This guide covers installing ServeBox, running it safely, all supported CLI flags, and common examples.
ServeBox requires Python 3.11 or newer.
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txtOn systems where Python is exposed as python3:
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txtServe a directory with:
python -m servebox <root-directory> --port 9999The root directory becomes / in the browser. For example:
python -m servebox ~/Downloads --port 9999Then open:
http://127.0.0.1:9999root Required. Directory exposed as / in the web UI.
--host HOST Bind host. Default: 127.0.0.1.
--port PORT Bind port. Default: 9999.
--token TOKEN Require token auth for UI, file, and API routes.
--readonly Disable upload, mkdir, rename, and delete.
--show-hidden Show dotfiles and dot directories.
--max-upload-mb MB Maximum upload size per file. Default: 512.
--max-preview-mb MB Maximum text preview size. Default: 5.
--max-search-results COUNT Maximum recursive search results. Default: 500.
--exclude NAMES Comma-separated directory names skipped by search.
--allow-no-token-on-lan Allow --host 0.0.0.0 without --token.Default excluded search directories:
.git,node_modules,__pycache__,venv,.venv,dist,build,target,.idea,.vscodeServe your home directory on localhost:
python -m servebox ~/ --host 127.0.0.1 --port 9999Serve the current directory:
python -m servebox . --port 9999Serve Downloads in readonly mode:
python -m servebox ~/Downloads --readonlyServe Downloads and show hidden files:
python -m servebox ~/Downloads --show-hiddenServe to your LAN with token auth:
python -m servebox ~/Downloads --host 0.0.0.0 --port 9999 --token mysecretOpen with the token in the URL:
http://<machine-ip>:9999/browse?token=mysecretServe to LAN without token auth, only if you accept the risk:
python -m servebox ~/Downloads --host 0.0.0.0 --port 9999 --allow-no-token-on-lanLimit upload size to 100 MB per file:
python -m servebox ~/Downloads --max-upload-mb 100Limit text previews to the first 2 MB:
python -m servebox ~/Downloads --max-preview-mb 2Limit search results:
python -m servebox ~/Downloads --max-search-results 100Customize excluded search directories:
python -m servebox ~/Projects --exclude .git,node_modules,.cache,tmpThe top bar shows the app name, selected root path, write mode, search, and logout when token auth is enabled.
The sidebar lazily loads child folders. It does not recursively load the full directory tree on page load.
The main browser includes:
- Breadcrumb navigation.
- Current directory filter.
- Upload button and drag/drop zone when not readonly.
- File table with name, type, size, modified time, and actions.
- View, download, copy path, rename, and delete actions.
Delete uses a confirm modal. It does not require typing the full path.
The search box in the top bar performs case-insensitive recursive filename search. It behaves like:
find . -iname "*query*"Search can run from the root or the current directory, depending on the scope selector. It skips excluded directory names and stops at --max-search-results.
Uploads are allowed unless --readonly is set.
ServeBox supports:
- Multiple file selection.
- Drag and drop.
- Per-file upload limit through
--max-upload-mb. - Safe filename validation.
- Auto-renaming instead of overwriting.
If file.txt already exists, uploads become:
file (1).txt
file (2).txtServeBox previews common file types:
- Text and code files in a monospace viewer.
- Images inline.
- PDFs in an embedded viewer.
- Audio through an HTML5 audio player.
- Video through an HTML5 video player.
Unknown or binary files show metadata and a download action.
Text previews are limited by --max-preview-mb.
When --token is set, ServeBox requires authentication.
You can log in through:
http://127.0.0.1:9999/loginOr include the token in a direct URL:
http://127.0.0.1:9999/browse?token=mysecretThe login stores the token in an HTTP-only cookie.
Readonly mode disables write operations:
python -m servebox ~/Downloads --readonlyDisabled operations:
- Upload.
- Create folder.
- Rename.
- Delete.
Browsing, previewing, downloading, and searching still work.
ServeBox confines every request to the configured root directory.
The safe resolver:
- Treats browser paths as relative paths under the root.
- Rejects absolute paths.
- Rejects null bytes and malformed paths.
- Resolves
..traversal. - Resolves symlinks.
- Allows access only when the resolved target is the root or inside it.
Symlinks that point outside the root are blocked.
If python is not found, use python3.
If pytest or FastAPI imports fail, install dependencies:
pip install -r requirements.txtIf port 9999 is already in use, choose another port:
python -m servebox ~/Downloads --port 10000If another device cannot connect, check:
- ServeBox is running with
--host 0.0.0.0. - The URL uses the machine IP, not
127.0.0.1. - A firewall is not blocking the port.
- Token auth is included or you are logged in.
Run tests:
pytestRun with dependencies through uv if your system Python has no venv or pip:
uv run --with fastapi --with uvicorn --with jinja2 --with python-multipart --with aiofiles --with pytest python -m pytest -q