Self-hosted media downloader and converter: download videos from YouTube, Vimeo, and 1000+ other sites. Built for security, clean deployment, and easy self-hosting.

- Download video and audio from YouTube and 1000+ sites (via yt-dlp)
- Convert uploaded video files with FFmpeg (mp4, mkv, webm, mp3, m4a, and more)
- Library: tag downloads into a personal video library with a built-in player
- Multi-user: admin panel, user management, role-based access control
- Secure by default: JWT auth, HttpOnly cookies, strict security headers, rate limiting
- Docker-first: one command to deploy
Screenshots: Login, Dashboard, Video Fetcher, My Library.

| Layer | Technology |
|---|---|
| Backend | FastAPI (Python 3.11) |
| Auth | JWT (python-jose) + PBKDF2-SHA256 |
| Database | SQLite |
| Downloader | yt-dlp |
| Converter | FFmpeg |
| Frontend | Vanilla JS + Jinja2 HTML |
| Deployment | Docker + Docker Compose |

```
┌─────────────────────────────────────┐
│           Browser Client            │
│ (Vanilla JS, WebSocket for progress)│
└─────────────────┬───────────────────┘
                  │ HTTPS
┌─────────────────▼───────────────────┐
│         FastAPI Application         │
│ ┌──────────┐ ┌────────────────────┐ │
│ │ Auth/JWT │ │ Download Manager   │ │
│ └──────────┘ │ (yt-dlp worker)    │ │
│ ┌──────────┐ └────────────────────┘ │
│ │ Settings │ ┌────────────────────┐ │
│ └──────────┘ │ Convert Manager    │ │
│              │ (FFmpeg worker)    │ │
│ ┌──────────┐ └────────────────────┘ │
│ │ SQLite   │                        │
│ │ (data/)  │                        │
│ └──────────┘                        │
└─────────────────────────────────────┘
```

Data is persisted in Docker volumes and never stored in the container image.
- Docker and Docker Compose v2+
- A machine with internet access
```bash
# 1. Clone the repository
git clone https://github.com/your-username/grabster.git
cd grabster

# 2. Configure environment
cp .env.example .env
```

Edit `.env` and set a strong `SECRET_KEY`:

```bash
# Generate a secure key:
openssl rand -hex 32
```

```bash
# 3. Start GrabSter
docker compose up -d
# Then open: http://localhost:8001
```

On first launch, register a new account. The first registered user is automatically made an Admin. If you need to manually promote another user to admin via the command line, run:

```bash
docker exec -it grabster sqlite3 /app/data/app.db "UPDATE users SET role = 'admin' WHERE username = 'YOUR_USERNAME';"
```

All configuration is done via environment variables in your `.env` file.

| Variable | Required | Default | Description |
|---|---|---|---|
| `SECRET_KEY` | Yes | (none) | JWT signing secret. Generate with `openssl rand -hex 32`. |
| `PORT` | No | `8000` | Host port to bind. |
| `DEBUG` | No | `false` | Enables `/docs`, `/redoc`, verbose logging. Off in prod. |
| `DB_PATH` | No | `data/app.db` | Path to SQLite database file. |
| `DOWNLOAD_DIR` | No | `downloads` | Note: Managed internally via Settings UI (DB). |
| `CONVERT_DIR` | No | `converted` | Directory for FFmpeg output files. |
| `COOKIE_SECURE` | No | `false` | Set to `true` if hosting behind an HTTPS TLS reverse proxy. |

```bash
cp .env.example .env
# Set DEBUG=true, COOKIE_SECURE=false, SECRET_KEY=any-dev-string
docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
# App runs on http://localhost:8001 with live reload
```

See CONTRIBUTING.md for full local setup instructions.

GrabSter is designed and hardened for self-hosted deployments:

- JWT tokens signed with a user-provided secret key (required, no defaults)
- HttpOnly + SameSite cookies: tokens are not accessible via JavaScript
- Security headers on every response (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- Rate limiting: 5 login attempts per IP per minute
- Debug endpoints disabled in production (no `/docs`, `/openapi.json`)
- Non-root Docker container user (uid 1000)
- Input validation with allowlists for file conversion formats

Recommendation: Place GrabSter behind a reverse proxy (e.g., nginx or Caddy) with TLS. Do not expose it directly to the public internet without additional authentication.
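
A preflight check for the `.env` settings that matter once the instance sits behind a TLS reverse proxy, as an added example (not part of GrabSter's own code). It assumes the key was generated with `openssl rand -hex 32` and that booleans are written as `true`/`false`; `parse_env`, `audit_env` and the sample file are hypothetical.

```python
"""Audit a GrabSter .env file before a production deployment (added example)."""
import re

# Constructed sample: a development .env carried over into production.
SAMPLE_ENV = """\
# copied from local setup
SECRET_KEY=any-dev-string
DEBUG=true
COOKIE_SECURE=false
PORT=8000
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def is_true(value):
    # Assumption: the app treats these spellings as "enabled".
    return value.strip().lower() in {"1", "true", "yes", "on"}

def audit_env(text, behind_tls=True):
    """Return a list of findings; an empty list means the file passed."""
    env = parse_env(text)
    findings = []
    secret = env.get("SECRET_KEY", "")
    if not secret:
        findings.append("SECRET_KEY is missing or empty")
    elif not re.fullmatch(r"[0-9a-fA-F]{64,}", secret):
        # Assumption: key came from `openssl rand -hex 32` (64 hex characters).
        findings.append("SECRET_KEY is not a 64+ character hex string")
    if is_true(env.get("DEBUG", "false")):
        findings.append("DEBUG is on: /docs and /redoc are exposed")
    if behind_tls and not is_true(env.get("COOKIE_SECURE", "false")):
        findings.append("COOKIE_SECURE is false behind a TLS proxy")
    return findings

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print("FAIL:", finding)
```

Run it against the real file with `audit_env(open(".env").read())` and block the deployment if the returned list is not empty.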
All user data lives in Docker volumes, not in the image. On a `docker compose down`, your data is preserved. To fully reset, remove the local directories:

- `data/`: SQLite database
- `downloads/`: Downloaded media
- `converted/`: Converted output files
- `uploads/`: Temporary upload staging (auto-cleared)

MIT License: free to use, modify, and self-host.
See SECURITY.md. Please do not open public GitHub issues for security vulnerabilities.



