A tiny, self-hosted upload target for ShareX and similar clients. Runs on Node.js and stores uploads on disk.
- File uploads (including text, image, GIF, MP4 etc)
- Simple files directory listing with configurable endpoint
- Downloadable .sxcu file endpoint (/api/sxcu)
- Setting Base URL
- Custom generated filename length
🐳 Docker is the recommended way to run ShareX Server! See Docker Hub for setup instructions.
npm install sharex-server-
import { ShareXServer } from "sharex-server"; new ShareXServer({ password: "s3cret", port: 8080, savePath: "./uploads" });
All options accepted by the ShareXServer constructor:
password(string) - REQUIRED. The password clients must send as thex-passwordheader to upload files.port(number, default8080) - TCP port the server listens on.baseUrl(string, default/) - Base URL the server will run on.savePath(string, default./uploads) - Filesystem directory where uploads are stored. The server ensures this directory exists. On Windows prefer an absolute path to avoid a leading/being prefixed when resolving.filenameLength(number, default10) - Length passed tonanoid()used to generate short random filenames.enableSxcu(boolean, defaultfalse) - Whentruethe server exposes a simple endpoint to get a downloadable .sxcu atGET /api/sxcu.fileListing(string | false, defaultfiles) - Path to file listing of uploads. Set tofalseto disable the listing.debug(boolean, defaultfalse) - Enable verbose debug logging to the console.forceHttps(boolean | undefined) - Force HTTPS for return URL (useful when running behind reverse proxy)trustProxy(boolean, defaultfalse) - Sets Express trust proxy to true; Useful for getting your X-Forwarded-For IP from reverse proxy when running with debug enabled; Also enables forceHttps if not explicitly set to a boolean
- The server saves uploaded files directly under
savePathand will serve any file in that directory - do not pointsavePathat directories containing sensitive data. - The upload flow is protected only by the
x-passwordheader - run behind HTTPS and/or restrict access with a firewall or reverse proxy for production deployments. - The code sets
this.#fsPath = join("./", this.savePath). If you encounter path problems on Windows, setsavePathto an absolute Windows path (e.g.C:\data\uploads). - Ensure the Node process has permission to create and write to
savePath.
- Endpoint:
POST /api/upload(multipart form, field namefile). - Auth: include header
x-password: <your-password>. - Success response: JSON containing a
urlpointing to the uploaded file. - Error response: JSON containing an
errorproperty with status code 400 for missing file and 401 for missing/incorrect password.
Example (PowerShell / pwsh):
curl -X POST "http://localhost:8080/api/upload" -H "x-password: s3cret" -F "file=@C:\path\to\file.jpg"Example (Linux / macOS):
curl -X POST "http://localhost:8080/api/upload" \
-H "x-password: s3cret" \
-F "file=@/path/to/file.jpg"-
GET /:filename- Purpose: Download a previously uploaded file. The server streams the file from disk.
- Response: 200 with file body and
Content-Typederived via themime-typeslookup (falls back toapplication/octet-stream). - Response: 404 if file does not exist.
-
GET /files(or the configuredfileListingpath)- Purpose: Optional file listing page with links and upload timestamps. Disabled when
fileListingisfalse. - Response: Simple HTML list of links to the uploaded files and their upload dates`.
- Purpose: Optional file listing page with links and upload timestamps. Disabled when
-
GET /api/sxcu- Purpose: When
enableSxcuistrue, will return a .sxcu file to be used with ShareX.
- Purpose: When
Note: All endpoints take the configured
baseUrlinto account.
This means that every URL will be prefixed with thebaseUrlyou have configured. (example:GET /baseUrl/files)
- Filenames are generated as:
{nanoid(length)}.{ext}whereextuses the uploaded file's original extension if it has one. - A collision safeguard checks whether a file with the generated name already exists and regenerates until successful. The probability of collision is extremely low with
nanoid.