- WebDAV is an HTTP extension that allows you to manage remote files as if they were local.
- It is supported by Windows, macOS, Linux, many NAS devices, and private clouds such as Nextcloud.
- It offers compatibility and security advantages using HTTPS, but requires good configuration.
- It competes and coexists with SMB, FTP/S, SFTP, rsync, and other sharing solutions.
If you've been seeing the word WebDAV for a while and you still don't quite understand what the heck it is, don't worry, you're not alone. Many people confuse it with a service like Dropbox or Google Drive, when in reality it's something else entirely: a protocol that many storage services, private clouds, and servers use to allow you to manage files remotely as if they were on your own computer.
The key idea behind WebDAV is that you can open, edit, move, and delete files on a remote server just as you would in a local folder. It doesn't matter if you're at home, in the office, or connected to a NAS on the other side of the world: if the server and your device support WebDAV, you'll see those files as a network drive or another directory in your operating system.
What exactly is WebDAV?
WebDAV stands for Web-based Distributed Authoring and Versioning. It is an extension of the HTTP protocol developed within the IETF (the organization that standardizes many Internet protocols) so that the web is not only for reading, but also for editing.
Instead of simply displaying web pages as plain HTTP does, WebDAV adds file management functions: directory creation, copying, moving, locking files, modifying properties, etc. All of this is done using new HTTP methods and additional headers, with XML for describing metadata and structures.
Tim Berners-Lee's initial vision for the web included being able to edit content directly from the browser. The first WorldWideWeb browser allowed users to both read and modify remote pages, but the real web evolved into a virtually read-only environment. WebDAV was created precisely to try to recover that distributed editing capability over HTTP.
Formal work on WebDAV was channeled into an IETF working group. Over time, it has published several RFCs (standard documents) that define the protocol and its extensions: functional requirements, base protocol, ordered collections, access control, improvements to the MKCOL method, etc. Among the most important are RFC 2518 (now obsolete) and RFC 4918, which define the core of the protocol.
How WebDAV works at the protocol level
WebDAV runs directly on top of HTTP or HTTPS. In other words, the same port 80 or 443 and the same connections are used as for web browsing, but with the addition of specific methods. This has a very practical consequence: it usually passes through firewalls, NAT and proxies without problems, because in the eyes of the network it is "simple web traffic" (even though it does much more).
The protocol introduces a number of new methods over HTTP, which allow manipulation of so-called resources (files or directories identified by a URL or URI):
- PROPFIND: retrieves the properties of a resource (in XML) and can also list the collection structure, i.e., the remote “directory hierarchy”.
- PROPPATCH: changes or deletes multiple properties of a resource in a single atomic operation.
- MKCOL: creates new collections, which in practice is equivalent to creating directories or folders.
- COPY: copies a resource from one URL to another within the same server or to another compatible server.
- MOVE: moves or renames a resource, changing its location or path.
- LOCK: locks a resource to prevent uncontrolled simultaneous modifications; locks can be shared or exclusive.
- UNLOCK: removes a previously established lock on a resource.
- SEARCH: in some extensions, it allows you to perform searches on the resources of the WebDAV server.
All these methods work on “resources” identified by a URI. From the end user's point of view, these resources are usually presented as files and folders that you see in your file explorer, but at the network level they are still URLs served by HTTP/HTTPS.
The use of XML is a distinctive feature of WebDAV. It is used to represent properties, directory structures, search results, and other metadata. This makes the protocol quite flexible, although it also introduces some overhead in terms of header size and processing.
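As an added illustration (not code from the original article), the Python sketch below shows the XML body a client sends with PROPFIND and parses a constructed 207 Multi-Status reply into a directory listing. The /files/ paths and sample values are invented, and refusing DTD and entity declarations is a hardening choice of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DAV = "{DAV:}"  # namespace used by all core WebDAV elements

# Body sent with "PROPFIND /files/ HTTP/1.1" and the header "Depth: 1".
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<D:propfind xmlns:D="DAV:"><D:prop>'
    "<D:resourcetype/><D:getcontentlength/><D:getlastmodified/>"
    "</D:prop></D:propfind>"
)

# Constructed 207 Multi-Status reply: one collection and one file.
SAMPLE_MULTISTATUS = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response>
  <D:href>/files/</D:href>
  <D:propstat>
   <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
   <D:prop><D:getcontentlength/><D:getlastmodified/></D:prop>
   <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
 </D:response>
 <D:response>
  <D:href>/files/report%20final.odt</D:href>
  <D:propstat>
   <D:prop>
    <D:resourcetype/>
    <D:getcontentlength>48213</D:getcontentlength>
    <D:getlastmodified>Mon, 03 Mar 2025 10:15:00 GMT</D:getlastmodified>
   </D:prop>
   <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
 </D:response>
</D:multistatus>
"""


def parse_multistatus(body: str) -> list:
    """Turn a 207 Multi-Status body into a list of resource entries."""
    # Hardening choice of this example: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(body.encode("utf-8"))
    if root.tag != DAV + "multistatus":
        raise ValueError("not a DAV: multistatus document")
    entries = []
    for resp in root.findall(DAV + "response"):
        href = unquote((resp.findtext(DAV + "href") or "").strip())
        entry = {"href": href, "is_collection": False, "size": None, "modified": None}
        for propstat in resp.findall(DAV + "propstat"):
            status = (propstat.findtext(DAV + "status") or "").split()
            prop = propstat.find(DAV + "prop")
            if len(status) < 2 or status[1] != "200" or prop is None:
                continue  # property not available for this resource
            rtype = prop.find(DAV + "resourcetype")
            if rtype is not None and rtype.find(DAV + "collection") is not None:
                entry["is_collection"] = True
            size = (prop.findtext(DAV + "getcontentlength") or "").strip()
            if size.isdigit():
                entry["size"] = int(size)
            entry["modified"] = prop.findtext(DAV + "getlastmodified") or entry["modified"]
        entries.append(entry)
    return entries
```

Each `propstat` group carries its own status, so a property the server cannot supply (here the collection's content length) is reported as 404 inside an otherwise successful 207 reply.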
What does WebDAV allow you to do in practice?
From the user's point of view, WebDAV is used to handle files on a remote server as if they were local. In systems like Windows, macOS, or Linux, a WebDAV resource can be mounted as a network drive or mount point, so that any program can open and save documents on it without knowing that it is working over the Internet.
Typical operations enabled by WebDAV include:
- Copy and move files within the server without needing to download them to the user's computer first.
- Create, rename, and delete directories (collections) directly on the remote server.
- Modify file properties and other resources, such as additional metadata that the server or application uses.
- Set up locks so that many users can read a heavily used file, but only one can edit it at any given time.
- Search content in large directory structures, relying on the capabilities of PROPFIND and search extensions.
For the administrator, enabling a WebDAV directory turns a web server into a collaborative publishing environment. Simply define the folders to be exposed, assign permissions to users or groups (read only, read/write, etc.) and, if desired, add extra layers of security such as basic authentication, digest authentication or controlled anonymous access.
One interesting feature is that WebDAV can work encrypted using HTTPS. If an SSL/TLS certificate is configured on the server, all communication (including credentials and data) travels protected, usually with robust encryption such as 256-bit AES, depending on the server configuration.
Advantages and disadvantages of WebDAV
Because it is HTTP-based, WebDAV uses well-known standard ports (80 for HTTP and 443 for HTTPS). This greatly facilitates its use across networks with strict security policies, because these ports are rarely blocked without a very specific reason.
Another powerful advantage is its broad compatibility with web servers and operating systems. Servers such as Apache, Nginx, lighttpd, Microsoft IIS, SabreDAV (in PHP), or cloud solutions such as ownCloud and Nextcloud offer native WebDAV support or support through modules and plugins.
At the administration level, WebDAV greatly simplifies the configuration of remote access. Unlike other sharing protocols (FTP, some SMB modes, etc.), it does not usually require opening unusual ports or configuring complex passive port ranges, which reduces the risk of errors and firewall gaps.
However, not everything is perfect. One of the weaknesses of WebDAV is that it only shows the current version of the document. Advanced version control (history, revision comments, etc.) is not part of the base protocol, so it is necessary to rely on external applications or collaboration solutions that implement it on their own.
There are also some practical disadvantages:
- Complexity of installation and fine-tuning: for a user with no basic knowledge of web servers, correctly configuring WebDAV can be somewhat complicated.
- Security risks if configured incorrectly: exposing a WebDAV server to the Internet without HTTPS or adequate access controls can open the door to data theft, malicious file uploads, or even code execution.
- Limited performance in scenarios with many files or slow links: with large volumes of data or networks with high latency, other protocols may perform better.
- Certain compatibility issues with specific applications: although the operating system supports WebDAV, not all programs work equally well with drives mounted using this protocol.
Performance and factors influencing WebDAV
WebDAV performance depends heavily on the quality of the connection and how it is implemented on the server and client. Because it runs over HTTP, it is strongly affected by network latency: the longer the server takes to respond, the less smooth opening and saving files feels.
As a rough guide, 1-5 Mbps of bandwidth is usually sufficient for comfortably editing documents. For multimedia or large data transfers, bandwidth in the 10-25 Mbps range or higher is recommended. Latency below 50 ms generally provides a reasonably smooth experience.
The protocol design itself introduces some overhead. This is especially true with small files, because each operation involves additional HTTP headers and XML structures. In contrast, sending one large file at a time is usually more efficient than handling thousands of tiny files.
The specific implementation of the WebDAV server and client also makes a difference. Not all Apache, Nginx or IIS modules, nor the different client libraries, are equally optimized, and this is noticeable in the speed of listing, copying or synchronization.
If HTTPS is used, SSL/TLS encryption adds extra CPU overhead. On current hardware, this cost is usually minimal, but on devices with few resources (older NAS devices, routers with storage functions, etc.) it can have a visible impact.
Robustness and fault tolerance
Although WebDAV is not in itself a high-availability system, many deployments are integrated into infrastructures with redundancy, replication, and backups, and access via WebDAV inherits those properties.
In well-designed environments, data can be stored on multiple servers or locations, so that if one fails, applications continue to see the available WebDAV resources through load balancing or failover mechanisms that operate behind the scenes.
Using detailed HTTP status codes helps detect problems and handle them better. When an operation fails (due to permissions, disk space, active lock, etc.), the server responds with a clear code that the client can interpret to inform the user.
Many implementations include version control and recovery features, so that if an error occurs or a document is accidentally overwritten, it is possible to revert to a previous stable version, although this depends on the specific application that uses WebDAV as a transport.
WebDAV compatibility with operating systems
One of WebDAV's great strengths is that it is natively supported by the three major desktop operating systems: Windows (from XP onwards), macOS, and most Linux distributions. This means that in many cases you don't need to install anything extra to start using it.
In Windows, the WebDAV client is integrated into File Explorer through the WebClient service. You can “add a network location” or “map a network drive” by pointing to a WebDAV URL, and you will see the remote resource as if it were just another disk in the system.
On macOS, the Finder allows you to connect to WebDAV servers from the "Go > Connect to Server..." menu by entering the corresponding address. Once authenticated, the volume is mounted and appears both on the desktop and in the shared resources section.
In Linux desktop environments, file managers such as Nautilus (Files), Nemo, Dolphin, Thunar, or PCManFM support WebDAV. Usually, it's enough to use URLs such as davs://server or webdav://server/path to mount them as remote file systems.
For more advanced uses in Linux, you can use the davfs2 file system, which allows mounting a WebDAV resource via fstab as if it were any other remote system, so that it is integrated into the boot process and becomes available in a specific user directory.
Examples of servers and services that use WebDAV
Many popular web servers incorporate WebDAV modules or can add them:
- Microsoft IIS: includes its own WebDAV module, widely used in corporate Windows environments.
- Apache HTTP Server: it has several modules (such as mod_dav, mod_dav_fs) and linked tools such as davfs2 or Subversion, which take advantage of WebDAV for certain operations.
- Nginx: it can be integrated with PHP or third-party solutions such as SabreDAV to offer WebDAV capabilities.
- SabreDAV: PHP framework that adds WebDAV support to Apache or Nginx servers.
- Nextcloud and ownCloud: private cloud platforms that expose their data via WebDAV, allowing them to be mounted as remote drives.
In the world of NAS (network-attached storage), manufacturers like QNAP or Synology also offer WebDAV support by default or through specific applications or modules, which allow shared folders to be exposed to the Internet or the local network without resorting to SMB or FTP.
Even some commercial cloud storage services, such as pCloud, offer access via WebDAV. In the case of pCloud, for example, a specific URL is used (such as https://ewebdav.pcloud.com for the European data center), along with the account email and password, to mount the storage as if it were just another shared folder, even from a NAS.
Configuring WebDAV on NAS devices such as QNAP and Synology
On a QNAP NAS, enabling WebDAV usually comes down to a few steps in the control panel. Normally, you access the application servers section and, within the web server, activate the WebDAV service, which is disabled by default.
Once the service is turned on, you select the HTTP and HTTPS ports to use (you can leave the defaults or assign other specific ones for WebDAV) and decide whether to inherit the permissions of the shared folders or define your own permissions for access via WebDAV.
If you choose specific permissions, you need to go to the shared folders section of the NAS, edit each one and select the "WebDAV Access" permission type, assigning read/write rights to the users or groups you want. From there, those resources will be ready to be mounted from compatible clients.
In Synology, the process involves installing the “WebDAV Server” package from the Package Center. Once opened, check the boxes to enable HTTP and HTTPS (the latter is recommended) and configure the ports. In the advanced options, you can enable anonymous access under certain conditions, manage the access depth (DavDepthInfinity), and enable detailed WebDAV event logging.
In both cases (QNAP and Synology), the usual practice is to combine WebDAV over HTTPS with good permissions policies and, if exposed to the Internet, to rely on a VPN or a reverse proxy with additional authentication to reduce the attack surface.
Connecting to WebDAV from Windows, macOS, and Linux
In Windows 10 and 11, the WebDAV client is based on the WebClient service. First of all, it's advisable to review certain parameters in the registry, such as BasicAuthLevel, which controls when basic authentication is allowed (only over SSL, over both SSL and non-SSL connections, or disabled).
To add a WebDAV network location in Windows, start from "This PC": right-click on an empty area, choose "Add a network location", select a custom location and specify the server URL (with HTTP or HTTPS, the latter being recommended as long as the server has a valid certificate).
During the wizard, the user credentials are entered and a name is assigned to the connection. From there, the network location will appear in Explorer and you can drag, open and save files as if it were a normal shared folder.
On macOS, the procedure is even more straightforward. Open the Finder, go to the "Go > Connect to Server…" menu, enter the WebDAV URL, and after entering your username and password, the drive appears mounted on the desktop and in the sidebar as a shared resource.
In Ubuntu and other GNOME-based distributions, you can use the "Connect to server..." option from the places menu. Select the WebDAV service type (HTTP or HTTPS), enter the URL, username (often in email format), and password. The file manager will then mount the WebDAV folder and allow you to manage the files easily.
For console environments, tools like Cadaver function as a "terminal WebDAV client". It connects to a remote URL, asks for a username and password, and offers shell-like commands (ls, get, put, mv, etc.) to manage resources, similar to how smbclient does with SMB shares.
Using WebDAV with specialized tools (rclone, davfs2, etc.)
In addition to the clients integrated into the system, there are specific tools that take great advantage of WebDAV. One of the best known is rclone, which acts as a “Swiss Army knife” for synchronizing and serving remote file systems.
With rclone you can expose a storage backend as a WebDAV server using commands of the style rclone serve webdav remote:path, adjusting parameters such as port, TLS certificates, authentication with an htpasswd file (usually with passwords hashed with bcrypt), cache size and policy, etc.
In Linux, davfs2 allows you to mount WebDAV resources as normal file systems through /etc/fstab or mount/umount commands, saving credentials in secure configuration files (~/.davfs2/secrets) and allowing drives to be mounted automatically upon login.
These tools are especially useful for integrating services like Nextcloud, ownCloud, pCloud, or even rclone backends into backup scripts, scheduled synchronizations or permanent mounts that behave like local disks even though they are actually using WebDAV.
Security risks and attacks on WebDAV
Precisely because it is so convenient and passes through firewalls so easily, WebDAV is an interesting target for attackers. Because it extends HTTP to allow file uploads and editing, a misconfigured server exposed to the Internet without adequate protection can end up giving anyone the ability to upload dangerous files to it.
A typical phase of an attack against a WebDAV server is enumeration, that is, finding out what resources are exposed, what file extensions are allowed, what methods are enabled, and what security settings have been applied (or not).
Tools like Davtest are widely used in audits and penetration testing. Essentially, Davtest uploads a large number of files with different extensions to see which ones are accepted and, eventually, executed by the server, which helps to detect vectors for remote code execution.
Cadaver, in addition to serving as a legitimate client, is also used in offensive testing to navigate the resource tree, upload malicious "webshells" or files where the configuration allows, and check the robustness of the authorization and authentication.
To minimize these risks, it is essential to apply good practices: limit which paths are exposed via WebDAV, disable unnecessary methods, filter dangerous extensions, use HTTPS with current certificates, enforce strong passwords and renew them frequently, restrict access to trusted networks or via VPN, and monitor logs for anomalous behavior.
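The log monitoring recommended above can start from the web server's access log. The following Python sketch is an added example, not from the original article: it flags the pattern the article attributes to Davtest (one client PUTting many different extensions), accepted uploads of script-type files, and later requests for those files. The log lines, extension list and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Common/combined access-log prefix: client, user, time, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumptions of this example: tune both values to the site being monitored.
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".sh"}
EXT_SPRAY_THRESHOLD = 5  # distinct extensions PUT by one client

# Constructed log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - alice [03/Mar/2025:10:15:00 +0000] "PROPFIND /dav/docs/ HTTP/1.1" 207 1843',
    '192.0.2.10 - alice [03/Mar/2025:10:15:04 +0000] "PUT /dav/docs/report.odt HTTP/1.1" 204 -',
    '198.51.100.7 - - [03/Mar/2025:11:02:10 +0000] "PUT /dav/up/t1.txt HTTP/1.1" 201 -',
    '198.51.100.7 - - [03/Mar/2025:11:02:10 +0000] "PUT /dav/up/t1.html HTTP/1.1" 201 -',
    '198.51.100.7 - - [03/Mar/2025:11:02:11 +0000] "PUT /dav/up/t1.jsp HTTP/1.1" 403 -',
    '198.51.100.7 - - [03/Mar/2025:11:02:11 +0000] "PUT /dav/up/t1.php HTTP/1.1" 201 -',
    '198.51.100.7 - - [03/Mar/2025:11:02:12 +0000] "PUT /dav/up/t1.cgi HTTP/1.1" 403 -',
    '198.51.100.7 - - [03/Mar/2025:11:02:15 +0000] "GET /dav/up/t1.php HTTP/1.1" 200 17',
]


def analyze(lines):
    """Return (rule, client, path) findings for suspicious WebDAV uploads."""
    findings = []
    exts_by_ip = defaultdict(set)  # whole-log window, kept simple on purpose
    sprayed = set()                # clients already reported for spraying
    uploaded = set()               # script-type paths the server accepted
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = unquote(urlsplit(m["target"]).path)
        ext = PurePosixPath(path).suffix.lower()
        ok = 200 <= status < 300
        if method == "PUT":
            if ext:
                exts_by_ip[ip].add(ext)
            if len(exts_by_ip[ip]) >= EXT_SPRAY_THRESHOLD and ip not in sprayed:
                sprayed.add(ip)
                findings.append(("extension-spray", ip, path))
            if ok and ext in SCRIPT_EXTS:
                uploaded.add(path)
                findings.append(("script-upload-accepted", ip, path))
        elif method in ("GET", "POST") and ok and path in uploaded:
            findings.append(("uploaded-script-requested", ip, path))
    return findings
```

Rejected uploads (403) still count toward the spray rule, because the probing itself is the signal even when the extension filter holds.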
WebDAV's relationship with cloud storage
WebDAV is not "another Dropbox", but a protocol that many storage services use under the hood to give you remote access to your files from different devices. The difference is that, instead of always depending on each brand's official client, you can use WebDAV to integrate that data with your operating system in a standard way.
If you're looking to access your documents from home and from work, WebDAV can be a key piece: you can set up your server (or your company's, or a NAS, or a compatible cloud service) as a drive on both computers and work with the same files without having to copy things to USB or send them by email.
In private clouds like Nextcloud or ownCloud, WebDAV is the primary mechanism for exposing files to external clients. Desktop clients typically use it internally, but you can also mount it directly on the operating system or on a NAS to, for example, make automatic backups from your local folders to the cloud.
Services like pCloud, integrated via WebDAV into a QNAP, Synology, or similar NAS, allow you to treat the cloud as just another shared folder. From there you can launch backups of large volumes of data, scheduled scripts, or simply use it as an "external hard drive" accessible from anywhere.
In that sense, WebDAV is more of an alternative or technical complement to protocols such as SMB, FTP, or SFTP than a direct competitor to any specific "cloud" brand: it provides the standard mechanism, while the "storage service" can be at your home, your business, or a remote provider.
Alternatives to WebDAV for file sharing
Depending on the scenario, you might be interested in using other protocols instead of WebDAV. Each one has its pros and cons, so it's worth keeping them on your radar.
SMB/CIFS (the classic “Microsoft Networking”) is the king of local area networks in Windows environments. In its modern versions (such as SMB 3.0) it offers strong authentication and data encryption with AES, making it a very secure option within a LAN.
However, SMB is not designed to be directly exposed to the Internet. Opening its ports to the outside poses a very serious risk to privacy and security, so if remote access is needed, it is usually encapsulated within a VPN rather than opened directly.
FTP is another classic method for transferring files both on local networks and over the Internet. It allows you to upload and download files easily, but traditional FTP encrypts neither the authentication nor the data, making it very insecure on untrusted networks.
To add security to FTP, there are variations such as FTPS or FTPES, which encapsulate connections in SSL/TLS and allow the use of strong ciphers such as AES-128-GCM, mitigating the problems of plain FTP.
SFTP, on the other hand, is based on the SSH protocol and does encrypt both credentials and data from beginning to end. It is one of the most recommended options when the absolute priority is security in remote environments, although its semantics and use are more similar to SSH than to HTTP.
There are also solutions and protocols geared towards synchronization and content management, such as:
- Rsync: tool focused on synchronizing directories, very efficient for incremental backups.
- AtomPub: HTTP protocol for creating and updating web resources, used in some CMSs.
- CMIS (Content Management Interoperability Services): open standard so that different document management systems can exchange information.
- Syncthing: peer-to-peer, decentralized and secure synchronization between devices, highly oriented towards real-time work without going through a classic central server.
The choice between WebDAV and these alternatives depends on the specific case: type of network (local or Internet), security needs, ease of configuration, collaboration requirements, file size and tools available in your environment.
In the end, WebDAV has remained a very versatile tool for accessing remote files using HTTP/HTTPS. This is especially useful when you want to treat a server, NAS, or private cloud as if it were a local folder accessible from any modern operating system, combining considerable convenience with reasonable security options if configured properly.
