WebDAV File Transfer — Xferity Secure MFT
WebDAV
Xferity supports WebDAV (Web Distributed Authoring and Versioning) as a transfer endpoint for upload and download flows. WebDAV is an extension to HTTP defined in RFC 4918 that adds file management verbs to the web.
Supported servers include Nextcloud, ownCloud, SharePoint (on-premises DAV endpoints), Box WebDAV, Apache with mod_dav, Caddy DAV module, nginx with dav_module, Seafile, and any other RFC 4918-compliant server.
What WebDAV is in Xferity
WebDAV is an HTTP-based file transfer transport. Unlike SFTP or FTPS, it uses HTTP verbs (`GET`, `PUT`, `DELETE`, `PROPFIND`, `MKCOL`) over a standard TLS connection.
This makes it well-suited for:
- file exchange with partners using Nextcloud or ownCloud
- delivering files to on-premises SharePoint document libraries
- integrating with Box accounts via their WebDAV API
- transferring files to/from self-hosted WebDAV servers in on-premises or air-gapped environments
- scenarios where only HTTP/HTTPS is allowed through firewalls
Trust model
WebDAV trust depends on:
- TLS certificate validation of the server’s HTTPS endpoint
- credentials that authorize access to the DAV collection
- network access to the WebDAV server URL
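Authentication is via HTTP Basic Auth. The username and password are sent in a Basic `Authorization` header on every request. Basic auth only base64-encodes the credentials, so their confidentiality depends entirely on the TLS connection.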
There is no built-in per-partner message signing model like AS2.
Partner configuration
Basic auth with username and password
```yaml
id: nextcloud-partner
display_name: Nextcloud File Sharing
protocol: webdav
webdav:
  url: https://cloud.partner.example/remote.php/dav/files/mftuser
  username: mftuser
  password: env:NEXTCLOUD_PASSWORD
  timeout_seconds: 60
  insecure_skip_verify: false
```
The `url` field is the root URL of the WebDAV collection. For Nextcloud and ownCloud, this is typically `https://<host>/remote.php/dav/files/<username>`.
Without authentication (open DAV)
```yaml
id: internal-dav
protocol: webdav
webdav:
  url: http://dav.internal.example/shared/transfers
  timeout_seconds: 30
```
If `username` is omitted, no `Authorization` header is sent. Use for internal unauthenticated WebDAV servers.
With TLS skip (dev/test only)
```yaml
id: dev-webdav
protocol: webdav
webdav:
  url: https://dev-dav.internal:8443/dav
  username: testuser
  password: env:DEV_DAV_PASSWORD
  insecure_skip_verify: true
  timeout_seconds: 10
```
`insecure_skip_verify: true` disables TLS certificate validation. This is not allowed in hardened mode.
Configuration fields
| Field | Required | Default | Description |
|---|---|---|---|
| `url` | yes | — | Base URL of the WebDAV collection. No trailing slash. |
| `username` | no | — | Basic-auth username. If omitted, no auth header is sent. |
| `password` | no | — | Password or secret reference. |
| `insecure_skip_verify` | no | `false` | Skip TLS cert verification. Rejected in hardened mode. |
| `timeout_seconds` | no | `30` | Per-request HTTP timeout in seconds. |
Path resolution
When a flow specifies a path on the target or source endpoint, it is appended to the partner `url` to form the effective WebDAV URL:
```
<partner.url>/<flow.path>/<filename>
```
Example:
- Partner URL: `https://cloud.partner.example/remote.php/dav/files/mftuser`
- Flow path: `incoming/orders`
- File: `order_2026.xml`
- Effective URL: `https://cloud.partner.example/remote.php/dav/files/mftuser/incoming/orders/order_2026.xml`
Flow example: WebDAV upload
```yaml
flows:
  reports-to-nextcloud:
    direction: upload
    enabled: true
    target:
      partner: nextcloud-partner
      path: outbound/reports
    local:
      path: ./storage/reports/outgoing
    files:
      - pattern: "*.pdf"
    idempotency_mode: hash
    delete_after_upload: true
    schedule_cron: "0 0 17 * * 1-5"
```
On upload, Xferity:
- Ensures the target collection exists (creates intermediate `MKCOL` collections if needed)
- Streams the local file to the target URL via HTTP `PUT`
- Treats `201 Created` or `200 OK` or `204 No Content` as success
Flow example: WebDAV download
```yaml
flows:
  orders-from-webdav:
    direction: download
    enabled: true
    source:
      partner: nextcloud-partner
      path: incoming/orders
    local:
      path: ./storage/orders/incoming
    files:
      - pattern: "*.xml"
    idempotency_mode: hash
    delete_remote_after_decrypt: false
    schedule_cron: "0 */10 * * * *"
```
On download, Xferity:
- Issues a `PROPFIND` request with `Depth: 1` to list the collection
- Parses the WebDAV `multistatus` XML response (`resourcetype`, `getcontentlength`, `getlastmodified`)
- Filters the listed entries to those matching the configured file patterns
- Downloads each matching file via `GET` to a local temp file
- Decrypts and finalizes the file
MKCOL: automatic collection creation
When uploading, if the target path contains subdirectories that do not exist on the server, Xferity creates them automatically using `MKCOL` HTTP requests. This means you do not need to manually pre-create directories on the WebDAV server.
MKCOL responses of 201 Created or 405 Method Not Allowed (collection already exists) are both treated as success.
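The path resolution rule and the `MKCOL` handling described above, combined in an added example (not Xferity's code) that builds the ordered request plan for one upload. Percent-encoding each segment and refusing `.` and `..` segments are assumptions of this example, not documented Xferity behaviour, and `upload_plan` and `step_ok` are hypothetical names.

```python
from urllib.parse import quote

MKCOL_OK = {201, 405}      # created, or the collection already exists
PUT_OK = {200, 201, 204}   # statuses the upload step treats as success


def _segments(path):
    """Split a relative path into percent-encoded segments, refusing traversal."""
    out = []
    for seg in path.split("/"):
        if seg == "":
            continue  # tolerate leading, trailing or doubled slashes
        if seg in (".", ".."):
            raise ValueError(f"path segment {seg!r} would leave the collection")
        out.append(quote(seg, safe=""))
    return out


def upload_plan(partner_url, flow_path, filename):
    """Return the ordered (method, url) requests for uploading one file."""
    if "/" in filename or filename in ("", ".", ".."):
        raise ValueError("filename must be a single path segment")
    current = partner_url.rstrip("/")
    plan = []
    for seg in _segments(flow_path):
        current = f"{current}/{seg}"
        plan.append(("MKCOL", current))  # parents first, one level at a time
    plan.append(("PUT", f"{current}/{quote(filename, safe='')}"))
    return plan


def step_ok(method, status):
    """Apply the success rules stated on this page to one response status."""
    return status in (MKCOL_OK if method == "MKCOL" else PUT_OK)
```

Note that `405` counts as success only for `MKCOL`; on the `PUT` it still means the server refused the verb.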
Comparison with SFTP and S3
| Feature | WebDAV | SFTP | S3 |
|---|---|---|---|
| Protocol | HTTP(S) | SSH | HTTPS REST |
| Auth | Basic HTTP auth | SSH keys or passwords | IAM / access key |
| Listing | PROPFIND | readdir | ListObjectsV2 |
| Directory creation | MKCOL | mkdir | implicit (prefix) |
| Typical servers | Nextcloud, SharePoint, Box | OpenSSH, ProFTPD | AWS S3, MinIO |
| Firewall friendliness | ✅ HTTP/HTTPS | ❌ requires port 22 | ✅ HTTPS |
Use WebDAV when partners use HTTP-based sharing platforms and SFTP/S3 are not available.
Hardened mode behavior
In hardened mode, WebDAV partners enforce:
- `password` must use a secret reference (`env:`, `file:`, or `vault:`) when set
- `insecure_skip_verify: true` is rejected
Plaintext passwords are rejected at partner config load time.
Common failures
| Symptom | Likely cause |
|---|---|
| `401 Unauthorized` | Wrong credentials or server requires different auth scheme |
| `403 Forbidden` | User has no write access to the target collection |
| `404 Not Found` | Collection path does not exist and MKCOL was not attempted |
| `405 Method Not Allowed` | Server does not support a required WebDAV verb |
| `207 Multi-Status` with empty response | PROPFIND succeeded but collection is empty |
| TLS handshake failed | Server uses self-signed cert and `insecure_skip_verify=false` |
| Connection refused | Wrong URL, server down, or firewall blocking port 443/80 |
| Timeout | Server is slow; increase `timeout_seconds` |
Nextcloud-specific notes
For Nextcloud:
- The DAV URL is `https://<host>/remote.php/dav/files/<username>`
- SharePoint URL format: `https://<tenant>.sharepoint.com/sites/<site>/_layouts/15/WopiFrame.aspx/file.aspx` (use the `/dav/` endpoint instead of the SharePoint UI URL)
- Make sure the Nextcloud user has shared or owns the folder you are reading from or writing to