diff --git a/.vscode/launch.json b/.vscode/launch.json
index f31f411a..f4104c1f 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -13,7 +13,7 @@
                 "0",
                 "-nc",
                 "4",
-                "-nw",
+                //"-nw",
                 "-a",
                 "ed:wark",
                 "-v",
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 218a405c..ff8651c0 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -43,7 +43,7 @@
     "editor.formatOnSave": true,
     "[html]": {
         "editor.formatOnSave": false,
-    }
+    },
     //
     //  things you may wanna edit:
     //
diff --git a/README.md b/README.md
index f33cf049..12c0dd9c 100644
--- a/README.md
+++ b/README.md
@@ -68,4 +68,5 @@ pip install black bandit pylint flake8  # vscode tooling
 
 roughly sorted by priority
 
+* last-modified header
 * support pillow-simd
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index cc1a2404..5c47a866 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -16,7 +16,7 @@ if not PY2:
     unicode = str
     from urllib.parse import unquote_plus
 else:
-    from urllib import unquote_plus
+    from urllib import unquote_plus  # pylint: disable=no-name-in-module
 
 
 class HttpCli(object):
@@ -77,8 +77,8 @@ class HttpCli(object):
             self.log(self.rvol)
             self.log(self.wvol)
 
-        # split req into vpath + args
-        args = {}
+        # split req into vpath + uparam
+        uparam = {}
         if "?" not in self.req:
             if not self.req.endswith("/"):
                 self.absolute_urls = True
@@ -93,11 +93,11 @@ class HttpCli(object):
             for k in arglist.split("&"):
                 if "=" in k:
                     k, v = k.split("=", 1)
-                    args[k.lower()] = v.strip()
+                    uparam[k.lower()] = v.strip()
                 else:
-                    args[k.lower()] = True
+                    uparam[k.lower()] = True
 
-        self.args = args
+        self.uparam = uparam
         self.vpath = unquote_plus(vpath)
 
         try:
@@ -148,7 +148,7 @@ class HttpCli(object):
                 return self.tx_file(static_path)
 
         # conditional redirect to single volumes
-        if self.vpath == "" and not self.args:
+        if self.vpath == "" and not self.uparam:
             nread = len(self.rvol)
             nwrite = len(self.wvol)
             if nread + nwrite == 1:
@@ -160,16 +160,18 @@ class HttpCli(object):
                 self.absolute_urls = True
 
         # go home if verboten
-        readable, writable = self.conn.auth.vfs.can_access(self.vpath, self.uname)
-        if not readable and not writable:
+        self.readable, self.writable = self.conn.auth.vfs.can_access(
+            self.vpath, self.uname
+        )
+        if not self.readable and not self.writable:
             self.log("inaccessible: {}".format(self.vpath))
-            self.args = {"h": True}
+            self.uparam = {"h": True}
 
-        if "h" in self.args:
+        if "h" in self.uparam:
             self.vpath = None
             return self.tx_mounts()
 
-        if readable:
+        if self.readable:
             return self.tx_browser()
         else:
             return self.tx_upper()
@@ -210,7 +212,8 @@ class HttpCli(object):
             pwd = u"x"  # nosec
 
         h = ["Set-Cookie: cppwd={}; Path=/".format(pwd)]
-        html = u'<h1>{}<h2><a href="/">ack'.format(msg)
+        html = u'<h1>{}</h1><h2><a href="/">ack</a></h2>'.format(msg)
+        html += '<script>setTimeout(function(){window.location.replace("/");},500);</script>'
         self.reply(html.encode("utf-8"), headers=h)
 
     def handle_plain_upload(self):
@@ -299,7 +302,7 @@ class HttpCli(object):
 
     def tx_upper(self):
         # return html for basic uploader;
-        # js rewrites to up2k unless args['b']
+        # js rewrites to up2k unless uparam['b']
         self.loud_reply("TODO jupper {}".format(self.vpath))
 
     def tx_browser(self):
@@ -345,5 +348,7 @@ class HttpCli(object):
                 files.append(item)
 
         dirs.extend(files)
-        html = self.conn.tpl_browser.render(vpnodes=vpnodes, files=dirs)
+        html = self.conn.tpl_browser.render(
+            vpnodes=vpnodes, files=dirs, can_upload=self.writable
+        )
         self.reply(html.encode("utf-8"))
diff --git a/copyparty/web/browser.css b/copyparty/web/browser.css
index b6a38242..407cf270 100644
--- a/copyparty/web/browser.css
+++ b/copyparty/web/browser.css
@@ -249,3 +249,14 @@ a.play.act {
 	width: calc(100% - 10.5em);
 	background: rgba(0,0,0,0.2);
 }
+#bup {
+	padding: .5em .5em .5em .3em;
+	margin-bottom: 1em;
+	background: #2d2d2d;
+	border-radius: 0 .5em .5em 0;
+	border-right: .3em solid #3a3a3a;
+	max-width: 40em;
+}
+#bup input {
+	margin: .5em;
+}
diff --git a/copyparty/web/browser.html b/copyparty/web/browser.html
index 3ca4356c..a8687092 100644
--- a/copyparty/web/browser.html
+++ b/copyparty/web/browser.html
@@ -16,6 +16,17 @@
         {%- endfor %}
         <span>{{ vpnodes[-1][1] }}</span>
     </h1>
+
+    {%- if can_upload %}
+    <div id="bup">
+        <form method="post" enctype="multipart/form-data" accept-charset="utf-8">
+            <input type="hidden" name="act" value="bput" />
+            <input type="file" name="f" multiple><br />
+            <input type="submit" value="start upload">
+        </form>
+    </div>
+    {%- endif %}
+    
     <table id="files">
         <thead>
             <tr>
@@ -33,6 +44,9 @@
 
         </tbody>
     </table>
+    
+    <h2><a href="?h">control-panel</a></h2>
+
     <div id="widget">
         <div id="wtoggle">=</div>
         <div id="widgeti">
diff --git a/docs/design.txt b/docs/design.txt
index a1f74e34..b6492b8b 100644
--- a/docs/design.txt
+++ b/docs/design.txt
@@ -9,6 +9,12 @@ main
         httpsrv
           ...
 
+##
+## things which need the broker
+
+moving uploaded files into place
+creating a thumbnail
+
 ##
 ## thumbnails