filecoffee · lukasvdberk · Oct 21, 2025 · Oct 21, 2025 · Oct 22, 2025 · Oct 22, 2025
diff --git a/.env.example b/.env.example
@@ -21,6 +21,9 @@ PORT=3000
  # Comma-separated list of API keys
 API_KEYS=key1,key2,key3
 
+# Enable the web upload page (default: false)
+ENABLE_UPLOAD_PAGE=false
+
 # This is the maximum file size that can be uploaded and the max file name length. '-1' is unlimited file size, not recommended.
 FILE_NAME_LENGTH=10
 FILE_MAX_SIZE_MB=30
diff --git a/.gitignore b/.gitignore
@@ -135,3 +135,4 @@ dist
 .yarn/build-state.yml
 .yarn/install-state.gz
 .pnp.*
+CLAUDE.md
diff --git a/README.md b/README.md
@@ -43,6 +43,12 @@ We also recommend forking the project and deploying your forked version to avoid
 - [ ] Advertising support
 - [ ] NSFW detection and filtering
 
+### Web Upload Page
+The built-in web upload page at `/upload` is disabled by default. To enable it, set the following in your `.env`:
+```
+ENABLE_UPLOAD_PAGE=true
+```
+
 ### S3 Compatible Storage
 For the s3 compatbile storage engine, we recommend using Contabo Object Storage. It's a cheap (2,50/mth for 250GB with unlimited bandwidth at 80mbps) and really easy to set up. Just make an account, get the object storage, make a bucket and fill in the details in the `.env` and it _just works_.
 

diff --git a/index.js b/index.js
@@ -10,8 +10,20 @@ const port = process.env.PORT;
 const hosterEmail = process.env.HOSTER_EMAIL;
 
 app.set("view engine", "ejs");
+app.use(express.static("public"));
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'", "https://cdn.jsdelivr.net"],
+      imgSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'"],
+      fontSrc: ["'self'", "https://cdn.jsdelivr.net"],
+    },
+  },
+}));
 app.use(fileRoutes);
-app.use(helmet());
 
 const s3 = require("./engines/s3.engine");
 const local = require("./engines/local.engine");
@@ -57,6 +69,23 @@ app.get("/", async (req, res) => {
   });
 });
 
+const enableUploadPage = process.env.ENABLE_UPLOAD_PAGE === "true";
+
+app.get("/upload", (req, res) => {
+  if (!enableUploadPage) {
+    return res.status(404).send("Upload page is disabled.");
+  }
+  res.render("upload");
+});
+
+app.get("/api/config", (req, res) => {
+  res.json({
+    maxFileSize: parseInt(process.env.FILE_MAX_SIZE_MB, 10) * 1024 * 1024,
+    maxFileSizeMB: parseInt(process.env.FILE_MAX_SIZE_MB, 10),
+    fileNameLength: parseInt(process.env.FILE_NAME_LENGTH, 10) || 10,
+  });
+});
+
 app.listen(port, () => {
   console.log(`Server is running on port ${port}`);
 });
diff --git a/package.json b/package.json
@@ -1,5 +1,6 @@
 {
   "scripts": {
+    "dev": "node index.js",
     "test": "jest"
   },
   "jest": {