Web Applications

CompleteFTP can host web applications over HTTP and HTTPS, providing browser-based file access and custom web interfaces alongside its file transfer protocols. The built-in File Manager gives users an immediate web-based interface for uploading, downloading, and managing files, while custom web applications and JSS (JavaScript Server-Side) scripting enable advanced functionality tailored to your organization's needs.

Overview

Web application hosting in CompleteFTP provides:

  • Built-in File Manager - A ready-to-use browser-based file management interface
  • Custom web applications - Host your own HTML/JavaScript/CSS applications
  • JSS scripting - Server-side JavaScript for dynamic web content and APIs
  • Site-level mappings - Control which web apps are available on which sites
  • HTTP security headers - Configurable security headers for all HTTP responses
  • MIME type management - Custom MIME type mappings for content delivery
  • HTTPS support - Secure web access using TLS/SSL certificates

All web application operations use the completeftp webapp command group, with HTTP headers managed via completeftp site httpheader and MIME types via completeftp site mimetype.

Viewing Web Application Information

List Web Apps

# List all web applications
completeftp webapp list

# List with specific properties
completeftp webapp list folderPath enabled

Show Web App Details

# Show all properties of a web app
completeftp webapp show MyApp

# Show specific properties
completeftp webapp show MyApp folderPath enabled

Managing Web Applications

Adding a Web App

# Basic syntax
completeftp webapp add <webAppName> <folderPath>

# Add a web app from a local directory
completeftp webapp add MyApp /opt/webapps/myapp

# Add a web app from another location
completeftp webapp add CustomerPortal /var/www/customer-portal

The folderPath is the path on the local file system where the web application files reside (HTML, CSS, JavaScript, images, etc.). The directory must exist before running this command.

Modifying a Web App

# Change the folder path
completeftp webapp set MyApp folderPath=/opt/webapps/myapp-v2

# Disable a web app
completeftp webapp set MyApp enabled=false

# Re-enable a web app
completeftp webapp set MyApp enabled=true

Removing a Web App

# Remove a web application
completeftp webapp remove MyApp

Note: Removing a web app only removes the registration from CompleteFTP. The underlying files in the folder path are not deleted.

Web App URL Mappings

Web applications are mapped to sites, controlling which web apps are accessible on which sites and at what URL paths.

Viewing Mappings

# Show mappings for a web app on all sites
completeftp webapp mapping show MyApp

# Show mappings for a web app on a specific site
completeftp webapp mapping show MyApp default

Setting Mapping Properties

# Set mapping properties for a web app on a site
completeftp webapp mapping set MyApp default property=value

Built-in File Manager

CompleteFTP includes a built-in web application called FileManager2 that provides a browser-based file management interface. It is the default web application and is available out of the box.

Accessing the File Manager

When HTTP or HTTPS is enabled on a site, users can access the File Manager by navigating to the site's URL in a web browser:

https://your-server.example.com/

Configuring the Default Web App

The defaultWebApp site property controls which web app is served at the root URL:

# Show the current default web app
completeftp site show default defaultWebApp

# Set the default web app (default is FileManager2)
completeftp site set default defaultWebApp=FileManager2

# Set a custom web app as the default
completeftp site set default defaultWebApp=MyApp

File Sharing

The built-in File Manager supports file sharing, allowing users to generate secure web links for files and folders. Unlike traditional file transfer (FTP, SFTP), file sharing lets external recipients download or upload files through a browser without needing a CompleteFTP account.

How it works:

  1. A user logs into the web File Manager
  2. The user navigates to a file or folder and creates a share link
  3. CompleteFTP generates a unique secure URL, optionally with an expiry date and password
  4. The user sends the URL to the recipient
  5. The recipient opens the link in a browser to download or upload files

Share types:

  • Download shares — Recipients can download shared files
  • Upload shares — Recipients can upload files to a designated location

Controlling file sharing:

# Check if sharing is enabled
completeftp site show default sharingEnabled

# Enable file sharing
completeftp site set default sharingEnabled=true

# Disable file sharing (existing share links stop working)
completeftp site set default sharingEnabled=false

Note: File sharing requires HTTPS to be enabled on the site. The CompleteBox desktop client (available for Windows and Mac) provides additional sync and sharing capabilities — consult the Windows User Guide for details.

Enabling HTTP/HTTPS Protocols

Web applications require HTTP or HTTPS to be enabled on the site.

# Enable HTTPS (recommended)
completeftp site set default httpsEnabled=true

# Enable HTTP (not recommended for production)
completeftp site set default httpEnabled=true

# Disable HTTP to enforce HTTPS-only access
completeftp site set default httpEnabled=false

# Check current HTTP/HTTPS status
completeftp site show default httpEnabled httpsEnabled

HTTP Basic Authentication

HTTP Basic Authentication allows users to authenticate via standard HTTP headers rather than a login form:

# Enable HTTP Basic Authentication
completeftp site set default httpBasicAuth=true

# Disable HTTP Basic Authentication
completeftp site set default httpBasicAuth=false

HTTP Headers Management

CompleteFTP allows you to configure custom HTTP response headers for each site. This is useful for security hardening, CORS configuration, and caching policies.

Default Security Headers

CompleteFTP includes the following security headers by default:

Header Default Value Purpose
Strict-Transport-Security max-age=31536000; includeSubdomains Enforce HTTPS connections
X-Content-Type-Options nosniff Prevent MIME type sniffing
Content-Security-Policy frame-ancestors 'self' Restrict framing of pages
X-Frame-Options sameorigin Prevent clickjacking
X-XSS-Protection 1; mode=block Enable browser XSS filter

Listing HTTP Headers

# List all custom HTTP headers for a site
completeftp site httpheader list default

Adding or Modifying Headers

# Add or modify an HTTP header
completeftp site httpheader set default "X-Custom-Header" "CustomValue"

# Configure CORS headers
completeftp site httpheader set default "Access-Control-Allow-Origin" "https://app.example.com"
completeftp site httpheader set default "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE"
completeftp site httpheader set default "Access-Control-Allow-Headers" "Content-Type, Authorization"

# Set a custom Content-Security-Policy
completeftp site httpheader set default "Content-Security-Policy" "frame-ancestors 'self' https://trusted.example.com"

# Set cache control headers
completeftp site httpheader set default "Cache-Control" "no-cache, no-store, must-revalidate"

Removing Headers

# Remove a custom HTTP header
completeftp site httpheader remove default "X-Custom-Header"

Note: Removing a default security header will reduce the security posture of your site. Only remove default headers if you have a specific reason and understand the implications.

MIME Types Management

MIME types tell the browser how to handle different file types. CompleteFTP comes with standard MIME type mappings, and you can add or modify them as needed.

Listing MIME Types

# List all MIME types for a site
completeftp site mimetype list default

Adding or Modifying MIME Types

# Add a MIME type mapping
completeftp site mimetype set default ".json" "application/json"

# Add MIME types for custom file formats
completeftp site mimetype set default ".csv" "text/csv"
completeftp site mimetype set default ".yaml" "application/x-yaml"
completeftp site mimetype set default ".wasm" "application/wasm"

# Override a default MIME type
completeftp site mimetype set default ".txt" "text/plain; charset=utf-8"

Removing MIME Types

# Remove a custom MIME type mapping
completeftp site mimetype remove default ".yaml"

Custom Web Applications with JSS

JSS (JavaScript Server-Side) enables server-side scripting for web applications hosted on CompleteFTP. When JSS is enabled, files with the .jss extension are executed as server-side JavaScript rather than served as static files.

Enabling JSS

# Check if JSS is enabled
completeftp site show default jssEnabled

# Enable JSS
completeftp site set default jssEnabled=true

# Disable JSS
completeftp site set default jssEnabled=false

Creating a JSS Web Application

A JSS web application is a collection of .jss files placed in the web app's folder path. Each .jss file can generate dynamic content, access the CompleteFTP virtual file system, and interact with external services.

# 1. Create a directory for the web app
mkdir -p /opt/webapps/myapi

# 2. Create a simple JSS page (example)
cat > /opt/webapps/myapi/index.jss << 'JSS'
response.write("<html><body>");
response.write("<h1>Welcome, " + session.userName + "</h1>");
response.write("<p>Server time: " + new Date() + "</p>");
response.write("</body></html>");
JSS

# 3. Register the web app
completeftp webapp add MyAPI /opt/webapps/myapi

# 4. Ensure JSS is enabled on the site
completeftp site set default jssEnabled=true

JSS Capabilities

JSS scripts have access to the CompleteFTP server-side API, including:

  • File system operations - Read, write, move, and delete files in the virtual file system
  • HTTP request/response - Access request parameters, headers, and write responses
  • Session information - Access the current user's session and authentication details
  • FTP/SFTP clients - Connect to remote servers from server-side code
  • Database access - Query databases using the DatabaseSync API
  • Email - Send emails using the mail API
  • .NET interop - Access .NET framework classes directly

Web Application Properties

Property Description Default
folderPath Local file system path for the web app files (set at creation)
enabled Whether the web app is active true

Related Site Properties

Property Description Default
defaultWebApp Web app served at the root URL FileManager2
httpEnabled Enable HTTP protocol false
httpsEnabled Enable HTTPS protocol true
httpBasicAuth Enable HTTP Basic Authentication false
jssEnabled Enable JSS server-side scripting false
sharingEnabled Enable file sharing links in File Manager false

Workflow Examples

Deploy a Custom Web Portal

Deploy a custom HTML/CSS/JavaScript web portal for customers:

# 1. Prepare the web app directory
mkdir -p /opt/webapps/customer-portal

# 2. Copy your web application files into the directory
cp -r /path/to/portal-build/* /opt/webapps/customer-portal/

# 3. Register the web app with CompleteFTP
completeftp webapp add CustomerPortal /opt/webapps/customer-portal

# 4. Set it as the default web app
completeftp site set default defaultWebApp=CustomerPortal

# 5. Ensure HTTPS is enabled
completeftp site set default httpsEnabled=true

Set Up File Manager with Sharing

Configure the built-in File Manager with file sharing and security headers:

# 1. Ensure HTTPS is enabled and HTTP is disabled
completeftp site set default httpsEnabled=true
completeftp site set default httpEnabled=false

# 2. Enable file sharing
completeftp site set default sharingEnabled=true

# 3. Verify the default web app is FileManager2
completeftp site show default defaultWebApp

# 4. Add additional security headers
completeftp site httpheader set default "Referrer-Policy" "strict-origin-when-cross-origin"
completeftp site httpheader set default "Permissions-Policy" "camera=(), microphone=(), geolocation=()"

Build a JSS API Endpoint

Create a server-side API for integration with other systems:

# 1. Create the API directory
mkdir -p /opt/webapps/api

# 2. Create an API endpoint (example)
cat > /opt/webapps/api/status.jss << 'JSS'
response.contentType = "application/json";
var result = {
    server: system.serverName,
    time: new Date().toISOString(),
    user: session.userName
};
response.write(JSON.stringify(result));
JSS

# 3. Register the web app
completeftp webapp add API /opt/webapps/api

# 4. Enable JSS on the site
completeftp site set default jssEnabled=true

# 5. Set the appropriate MIME type for JSON
completeftp site mimetype set default ".json" "application/json"

Configure CORS for an External Application

Allow a separate frontend application to access CompleteFTP's web APIs:

# Set CORS headers on the site
completeftp site httpheader set default "Access-Control-Allow-Origin" "https://frontend.example.com"
completeftp site httpheader set default "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS"
completeftp site httpheader set default "Access-Control-Allow-Headers" "Content-Type, Authorization"
completeftp site httpheader set default "Access-Control-Allow-Credentials" "true"

Serve Custom Static Content with MIME Types

Host a web app with custom file types:

# 1. Register the web app
completeftp webapp add Documentation /opt/webapps/docs

# 2. Add MIME types for custom content
completeftp site mimetype set default ".md" "text/markdown"
completeftp site mimetype set default ".svg" "image/svg+xml"
completeftp site mimetype set default ".woff2" "font/woff2"
completeftp site mimetype set default ".webp" "image/webp"

# 3. Set caching headers for static assets
completeftp site httpheader set default "Cache-Control" "public, max-age=86400"

Troubleshooting

Web App Not Accessible

# Check that HTTP or HTTPS is enabled
completeftp site show default httpEnabled httpsEnabled

# Verify the web app exists and is enabled
completeftp webapp show MyApp enabled folderPath

# Check the default web app setting
completeftp site show default defaultWebApp

# Verify the web app folder exists and contains files
ls -la /opt/webapps/myapp/

File Manager Login Fails

# Verify the user account exists and is enabled
completeftp user show alice enabled

# Check that HTTP Basic Auth is configured if needed
completeftp site show default httpBasicAuth

# Verify HTTPS certificate is valid
completeftp site show default sslCertificate.commonName sslCertificate.validTo

JSS Scripts Not Executing

# Verify JSS is enabled on the site
completeftp site show default jssEnabled

# Ensure the file has the .jss extension
ls -la /opt/webapps/myapp/*.jss

# Check server logs for JSS errors
completeftp monitor set logging.level=Debug

# Test with a minimal JSS script
cat > /opt/webapps/myapp/test.jss << 'JSS'
response.write("JSS is working");
JSS

Custom Headers Not Applied

# List all custom headers
completeftp site httpheader list default

# Verify the header is set correctly
# Note: Headers are applied to HTTP/HTTPS responses only

# Test with curl to see response headers
curl -I https://your-server.example.com/

MIME Type Issues

# List current MIME types
completeftp site mimetype list default

# Verify the MIME type is set for the file extension
# Ensure the extension includes the leading dot
completeftp site mimetype set default ".ext" "application/octet-stream"

Best Practices

Security

  1. Use HTTPS only - Disable HTTP and enforce HTTPS for all web access
  2. Keep default security headers - Do not remove the built-in security headers unless you have a specific need
  3. Restrict CORS origins - Never use * for Access-Control-Allow-Origin in production
  4. Enable HTTP Basic Auth carefully - Only enable when required, as credentials are sent with every request
  5. Validate JSS input - Always validate and sanitize user input in JSS scripts

Performance

  1. Use caching headers - Set appropriate Cache-Control headers for static assets
  2. Minimize JSS processing - Keep server-side logic efficient; offload heavy processing to external services
  3. Optimize static assets - Minify CSS and JavaScript, compress images before deploying

Deployment

  1. Version your web apps - Use versioned directory names (e.g., /opt/webapps/portal-v2) for easy rollback
  2. Test before switching - Deploy a new web app alongside the existing one before changing defaultWebApp
  3. Document custom headers - Keep a record of any custom HTTP headers and their purpose
  4. Monitor MIME types - Add MIME types for any custom file formats your web app serves

Maintenance

  1. Review web apps regularly - Remove unused web applications to reduce the attack surface
  2. Update security headers - Stay current with recommended HTTP security header values
  3. Audit JSS scripts - Review server-side scripts for security vulnerabilities
  4. Back up web app files - Include web application directories in your backup strategy

Quick Reference

Web App Management Commands

# List web apps
completeftp webapp list [properties]

# Show web app details
completeftp webapp show <webAppName> [properties]

# Add web app
completeftp webapp add <webAppName> <folderPath>

# Modify web app
completeftp webapp set <webAppName> property=value

# Remove web app
completeftp webapp remove <webAppName>

Web App Mapping Commands

# Show mappings
completeftp webapp mapping show <webAppName> [site]

# Set mapping properties
completeftp webapp mapping set <webAppName> <site> property=value

HTTP Header Commands

# List headers
completeftp site httpheader list <siteName>

# Add/modify header
completeftp site httpheader set <siteName> <name> <value>

# Remove header
completeftp site httpheader remove <siteName> <name>

MIME Type Commands

# List MIME types
completeftp site mimetype list <siteName>

# Add/modify MIME type
completeftp site mimetype set <siteName> <name> <value>

# Remove MIME type
completeftp site mimetype remove <siteName> <name>

Related Site Properties

defaultWebApp=FileManager2   # Default web app at root URL
httpEnabled=true/false       # Enable HTTP protocol
httpsEnabled=true/false      # Enable HTTPS protocol
httpBasicAuth=true/false     # Enable HTTP Basic Authentication
jssEnabled=true/false        # Enable JSS server-side scripting
sharingEnabled=true/false    # Enable file sharing in File Manager

Default Security Headers

Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block