_____ __ __ ____ ____ ____ ___ ____ |_ _| \/ | _ \| _ \| _ \ / _ \| _ \ | | | |\/| | |_) | | | | |_) | | | | |_) | | | | | | | __/| |_| | _ <| |_| | __/ |_| |_| |_|_| |____/|_| \_\\___/|_| ephemeral file drop // self-hosted // v1.0
Upload a file. Get a link. The link dies on schedule. No accounts, no tracking,
no analytics, no third party. Files served with a strict Content-Security-Policy
sandbox so a malicious upload can't run in your browser.
drop a file
api
One endpoint. Multipart form. Public. No auth.
| method | path | purpose |
|---|---|---|
| POST | /upload | upload a file, get a URL + slug |
| GET | /f/:slug | fetch a file (returns 410 once expired) |
| GET | /healthz | liveness probe |
upload — curl
curl -F [email protected] -F ttl=1h https://tmpdrop.solardev.online/upload
Response (JSON):
{
"url": "https://tmpdrop.solardev.online/f/AbCdEfGhIjKl.png",
"slug": "AbCdEfGhIjKl",
"expires_at": 1717000000,
"size": 18234,
"mime": "image/png"
}
parameters
| field | required | notes |
|---|---|---|
file | yes | multipart file part. Max 25 MB. |
ttl | no | 1h (default) or 24h. Anything else: 400. |
file types
Any file type is accepted. Size is the only gate — see 25 MB above.
Uploads are served with a strict Content-Security-Policy: sandbox
plus X-Content-Type-Options: nosniff, so nothing in an uploaded file
can execute in your browser. text/html and
application/xhtml+xml are additionally forced to download rather
than render inline.
status codes
| code | meaning |
|---|---|
200 | ok |
400 | no file, or bad ttl |
410 | file expired |
413 | over size limit |
429 | rate limited (30 req / min per IP) |
retention & privacy
- Files are deleted from disk + DB the minute they expire. There is no soft-delete.
- URL slugs are 12 chars of base64url (~72 bits of entropy). Not guessable.
- Uploader IPs are stored as a truncated SHA-256, never raw.
- No cookies. No analytics. No third-party requests on this page.