts.

Key features

• CORS support
• API key (Bearer) authentication (optional)
• File listing in JSON
• Upload (multipart/PUT), download, delete
• Extension allow-list for basic safety
• Single-file PHP/Node implementation

Endpoints (HTTP methods)

• GET / — List files (JSON)
• GET /?filename=abc.txt — Download
• POST/PUT / — Upload (multipart or PUT)
• POST/PUT /?filename=abc.txt — Binary upload to a specific name
• DELETE /?filename=abc.txt — Delete

Quick setup

Node.js (Windows example)

winget install FiloSottile.mkcert Node.js --silent
mkcert -install
mkcert localhost
node index.mjs
# Verify:
# fetch('https://localhost:8443/').then(r=>r.json())
# fetch('https://localhost:8443/?filename=foo.txt',{method:'PUT',body:'foobar'})

PHP (Linux example)

# Get the single file
wget https://raw.githubusercontent.com/GitHub30/WebDAVJSON/refs/heads/main/index.php
# Start with PHP’s built-in server (choose any port)
php -S 0.0.0.0:8000

Usage (cURL recipes)

List files (JSON)

curl http://localhost:8000/

Partial match search (q)

curl "http://localhost:8000/?q=report"

Download

curl -O "http://localhost:8000/?filename=abc.txt"
# Save as attachment with original name
curl -OJ "http://localhost:8000/?download&filename=abc.txt"

Upload (multipart/form-data)

curl -F "file=@abc.txt" http://localhost:8000/

Upload (PUT, binary)

curl -X PUT --data-binary @abc.txt "http://localhost:8000/?filename=abc.txt"

Delete

curl -X DELETE "http://localhost:8000/?filename=abc.txt"

Authentication (optional)

If you set $api_key (PHP) or the equivalent in the Node file, the API will require the header Authorization: Bearer <API_KEY>.

Example:

curl -H "Authorization: Bearer your_api_key" http://localhost:8000/

Extension allow-list

Example of commonly allowed extensions:

txt, jpg, png, webp, heic, gif, pdf, docx, xlsx, zip, mp4, gz

Tightening this list is recommended when exposing the API.

When it’s handy

• You want a minimal self-hosted storage API callable from a front-end
• You need a quick drop-zone for CI/CD artifacts
• You prefer a no/low-code backend you can spin up in seconds
• You’re standing up a temporary sharing server with basic guards (CORS + key)

Notes & best practices

• Serve over HTTPS and enable an API key
• Keep the exposure surface minimal and restrict the allowed extensions
• Set correct permissions on the writable directory
• If usage grows, consider rate limiting and audit logging

License

MIT License.

Wrap-up

WebDAVJSON is a “smallest-viable API” you can deploy in minutes. Despite its tiny footprint, it covers practical needs like CORS, API keys, and extension filtering. When you need a lightweight, self-hosted file API, this is a great first choice.