Web Applications
CompleteFTP can host web applications over HTTP and HTTPS, providing browser-based file access and custom web interfaces alongside its file transfer protocols. The built-in File Manager gives users an immediate web-based interface for uploading, downloading, and managing files, while custom web applications and JSS (JavaScript Server-Side) scripting enable advanced functionality tailored to your organization's needs.
Overview
Web application hosting in CompleteFTP provides:
- Built-in File Manager - A ready-to-use browser-based file management interface
- Custom web applications - Host your own HTML/JavaScript/CSS applications
- JSS scripting - Server-side JavaScript for dynamic web content and APIs
- Site-level mappings - Control which web apps are available on which sites
- HTTP security headers - Configurable security headers for all HTTP responses
- MIME type management - Custom MIME type mappings for content delivery
- HTTPS support - Secure web access using TLS/SSL certificates
All web application operations use the completeftp webapp command group, with HTTP headers managed via completeftp site httpheader and MIME types via completeftp site mimetype.
Viewing Web Application Information
List Web Apps
# List all web applications
completeftp webapp list
# List with specific properties
completeftp webapp list folderPath enabled
Show Web App Details
# Show all properties of a web app
completeftp webapp show MyApp
# Show specific properties
completeftp webapp show MyApp folderPath enabled
Managing Web Applications
Adding a Web App
# Basic syntax
completeftp webapp add <webAppName> <folderPath>
# Add a web app from a local directory
completeftp webapp add MyApp /opt/webapps/myapp
# Add a web app from another location
completeftp webapp add CustomerPortal /var/www/customer-portal
The folderPath is the path on the local file system where the web application files reside (HTML, CSS, JavaScript, images, etc.). The directory must exist before running this command.
Modifying a Web App
# Change the folder path
completeftp webapp set MyApp folderPath=/opt/webapps/myapp-v2
# Disable a web app
completeftp webapp set MyApp enabled=false
# Re-enable a web app
completeftp webapp set MyApp enabled=true
Removing a Web App
# Remove a web application
completeftp webapp remove MyApp
Note: Removing a web app only removes the registration from CompleteFTP. The underlying files in the folder path are not deleted.
Web App URL Mappings
Web applications are mapped to sites, controlling which web apps are accessible on which sites and at what URL paths.
Viewing Mappings
# Show mappings for a web app on all sites
completeftp webapp mapping show MyApp
# Show mappings for a web app on a specific site
completeftp webapp mapping show MyApp default
Setting Mapping Properties
# Set mapping properties for a web app on a site
completeftp webapp mapping set MyApp default property=value
Built-in File Manager
CompleteFTP includes a built-in web application called FileManager2 that provides a browser-based file management interface. It is the default web application and is available out of the box.
Accessing the File Manager
When HTTP or HTTPS is enabled on a site, users can access the File Manager by navigating to the site's URL in a web browser:
https://your-server.example.com/
Configuring the Default Web App
The defaultWebApp site property controls which web app is served at the root URL:
# Show the current default web app
completeftp site show default defaultWebApp
# Set the default web app (default is FileManager2)
completeftp site set default defaultWebApp=FileManager2
# Set a custom web app as the default
completeftp site set default defaultWebApp=MyApp
File Sharing
The built-in File Manager supports file sharing, allowing users to generate secure web links for files and folders. Unlike traditional file transfer (FTP, SFTP), file sharing lets external recipients download or upload files through a browser without needing a CompleteFTP account.
How it works:
- A user logs into the web File Manager
- The user navigates to a file or folder and creates a share link
- CompleteFTP generates a unique secure URL, optionally with an expiry date and password
- The user sends the URL to the recipient
- The recipient opens the link in a browser to download or upload files
Share types:
- Download shares — Recipients can download shared files
- Upload shares — Recipients can upload files to a designated location
Controlling file sharing:
# Check if sharing is enabled
completeftp site show default sharingEnabled
# Enable file sharing
completeftp site set default sharingEnabled=true
# Disable file sharing (existing share links stop working)
completeftp site set default sharingEnabled=false
Note: File sharing requires HTTPS to be enabled on the site. The CompleteBox desktop client (available for Windows and Mac) provides additional sync and sharing capabilities — consult the Windows User Guide for details.
Enabling HTTP/HTTPS Protocols
Web applications require HTTP or HTTPS to be enabled on the site.
# Enable HTTPS (recommended)
completeftp site set default httpsEnabled=true
# Enable HTTP (not recommended for production)
completeftp site set default httpEnabled=true
# Disable HTTP to enforce HTTPS-only access
completeftp site set default httpEnabled=false
# Check current HTTP/HTTPS status
completeftp site show default httpEnabled httpsEnabled
HTTP Basic Authentication
HTTP Basic Authentication allows users to authenticate via standard HTTP headers rather than a login form:
# Enable HTTP Basic Authentication
completeftp site set default httpBasicAuth=true
# Disable HTTP Basic Authentication
completeftp site set default httpBasicAuth=false
HTTP Headers Management
CompleteFTP allows you to configure custom HTTP response headers for each site. This is useful for security hardening, CORS configuration, and caching policies.
Default Security Headers
CompleteFTP includes the following security headers by default:
| Header | Default Value | Purpose |
|---|---|---|
Strict-Transport-Security |
max-age=31536000; includeSubdomains |
Enforce HTTPS connections |
X-Content-Type-Options |
nosniff |
Prevent MIME type sniffing |
Content-Security-Policy |
frame-ancestors 'self' |
Restrict framing of pages |
X-Frame-Options |
sameorigin |
Prevent clickjacking |
X-XSS-Protection |
1; mode=block |
Enable browser XSS filter |
Listing HTTP Headers
# List all custom HTTP headers for a site
completeftp site httpheader list default
Adding or Modifying Headers
# Add or modify an HTTP header
completeftp site httpheader set default "X-Custom-Header" "CustomValue"
# Configure CORS headers
completeftp site httpheader set default "Access-Control-Allow-Origin" "https://app.example.com"
completeftp site httpheader set default "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE"
completeftp site httpheader set default "Access-Control-Allow-Headers" "Content-Type, Authorization"
# Set a custom Content-Security-Policy
completeftp site httpheader set default "Content-Security-Policy" "frame-ancestors 'self' https://trusted.example.com"
# Set cache control headers
completeftp site httpheader set default "Cache-Control" "no-cache, no-store, must-revalidate"
Removing Headers
# Remove a custom HTTP header
completeftp site httpheader remove default "X-Custom-Header"
Note: Removing a default security header will reduce the security posture of your site. Only remove default headers if you have a specific reason and understand the implications.
MIME Types Management
MIME types tell the browser how to handle different file types. CompleteFTP comes with standard MIME type mappings, and you can add or modify them as needed.
Listing MIME Types
# List all MIME types for a site
completeftp site mimetype list default
Adding or Modifying MIME Types
# Add a MIME type mapping
completeftp site mimetype set default ".json" "application/json"
# Add MIME types for custom file formats
completeftp site mimetype set default ".csv" "text/csv"
completeftp site mimetype set default ".yaml" "application/x-yaml"
completeftp site mimetype set default ".wasm" "application/wasm"
# Override a default MIME type
completeftp site mimetype set default ".txt" "text/plain; charset=utf-8"
Removing MIME Types
# Remove a custom MIME type mapping
completeftp site mimetype remove default ".yaml"
Custom Web Applications with JSS
JSS (JavaScript Server-Side) enables server-side scripting for web applications hosted on CompleteFTP. When JSS is enabled, files with the .jss extension are executed as server-side JavaScript rather than served as static files.
Enabling JSS
# Check if JSS is enabled
completeftp site show default jssEnabled
# Enable JSS
completeftp site set default jssEnabled=true
# Disable JSS
completeftp site set default jssEnabled=false
Creating a JSS Web Application
A JSS web application is a collection of .jss files placed in the web app's folder path. Each .jss file can generate dynamic content, access the CompleteFTP virtual file system, and interact with external services.
# 1. Create a directory for the web app
mkdir -p /opt/webapps/myapi
# 2. Create a simple JSS page (example)
cat > /opt/webapps/myapi/index.jss << 'JSS'
response.write("<html><body>");
response.write("<h1>Welcome, " + session.userName + "</h1>");
response.write("<p>Server time: " + new Date() + "</p>");
response.write("</body></html>");
JSS
# 3. Register the web app
completeftp webapp add MyAPI /opt/webapps/myapi
# 4. Ensure JSS is enabled on the site
completeftp site set default jssEnabled=true
JSS Capabilities
JSS scripts have access to the CompleteFTP server-side API, including:
- File system operations - Read, write, move, and delete files in the virtual file system
- HTTP request/response - Access request parameters, headers, and write responses
- Session information - Access the current user's session and authentication details
- FTP/SFTP clients - Connect to remote servers from server-side code
- Database access - Query databases using the DatabaseSync API
- Email - Send emails using the mail API
- .NET interop - Access .NET framework classes directly
Web Application Properties
| Property | Description | Default |
|---|---|---|
folderPath |
Local file system path for the web app files | (set at creation) |
enabled |
Whether the web app is active | true |
Related Site Properties
| Property | Description | Default |
|---|---|---|
defaultWebApp |
Web app served at the root URL | FileManager2 |
httpEnabled |
Enable HTTP protocol | false |
httpsEnabled |
Enable HTTPS protocol | true |
httpBasicAuth |
Enable HTTP Basic Authentication | false |
jssEnabled |
Enable JSS server-side scripting | false |
sharingEnabled |
Enable file sharing links in File Manager | false |
Workflow Examples
Deploy a Custom Web Portal
Deploy a custom HTML/CSS/JavaScript web portal for customers:
# 1. Prepare the web app directory
mkdir -p /opt/webapps/customer-portal
# 2. Copy your web application files into the directory
cp -r /path/to/portal-build/* /opt/webapps/customer-portal/
# 3. Register the web app with CompleteFTP
completeftp webapp add CustomerPortal /opt/webapps/customer-portal
# 4. Set it as the default web app
completeftp site set default defaultWebApp=CustomerPortal
# 5. Ensure HTTPS is enabled
completeftp site set default httpsEnabled=true
Set Up File Manager with Sharing
Configure the built-in File Manager with file sharing and security headers:
# 1. Ensure HTTPS is enabled and HTTP is disabled
completeftp site set default httpsEnabled=true
completeftp site set default httpEnabled=false
# 2. Enable file sharing
completeftp site set default sharingEnabled=true
# 3. Verify the default web app is FileManager2
completeftp site show default defaultWebApp
# 4. Add additional security headers
completeftp site httpheader set default "Referrer-Policy" "strict-origin-when-cross-origin"
completeftp site httpheader set default "Permissions-Policy" "camera=(), microphone=(), geolocation=()"
Build a JSS API Endpoint
Create a server-side API for integration with other systems:
# 1. Create the API directory
mkdir -p /opt/webapps/api
# 2. Create an API endpoint (example)
cat > /opt/webapps/api/status.jss << 'JSS'
response.contentType = "application/json";
var result = {
server: system.serverName,
time: new Date().toISOString(),
user: session.userName
};
response.write(JSON.stringify(result));
JSS
# 3. Register the web app
completeftp webapp add API /opt/webapps/api
# 4. Enable JSS on the site
completeftp site set default jssEnabled=true
# 5. Set the appropriate MIME type for JSON
completeftp site mimetype set default ".json" "application/json"
Configure CORS for an External Application
Allow a separate frontend application to access CompleteFTP's web APIs:
# Set CORS headers on the site
completeftp site httpheader set default "Access-Control-Allow-Origin" "https://frontend.example.com"
completeftp site httpheader set default "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS"
completeftp site httpheader set default "Access-Control-Allow-Headers" "Content-Type, Authorization"
completeftp site httpheader set default "Access-Control-Allow-Credentials" "true"
Serve Custom Static Content with MIME Types
Host a web app with custom file types:
# 1. Register the web app
completeftp webapp add Documentation /opt/webapps/docs
# 2. Add MIME types for custom content
completeftp site mimetype set default ".md" "text/markdown"
completeftp site mimetype set default ".svg" "image/svg+xml"
completeftp site mimetype set default ".woff2" "font/woff2"
completeftp site mimetype set default ".webp" "image/webp"
# 3. Set caching headers for static assets
completeftp site httpheader set default "Cache-Control" "public, max-age=86400"
Troubleshooting
Web App Not Accessible
# Check that HTTP or HTTPS is enabled
completeftp site show default httpEnabled httpsEnabled
# Verify the web app exists and is enabled
completeftp webapp show MyApp enabled folderPath
# Check the default web app setting
completeftp site show default defaultWebApp
# Verify the web app folder exists and contains files
ls -la /opt/webapps/myapp/
File Manager Login Fails
# Verify the user account exists and is enabled
completeftp user show alice enabled
# Check that HTTP Basic Auth is configured if needed
completeftp site show default httpBasicAuth
# Verify HTTPS certificate is valid
completeftp site show default sslCertificate.commonName sslCertificate.validTo
JSS Scripts Not Executing
# Verify JSS is enabled on the site
completeftp site show default jssEnabled
# Ensure the file has the .jss extension
ls -la /opt/webapps/myapp/*.jss
# Check server logs for JSS errors
completeftp monitor set logging.level=Debug
# Test with a minimal JSS script
cat > /opt/webapps/myapp/test.jss << 'JSS'
response.write("JSS is working");
JSS
Custom Headers Not Applied
# List all custom headers
completeftp site httpheader list default
# Verify the header is set correctly
# Note: Headers are applied to HTTP/HTTPS responses only
# Test with curl to see response headers
curl -I https://your-server.example.com/
MIME Type Issues
# List current MIME types
completeftp site mimetype list default
# Verify the MIME type is set for the file extension
# Ensure the extension includes the leading dot
completeftp site mimetype set default ".ext" "application/octet-stream"
Best Practices
Security
- Use HTTPS only - Disable HTTP and enforce HTTPS for all web access
- Keep default security headers - Do not remove the built-in security headers unless you have a specific need
- Restrict CORS origins - Never use
*forAccess-Control-Allow-Originin production - Enable HTTP Basic Auth carefully - Only enable when required, as credentials are sent with every request
- Validate JSS input - Always validate and sanitize user input in JSS scripts
Performance
- Use caching headers - Set appropriate
Cache-Controlheaders for static assets - Minimize JSS processing - Keep server-side logic efficient; offload heavy processing to external services
- Optimize static assets - Minify CSS and JavaScript, compress images before deploying
Deployment
- Version your web apps - Use versioned directory names (e.g.,
/opt/webapps/portal-v2) for easy rollback - Test before switching - Deploy a new web app alongside the existing one before changing
defaultWebApp - Document custom headers - Keep a record of any custom HTTP headers and their purpose
- Monitor MIME types - Add MIME types for any custom file formats your web app serves
Maintenance
- Review web apps regularly - Remove unused web applications to reduce the attack surface
- Update security headers - Stay current with recommended HTTP security header values
- Audit JSS scripts - Review server-side scripts for security vulnerabilities
- Back up web app files - Include web application directories in your backup strategy
Quick Reference
Web App Management Commands
# List web apps
completeftp webapp list [properties]
# Show web app details
completeftp webapp show <webAppName> [properties]
# Add web app
completeftp webapp add <webAppName> <folderPath>
# Modify web app
completeftp webapp set <webAppName> property=value
# Remove web app
completeftp webapp remove <webAppName>
Web App Mapping Commands
# Show mappings
completeftp webapp mapping show <webAppName> [site]
# Set mapping properties
completeftp webapp mapping set <webAppName> <site> property=value
HTTP Header Commands
# List headers
completeftp site httpheader list <siteName>
# Add/modify header
completeftp site httpheader set <siteName> <name> <value>
# Remove header
completeftp site httpheader remove <siteName> <name>
MIME Type Commands
# List MIME types
completeftp site mimetype list <siteName>
# Add/modify MIME type
completeftp site mimetype set <siteName> <name> <value>
# Remove MIME type
completeftp site mimetype remove <siteName> <name>
Related Site Properties
defaultWebApp=FileManager2 # Default web app at root URL
httpEnabled=true/false # Enable HTTP protocol
httpsEnabled=true/false # Enable HTTPS protocol
httpBasicAuth=true/false # Enable HTTP Basic Authentication
jssEnabled=true/false # Enable JSS server-side scripting
sharingEnabled=true/false # Enable file sharing in File Manager
Default Security Headers
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block