Note: Please stop using TinyHTTPD. It may have been a nice thing back when it was written, but there are just too many problems to use this in any production environment. Please take the following as reference, perhaps for understanding HTTP, but when you need a lightweight HTTP server for actual use, try Boa. This is better suited even for the purpose for which TinyHTTPD was originally intended. For a better web server in perl, look at Plexus or HTTPi.

TinyHTTPD - minimum HTTP server in perl

Recently I needed a test-bed for scripts that generate HTML, and file access didn't suffice. As usual, the first attempt at awk-ing the request from a socket(1)-executed script soon grew big and ugly with ever more special cases being added. As the need to support ISINDEX and FORMs came up, I re-wrote the whole thing in perl. Now the simple test aid has become a program that can be used in similar situations when you need an HTTP server quickly without bothering to install a CERN or NCSA server.

This one does not have all the features needed; in particular, it knows only about text, HTML and GIF files and the support for CGI scripts is limited (just enough to check if they work and produce correct output). It supports only HTTP 1.0 and only GET and POST requests.

Configuring and Using

The script starts with a configuration section in which you specify the port to listen on, the directories for HTML files and CGI programs and the access control list (see below). Simply run the script under perl (works with version 4.0). It generates a log file httpd.log that records every access with time, PID and URL. I have replaced the usually needed require 'sys/' with a few macro definitions; check that these are correct on your system.

Security considerations

I wrote this as an aid for controlled short-term testing purposes, not to support a publicly available WWW server. So the security features such a server would need are missing. Potentially, this script can read/execute every file that is readable/executable by its UID. (It blocks .. in URLs but nothing else.) The program intentionally refuses to run as root or set-uid. Achieving proper security is hard and this is too simple and hacked-up to be fireproof. I strongly recommend against using it in a production environment - get the NCSA or CERN httpd instead.

The simplest security measures are built in, however. You can (have to) define access control lists; keep them as restricted as necessary. The ACL consists of pairs of regexps against which hostname (including aliases) and URL are matched. If the URL is prefixed with a !, this means "deny". To get access, at least one allowed pattern pair must match and no denied pattern may match.
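The ACL rule described above, sketched as an added example that is not TinyHTTPD's own code. The array layout, the function name acl_allows, the placement of the .. check ahead of the ACL, and all hostnames and URLs are assumptions constructed for illustration; it is written for perl 5.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed ACL. Each entry is [host regexp, URL regexp]; a leading "!"
# on the URL regexp marks a deny pair. This layout is an assumption.
my @acl = (
    [ '^localhost$',     '^/'               ],
    [ '\.lab\.example$', '^/docs/'          ],
    [ '\.lab\.example$', '!^/docs/private/' ],
);

# Returns 1 if at least one allow pair matches and no deny pair matches.
# $hosts holds the client's hostname and all of its aliases.
sub acl_allows {
    my ($acl, $hosts, $url) = @_;
    return 0 if $url =~ /\.\./;    # ".." is refused first in this sketch
    my $allowed = 0;
    for my $pair (@$acl) {
        my ($host_re, $url_re) = @$pair;
        my $deny = ($url_re =~ s/^!//) ? 1 : 0;   # strip the marker from the copy
        next unless $url =~ /$url_re/;
        next unless grep { /$host_re/ } @$hosts;
        return 0 if $deny;         # one matching deny pair is final
        $allowed = 1;              # keep scanning: a later deny may still match
    }
    return $allowed;               # default deny when nothing matched
}

# Constructed requests: [hostname and aliases], URL
my @cases = (
    [ ['localhost'],                           '/index.html'          ],
    [ ['pc7.lab.example'],                     '/docs/a.html'         ],
    [ ['pc7.lab.example'],                     '/docs/private/x.html' ],
    [ ['pc7.lab.example'],                     '/index.html'          ],
    [ ['gw.other.example', 'pc9.lab.example'], '/docs/a.html'         ],
    [ ['localhost'],                           '/docs/../notes.html'  ],
    [ ['pc7.lab.example.other.test'],          '/docs/a.html'         ],
);
for my $case (@cases) {
    my ($hosts, $url) = @$case;
    my $verdict = acl_allows(\@acl, $hosts, $url) ? 'ALLOW' : 'DENY';
    printf "%-5s %-35s %s\n", $verdict, join(',', @$hosts), $url;
}
```

A regexp matches anywhere in the string unless it is anchored, so the outcome of the last case depends on the trailing $ in the host pattern. Anchor host patterns with ^ or $ and URL patterns with ^ to keep an ACL as restricted as intended.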


The current version is numbered 1.4 and about 5.5 kbytes in size. It was posted on alt.sources on August 15, 1994.

I place this in the public domain. I explicitly disclaim any express or implied warranty and responsibility for any consequences of the use of this program. Use strictly at your own risk. If you find a bug, mail me.

Software referenced in this document can be found here:
1997-01-05 Olaf Titz, G212