DataDock is a lightweight, self-contained file & text sharing server built with .NET 9 and compiled as a Native AOT single-file binary. It has zero runtime dependencies β just copy and run.
Users connect directly through any modern web browser to upload, share, download and manage files and text snippets.
| Feature | Details |
|---|---|
| Zero-dependency binary | Single executable, Native AOT, minimal memory usage |
| File & text sharing | Drag & drop upload, text snippet storage |
| Three security modes | No-auth / Auth (TOTP) / Mixed |
| TOTP authentication | RFC 6238, shared secret, no external IdP needed |
| Multilingual UI | English + ΩΨ§Ψ±Ψ³Ϋ (Persian), auto RTL/LTR |
| HTTP + HTTPS | Configurable ports, optional PFX certificate |
| SHA-256 integrity | Hash computed on every upload |
| Retention policy | Optional auto-delete after N days |
| Multi-source config | CLI β Env vars β DB β appsettings.json β defaults |
# Run on default HTTP port 6440 (no auth)
./datadock
# Open in browser
http://localhost:6440Settings are merged in this priority order (highest β lowest):
- CLI arguments
- Environment variables (
DATADOCK_*prefix) - Database-stored settings (saved via Web UI)
appsettings.json- Built-in defaults
| Key | Default | Description |
|---|---|---|
HttpPort |
6440 |
HTTP listening port |
HttpsPort |
6441 |
HTTPS listening port |
UseHttps |
false |
Enable HTTPS |
SecurityMode |
NoAuth |
NoAuth / Auth / Mixed |
TotpSecret |
(empty) | Base-32 TOTP shared secret |
PfxPath |
(empty) | Path to PFX/PKCS#12 file |
PfxPassword |
(empty) | PFX file password |
MaxUploadSizeMb |
0 |
Max upload size (0 = unlimited) |
UploadsPath |
./uploads |
Upload directory |
DatabasePath |
./datadock.db |
Database file path |
SessionMinutes |
720 |
Auth cookie lifetime (in minutes; 720 = 12 h) |
RetentionDays |
0 |
Auto-delete after N days (0 = disabled) |
DATADOCK_HTTP_PORT=8080
DATADOCK_HTTPS_PORT=8443
DATADOCK_USE_HTTPS=true
DATADOCK_SECURITY_MODE=Mixed
DATADOCK_TOTP_SECRET=JBSWY3DPEHPK3PXP
DATADOCK_PFX_PATH=/certs/server.pfx
DATADOCK_PFX_PASSWORD=mypassword
DATADOCK_MAX_UPLOAD_SIZE_MB=500
DATADOCK_ALLOWED_IPS=192.168.1.0/24,2001:db8::/32
DATADOCK_RETENTION_DAYS=7Fully open. Any user can upload, download, view and delete items.
All operations require authentication.
- Anonymous users: can view and download items marked as public only.
- Authenticated admin: full access (upload, download, delete, toggle public).
datadock [OPTIONS]
OPTIONS
--port <number> HTTP port (default: 6440)
--https-port <number> HTTPS port (default: 6441)
--use-https <true|false> Enable HTTPS (default: false)
--pfx-path <path> PFX certificate path
--pfx-password <password> PFX password
--security-mode <mode> NoAuth | Auth | Mixed (default: NoAuth)
--no-auth Shorthand for --security-mode NoAuth
--totp-secret <secret> Base-32 TOTP secret
--max-upload-size-mb <n> Upload size limit (0=unlimited) (default: 0)
--allowed-ips <list> Comma-separated allowed IPs / CIDR ranges (IPv4 & IPv6).
Empty = allow all. Loopback (127.0.0.1 / ::1) is
always allowed regardless of this setting. Examples:
"192.168.1.10" IPv4 single
"192.168.1.0/24" IPv4 subnet
"2001:db8::1" IPv6 single
"2001:db8::/32" IPv6 subnet
"10.0.0.0/8,2001:db8::/32" mixed entries
--show-qr Start a QR-code-only server for TOTP setup
(requires Auth or Mixed + --totp-secret)
--config-db Start a web panel to manage database settings
--help | -h Show help
# Simple HTTP, no auth
./datadock --port 8080
# Auth TOTP
./datadock --security-mode Auth --totp-secret JBSWY3DPEHPK3PXP
# Mixed mode with HTTPS
./datadock --security-mode Mixed --totp-secret JBSWY3DPEHPK3PXP \
--use-https true --pfx-path ./cert.pfx --pfx-password s3cr3t
# Custom upload limit (500 MB)
./datadock --max-upload-size-mb 500
# 7-day retention
DATADOCK_RETENTION_DAYS=7 ./datadockBeyond the normal server, DataDock has two single-purpose startup modes.
Spins up a minimal HTTP server that serves only a QR-code page for scanning with Google Authenticator, Aegis, or any TOTP app. Every URL on that server returns the same page; no items or uploads are accessible.
Requirements: --security-mode Auth or Mixed plus --totp-secret.
./datadock --show-qr --security-mode Auth --totp-secret JBSWY3DPEHPK3PXP
# Open http://localhost:6440 β scan QR code β Ctrl+C β restart normallyThe page displays the QR code image, the raw Base-32 secret, and the otpauth:// URI. Once you've scanned it, stop the process and start DataDock normally.
Opens a web-based configuration panel that reads and writes settings stored in the database. These DB-stored settings sit below env vars and CLI flags in the precedence order, so they are a convenient way to persist defaults without editing appsettings.json.
No authentication is required for the config panel β run it only on a trusted network or loopback, then stop it before starting the normal server.
./datadock --config-db
# Open http://localhost:6440 β adjust settings β Save β Ctrl+C β restart normallyConfigurable keys: HttpPort, HttpsPort, UseHttps, SecurityMode, TotpSecret, PfxPath, PfxPassword, MaxUploadSizeMb, UploadsPath, SessionMinutes, RetentionDays, AllowedIps.
| Method | Path | Description |
|---|---|---|
GET |
/ |
Web UI (SPA) |
GET |
/health |
Health check {"status":"ok"} |
DataDock/
βββ src/DataDock/
β βββ Configuration/ AppConfig, ConfigurationLoader, HelpPrinter
β βββ Endpoints/ Auth, Item, Health, Static route handlers
β βββ Middleware/ RateLimitMiddleware
β βββ Models/ DockItem
β βββ Serialization/ AppJsonContext (AOT JSON source generation)
β βββ Services/ DatabaseService, ItemService, TotpHelper,
β β RateLimiter, AccessControl, FileNameSanitizer
β βββ wwwroot/ index.html, styles.css, app.js (embedded in binary)
β βββ appsettings.json
β βββ Program.cs
βββ tests/DataDock.Tests/
βββ ConfigurationPrecedenceTests.cs
βββ AccessControlTests.cs
βββ FileValidationTests.cs
cd src/DataDock
dotnet build
dotnet rundotnet test# Linux x64
dotnet publish src/DataDock -c Release -r linux-x64 -o ./publish
# Windows x64
dotnet publish src/DataDock -c Release -r win-x64 -o ./publish
# macOS arm64 (Apple Silicon)
dotnet publish src/DataDock -c Release -r osx-arm64 -o ./publishThe output is a single self-contained executable with the Web UI embedded inside.
Prerequisites for Native AOT on Linux:
sudo apt install clang zlib1g-dev
./uploads/
{guid}/
{sanitized-filename} β uploaded file
{guid}/
datadock-{guid}.txt β long text (> 4 KB)
Short texts (β€ 4 KB) are stored inline in the database. Each item gets a server-assigned GUID to prevent collisions and path traversal.
The web interface ships with English and ΩΨ§Ψ±Ψ³Ϋ (Persian) locale files embedded in the binary.
| Language | Code | Direction |
|---|---|---|
| English | en |
LTR |
| Persian (ΩΨ§Ψ±Ψ³Ϋ) | fa |
RTL |
- The UI auto-detects the preferred language from the browser's
Accept-Languageheader and defaults to English if no match is found. - Layout direction (LTR / RTL) switches automatically β no manual configuration needed.
- The font list changes automatically based on the active language so the most suitable typeface is selected for each script.
- Locale files are at
src/wwwroot/locales/{en,fa}.json. To add a new language, add a JSON file with the same keys and ametablock specifyingname,dir("ltr"or"rtl"), andfonts.
- Generate a Base-32 secret (e.g. with
openssl rand -base32 20) - Import it into any authenticator app (Google Authenticator, Aegis, etc.) β most apps accept the raw Base-32 string or a
otpauth://URL - Pass the secret to DataDock:
./datadock --totp-secret YOUR_BASE32_SECRET --security-mode Auth| Asset | Source | License |
|---|---|---|
| UI icons | Lucide Icons | ISC |
See THIRD_PARTY_LICENSES.md for full license text.
MIT
