Built-in HTTP server in Dune HD STB is based on "busybox".

The following information is an excerpt from "busybox/networking/httpd.c"
(NOTE, not all features listed below are supported by current Dune STB

   Typical usage:
     for non root user
   httpd -p 8080 -h $HOME/public_html
     or for daemon start from rc script with uid=0:
   httpd -u www
   This is equivalent if www user have uid=80 to
   httpd -p 80 -u 80 -h /www -c /etc/httpd.conf -r "Web Server Authentication"

   When a url starts by "/cgi-bin/" it is assumed to be a cgi script.  The
   server changes directory to the location of the script and executes it
   after setting QUERY_STRING and other environment variables.

   "CGI Environment Variables": http://hoohoo.ncsa.uiuc.edu/cgi/env.html

   The applet can also be invoked as a url arg decoder and html text encoder
   as follows:
    foo=`httpd -d $foo`           # decode "Hello%20World" as "Hello World"
    bar=`httpd -e "<Hello World>"`  # encode as "&#60Hello&#32World&#62"
   Note that url encoding for arguments is not the same as html encoding for
   presentation.  -d decodes an url-encoded argument while -e encodes in html
   for page display.

   httpd.conf has the following format:

   H:/serverroot     # define the server root. It will override -h
   A:172.20.         # Allow address from
   A:     # Allow any address from
   A:  # Allow any address that previous set
   A:       # Allow local loopback connections
   D:*               # Deny from other IP connections
   E404:/path/e404.html # /path/e404.html is the 404 (not found) error page
   I:index.html      # Show index.html when a directory is requested

                     # When /urlXXXXXX is requested, reverse proxy
                     # it to http://hostname[:port]/new/pathXXXXXX

   /cgi-bin:foo:bar  # Require user foo, pwd bar on urls starting with /cgi-bin/
   /adm:admin:setup  # Require user admin, pwd setup on urls starting with /adm/
   /adm:toor:PaSsWd  # or user toor, pwd PaSsWd on urls starting with /adm/
   .au:audio/basic   # additional mime type for audio.au files
   *.php:/path/php   # run xxx.php through an interpreter

   A/D may be as a/d or allow/deny - only first char matters.
   Deny/Allow IP logic:
    - Default is to allow all (Allow all (A:*) is a no-op).
    - Deny rules take precedence over allow rules.
    - "Deny all" rule (D:*) is applied last.

   If a sub directory contains a config file it is parsed and merged with
   any existing settings as if it was appended to the original configuration.

   subdir paths are relative to the containing subdir and thus cannot
   affect the parent rules.

   Note that since the sub dir is parsed in the forked thread servicing the
   subdir http request, any merge is discarded when the process exits.  As a
   result, the subdir settings only have a lifetime of a single request.

   Custom error pages can contain an absolute path or be relative to
   'home_httpd'. Error pages are to be static files (no CGI or script). Error
   page can only be defined in the root configuration file and are not taken
   into account in local (directories) config files.

   If -c is not set, an attempt will be made to open the default
   root configuration file.  If -c is set and the file is not found, the
   server exits with an error.