I run 0807, a small self-hosted file host. Drop a file, get a short link, and choose when it disappears.
What it does:
- No account, no ads, no trackers
- Auto-delete by time (1 hour up to 30 days, or never) or after a set number of downloads
- Optional password protection on files and on text notes
- Files up to 20 GB, with 16 TB of storage behind it
- Reachable over Tor through an onion service
- Text notes with the same self-destruct and password options
- A few file types are blocked for safety (exe, bat, scripts, and similar)
PS: there is no end-to-end encryption, and that is deliberate. The server can read what is stored.
I want to be able to take illegal uploads down when they get reported, CSAM in particular.
End-to-end encryption would make the server blind to its own contents, which is great for privacy but would also stop me from acting on those reports.
If you need real secrecy, encrypt the file before you upload it. The password option is there for casual privacy (not as protection from me or from whoever might get into the server.)
The code is open, and I host it the same way I host the files, on my own server instead of HERE .
You can read it, propose a change, or open an issue there, no account needed
Happy to answer questions about the setup or take feedback.
Doesn’t allow exe files
Introducing my totally real image called calc.jpg that is totally not a pe file with a different extension!
Anyway, prepare to have your file hoster be used to host malware payloads
I was thinking surely it doesn’t just look at the extension and instead uses the mime type at the backend… After looking for a minute (on mobile) I think thats what it does.
process.env.BLOCKED_EXT === undefined ? ‘exe,bat,cmd,com,scr,msi,vbs,ps1,sh,jar’ : process.env.BLOCKED_EXT)
You read it right, BLOCKED_EXT is just an extension list and renaming walks straight past it. But that list was never the malware check, it only stops someone uploading payload.exe
Mime sniffing wouldn’t have caught it either, since that value rides along in the request and a renamed upload just lies about it.
The actual defense is ClamAV, same file if you grep clamScan and CLAMAV_SCAN, and it reads what’s inside the file instead of the name. I tried the calc.jpg trick for real, an EICAR test renamed to calc.jpg sent as image/jpeg, and the upload came back refused.
Clamav is woefully behind on definitions, just be aware of that.
you can install updated filters for it, though. Just check out fangfrisch.
Linux systems don’t rely on extensions to tell a file’s type afaik
Hey, hey, hey! Welcome back @0807.! You’ve made some changes, polished it up a bit, made it selfhostable. Awesome! I could see this being used ‘inhouse’. I’m wouldn’t be comfortable exposing this to the general public tho, for obvious reasons. The internet can be a very beneficial tool, but at the same time be a filthy, rotten, cespool. I’d rather not get dirty. I have bookmarked the source files at https://src.0807.st/, and dropped it in my projects folder. Thanks again for sharing your project.
Hi, first of all, thanks for the kind comment, @irmadlad
Yes, you probably saw my old post (which was incomplete) and which I ended up deleting. I’ve been able to add quite a few useful things to the project, and I’ll continue to maintain it and upload updates to the subdomain (src.0807.st)
And of course, I’ll always advise people to run this locally to minimize risk :)
That’s totally awesome dude. Is this your first project or maybe your first project you’ve released?
Is the name of the service a reference to anything?
What happens if you run out of space because of too many uploads that are set to never expire?
(Also it’s neat! Thanks!)
Hello, yes, the name refers to the webtoon (08/07). It’s an anthology of horror stories. https://www.webtoons.com/en/canvas/0807/list?title_no=848743
As for the stored files whose retention period is set to never they do indeed remain online I monitor their status rather than letting them accumulate unchecked.
There is a configurable storage limit and once it’s reached, the server blocks any new uploads instead of silently deleting or overwriting existing files.
There’s also an (optional cleanup feature) for files that haven’t been used in a long time, which I can enable if I ever run out of space.
With 16 TB, I have plenty of leeway and since I manage the server myself I can add disks or sort through the files manually if necessary. No files without an expiration date are automatically deleted.
And thanks I’m glad you like it :)
Do you mitigate potential abuse where someone deliberately tries to upload as much as they can as fast as possible?
Thank you for making this!
Do you keep in touch with the other folks who run cool filehosts? The only other one i know like this is catbox, but it is a similar vibe.
Hi, first of all thanks for the nice comment.
And yes, I’m in touch with some people who run file-hosting services, and they’ve helped me a lot.
Catbox is a good file-hosting service, but unfortunately it doesn’t support files larger than 200MB
deleted by creator





