Gathering detailed insights and metrics for http-server
Gathering detailed insights and metrics for http-server
a simple zero-configuration command-line http server
Installations
npm install http-serverDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=12
Node Version
16.15.0
NPM Version
8.5.5
Releases
12
Languages
3
JavaScript
HTML
Dockerfile
JavaScript (98.32%)
HTML (1.51%)
Dockerfile (0.16%)
Developer
http-party
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
13,940 Stars
637 Commits
1,542 Forks
195 Watchers
7 Branches
93 Contributors
Updated on Jul 12, 2025
Maintainers
3
Package Meta Information
Latest Version
14.1.1
Package Id
http-server@14.1.1
Unpacked Size
121.54 kB
Size
58.22 kB
File Count
20
NPM Version
8.5.5
Node Version
16.15.0
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
http-server: a simple static HTTP server
http-server is a simple, zero-configuration command-line static HTTP server. It is powerful enough for production usage, but it's simple and hackable enough to be used for testing, local development and learning.
Installation:
Running on-demand:
Using npx you can run the script without installing it first:
npx http-server [path] [options]
Globally via npm
npm install --global http-server
This will install http-server globally so that it may be run from the command line anywhere.
Globally via Homebrew
brew install http-server
As a dependency in your npm package:
npm install http-server
Usage:
http-server [path] [options]
[path] defaults to ./public if the folder exists, and ./ otherwise.
Now you can visit http://localhost:8080 to view your server
Note: Caching is on by default. Add -c-1 as an option to disable caching.
Available Options:
| Command | Description | Defaults |
|---|---|---|
-p or --port | Port to use. Use -p 0 to look for an open port, starting at 8080. It will also read from process.env.PORT. | 8080 |
-a | Address to use | 0.0.0.0 |
-d | Show directory listings | true |
-i | Display autoIndex | true |
-g or --gzip | When enabled it will serve ./public/some-file.js.gz in place of ./public/some-file.js when a gzipped version of the file exists and the request accepts gzip encoding. If brotli is also enabled, it will try to serve brotli first. | false |
-b or --brotli | When enabled it will serve ./public/some-file.js.br in place of ./public/some-file.js when a brotli compressed version of the file exists and the request accepts br encoding. If gzip is also enabled, it will try to serve brotli first. | false |
-e or --ext | Default file extension if none supplied | html |
-s or --silent | Suppress log messages from output | |
--cors | Enable CORS via the Access-Control-Allow-Origin header | |
-o [path] | Open browser window after starting the server. Optionally provide a URL path to open. e.g.: -o /other/dir/ | |
-c | Set cache time (in seconds) for cache-control max-age header, e.g. -c10 for 10 seconds. To disable caching, use -c-1. | 3600 |
-U or --utc | Use UTC time format in log messages. | |
--log-ip | Enable logging of the client's IP address | false |
-P or --proxy | Proxies all requests which can't be resolved locally to the given url. e.g.: -P http://someurl.com | |
--proxy-options | Pass proxy options using nested dotted objects. e.g.: --proxy-options.secure false | |
--username | Username for basic authentication | |
--password | Password for basic authentication | |
-S, --tls or --ssl | Enable secure request serving with TLS/SSL (HTTPS) | false |
-C or --cert | Path to ssl cert file | cert.pem |
-K or --key | Path to ssl key file | key.pem |
-r or --robots | Automatically provide a /robots.txt (The content of which defaults to User-agent: *\nDisallow: /) | false |
--no-dotfiles | Do not show dotfiles | |
--mimetypes | Path to a .types file for custom mimetype definition | |
-h or --help | Print this list and exit. | |
-v or --version | Print the version and exit. |
Magic Files
index.htmlwill be served as the default file to any directory requests.404.htmlwill be served if a file is not found. This can be used for Single-Page App (SPA) hosting to serve the entry page.
Catch-all redirect
To implement a catch-all redirect, use the index page itself as the proxy with:
http-server --proxy http://localhost:8080?
Note the ? at the end of the proxy URL. Thanks to @houston3 for this clever hack!
TLS/SSL
First, you need to make sure that openssl is installed correctly, and you have key.pem and cert.pem files. You can generate them using this command:
1openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
You will be prompted with a few questions after entering the command. Use 127.0.0.1 as value for Common name if you want to be able to install the certificate in your OS's root certificate store or browser so that it is trusted.
This generates a cert-key pair and it will be valid for 3650 days (about 10 years).
Then you need to run the server with -S for enabling SSL and -C for your certificate file.
1http-server -S -C cert.pem
If you wish to use a passphrase with your private key you can include one in the openssl command via the -passout parameter (using password of foobar)
e.g.
openssl req -newkey rsa:2048 -passout pass:foobar -keyout key.pem -x509 -days 365 -out cert.pem
For security reasons, the passphrase will only be read from the NODE_HTTP_SERVER_SSL_PASSPHRASE environment variable.
This is what should be output if successful:
1Starting up http-server, serving ./ through https 2 3http-server settings: 4CORS: disabled 5Cache: 3600 seconds 6Connection Timeout: 120 seconds 7Directory Listings: visible 8AutoIndex: visible 9Serve GZIP Files: false 10Serve Brotli Files: false 11Default File Extension: none 12 13Available on: 14 https://127.0.0.1:8080 15 https://192.168.1.101:8080 16 https://192.168.1.104:8080 17Hit CTRL-C to stop the server
Development
Checkout this repository locally, then:
1$ npm i 2$ npm start
Now you can visit http://localhost:8080 to view your server
You should see the turtle image in the screenshot above hosted at that URL. See
the ./public folder for demo content.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 10/18 approved changesets -- score normalized to 5
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-drafter.yml:12
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/release-drafter.yml:13
- Warn: no topLevel permission defined: .github/workflows/node.js.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-drafter.yml:1
- Warn: no topLevel permission defined: .github/workflows/stale.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/http-party/http-server/node.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/http-party/http-server/node.js.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-drafter.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/http-party/http-server/release-drafter.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/http-party/http-server/stale.yml/master?enable=pin
- Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating node:16-alpine to node:16-alpine@sha256:a1f9d027912b58a7c75be7716c97cfbc6d3099f3a97ed84aa490be9dee20e787
- Warn: npmCommand not pinned by hash: Dockerfile:5
- Info: 0 out of 3 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 containerImage dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
- Warn: branch protection not enabled for branch 'v13'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 24 are checked with a SAST tool
Reason
10 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Score
3.6
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More