DumbDrop

A stupid simple file upload application that provides a clean, modern interface for dragging and dropping files. Built with Node.js and vanilla JavaScript.

No auth (unless you want it now!), no storage, no nothing. Just a simple file uploader to drop dumb files into a dumb folder.

Table of Contents

• Quick Start
• Production Deployment with Docker
• Local Development (Recommended Quick Start)
• Features
• Configuration
• Security
• Technical Details
• Demo Mode
• Contributing
• License

Quick Start

Option 1: Docker (For Dummies)

# Pull and run with one command
docker run -p 3000:3000 -v ./uploads:/app/uploads dumbwareio/dumbdrop:latest

1. Go to http://localhost:3000
2. Upload a File - It'll show up in ./uploads
3. Celebrate on how dumb easy this was

Option 2: Docker Compose (For Dummies who like customizing)

Create a docker-compose.yml file:

services:
  dumbdrop:
    image: dumbwareio/dumbdrop:latest
    ports:
      - 3000:3000
    volumes:
      # Where your uploaded files will land
      - ./uploads:/app/uploads
    environment:
      # Explicitly set upload directory inside the container
      UPLOAD_DIR: /app/uploads
      # The title shown in the web interface
      DUMBDROP_TITLE: DumbDrop
      # Maximum file size in MB
      MAX_FILE_SIZE: 1024
      # Optional PIN protection (leave empty to disable)
      DUMBDROP_PIN: 123456
      # Upload without clicking button
      AUTO_UPLOAD: false
      # The base URL for the application
      # You must update this to the url you use to access your site
      BASE_URL: http://localhost:3000

Then run:

docker compose up -d

1. Go to http://localhost:3000
2. Upload a File - It'll show up in ./uploads
3. Rejoice in the glory of your dumb uploads

Note: The UPLOAD_DIR environment variable is now explicitly set to /app/uploads in the container. The Dockerfile only creates the uploads directory, not local_uploads. The host directory ./uploads is mounted to /app/uploads for persistent storage.

Option 3: Running Locally (For Developers)

For local development setup, troubleshooting, and advanced usage, see the dedicated guide:

👉 Local Development Guide

Features

• 🚀 Drag and drop file uploads
• 📁 Multiple file selection
• 🎨 Clean, responsive UI with Dark Mode
• 📦 Docker support with easy configuration
• 📂 Directory upload support (maintains structure)
• 🔒 Optional PIN protection
• 📱 Mobile-friendly interface
• 🔔 Configurable notifications via Apprise
• ⚡ Zero dependencies on client-side
• 🛡️ Built-in security features
• 💾 Configurable file size limits
• 🎯 File extension filtering
• 📋 Optional file listing with download/delete functionality

Configuration

Environment Variables

| Variable | Description | Default | Required | | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -------- | | PORT | Server port | 3000 | No | | BASE_URL | Base URL for the application | http://localhost:PORT | No | | MAX_FILE_SIZE | Maximum file size in MB | 1024 | No | | DUMBDROP_PIN | PIN protection (4-10 digits) | None | No | | DUMBDROP_TITLE | Site title displayed in header | DumbDrop | No | | APPRISE_URL | Apprise URL for notifications | None | No | | APPRISE_MESSAGE | Notification message template | New file uploaded {filename} ({size}), Storage used {storage} | No | | APPRISE_SIZE_UNIT | Size unit for notifications (B, KB, MB, GB, TB, or Auto) | Auto | No | | AUTO_UPLOAD | Enable automatic upload on file selection | false | No | | SHOW_FILE_LIST | Enable file listing with download and delete functionality | false | No | | ALLOWED_EXTENSIONS | Comma-separated list of allowed file extensions | None | No | | ALLOWED_IFRAME_ORIGINS (deprecated: see ALLOWED_ORIGINS) | Comma-separated list of origins allowed to embed the app in an iframe | None | No | | ALLOWED_ORIGINS | You can restrict CORS to your BASE_URL or a comma-separated list of specified origins, which will automatically include your base_url | '*' | No | | UPLOAD_DIR | Directory for uploads (Docker/production; should be /app/uploads in container) | None (see LOCAL_UPLOAD_DIR fallback) | No | | LOCAL_UPLOAD_DIR | Directory for uploads (local dev, fallback: './local_uploads') | ./local_uploads | No | | TRUST_PROXY | Trust proxy headers (X-Forwarded-For) - only enable if behind a reverse proxy | false | No | | TRUSTED_PROXY_IPS | Comma-separated list of trusted proxy IPs (optional, requires TRUST_PROXY=true) | None | No |

• UPLOAD_DIR is used in Docker/production. If not set, LOCAL_UPLOAD_DIR is used for local development. If neither is set, the default is ./local_uploads.
• Docker Note: The Dockerfile now only creates the uploads directory inside the container. The host's ./local_uploads is mounted to /app/uploads and should be managed on the host system.
• BASE_URL: If you are deploying DumbDrop under a subpath (e.g., https://example.com/watchfolder/), you must set BASE_URL to the full path including the trailing slash (e.g., https://example.com/watchfolder/). All API and asset requests will be prefixed with this value. If you deploy at the root, use https://example.com/.
• BASE_URL must end with a trailing slash. The app will fail to start if this is not the case.

See .env.example for a template and more details.

<details> <summary>Reverse Proxy Configuration (TRUST_PROXY)</summary>

Important Security Notice

By default, DumbDrop does not trust proxy headers like X-Forwarded-For. This prevents attackers from spoofing IP addresses to bypass rate limiting and PIN brute-force protection.

When to Enable TRUST_PROXY

Only enable TRUST_PROXY=true if you are deploying DumbDrop behind a trusted reverse proxy such as:

• Nginx
• Apache
• Caddy
• Traefik
• Cloudflare
• Other CDN or load balancer

Basic Configuration

If behind a single reverse proxy:

TRUST_PROXY=true

Advanced Configuration (Recommended)

For additional security, specify the exact IP addresses of your trusted proxies:

TRUST_PROXY=true
TRUSTED_PROXY_IPS=172.17.0.1,10.0.0.1

Common proxy IPs:

• Docker default bridge: 172.17.0.1
• Docker Compose networks: Check with `dock