Overview
Stalwart includes an HTTP service that is enabled by default. It supports JMAP access, WebDAV access, API management, ACME certificate issuance, autoconfig/autodiscover protocols, well-known resources, metrics collection, and OAuth authentication.
Settings
Stalwart includes a built-in HTTP server that handles JMAP and WebDAV requests. HTTP server behaviour is configured on the Http singleton (found in the WebUI under Settings › Network › HTTP › General and Settings › Network › HTTP › Security).
JMAP
WebDAV
Access Control
Stalwart provides a flexible access control mechanism for the HTTP server. Rules can restrict access by IP address, resource path, method name, listener identity, and other request attributes, so that sensitive services can be exposed only to the clients and listeners that require them.
Security
The HTTP server exposes two transport-security controls on the Http singleton (found in the WebUI under Settings › Network › HTTP › General and Settings › Network › HTTP › Security): HTTP Strict Transport Security (HSTS) and a permissive CORS policy. These controls enforce secure communication practices and determine how cross-origin requests are handled.
Rate limiting
Rate limiting restricts how often a client can repeat an action within a given time period. Applied to the HTTP server, it mitigates brute-force attacks and reduces overall load by capping the number of requests that any single source can issue in a short window.
Form Handling
Stalwart can accept HTTP form submissions on the /form endpoint and turn each submission into an email message delivered to one or more local recipients. The feature is typically used for web forms such as contact or feedback forms, where submissions need to be forwarded to a designated group of local recipients on the mail server.