diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9686b70..e5082cf 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,5 +1,5 @@
 #
-name: Create and publish a Docker image
+name: Create and publish a Docker image on master
 
 # Configures this workflow to run every time a change is pushed to the branch called `master`.
 on:
diff --git a/.github/workflows/publishBranches.yml b/.github/workflows/publishBranches.yml
index 85b2505..ea4646b 100644
--- a/.github/workflows/publishBranches.yml
+++ b/.github/workflows/publishBranches.yml
@@ -1,5 +1,5 @@
 #
-name: Create and publish a Docker image
+name: Create and publish a Docker image on a branch
 
 # Configures this workflow to run every time a change is pushed to the branch called `master`.
 on:
diff --git a/Dockerfile b/Dockerfile
index 8d03b21..09264c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,49 +1,63 @@
-#FROM ubuntu:16.04
-FROM ubuntu:22.04
+FROM debian:bookworm-slim AS builder
 
-RUN DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get update && apt-get -y install tzdata && apt-get -y clean
+ARG DEBIAN_FRONTEND=noninteractive 
 
-RUN apt-get update && apt-get install -y --no-install-recommends apt-utils && apt-get -y clean
+RUN apt-get update && apt-get -y --no-install-recommends install \
+		wget \
+		ca-certificates
+
+RUN cd /tmp && \
+	wget https://download.brother.com/welcome/dlf105200/brscan4-0.4.11-1.amd64.deb
+
+RUN cd /tmp && \
+	wget https://download.brother.com/welcome/dlf006652/brscan-skey-0.3.1-2.amd64.deb
+
+FROM debian:bookworm-slim
 
-RUN apt-get -y update && apt-get -y upgrade && apt-get -y clean
-RUN apt-get -y install \
+ARG DEBIAN_FRONTEND=noninteractive 
+
+RUN apt-get update && apt-get -y --no-install-recommends install \
 		sane \
 		sane-utils \
+		netbase \
 		ghostscript \
 		netpbm \
-		x11-common \
-		wget \
 		graphicsmagick \
 		curl \
 		ssh \
 		sshpass \
 		lighttpd \
         php-cgi \
-        php-curl \
-		sudo \
 		iproute2 \
+		iputils-ping \
 		&& apt-get -y clean
 
+COPY --from=builder /tmp/brscan4-0.4.11-1.amd64.deb /tmp/brscan4-0.4.11-1.amd64.deb
 RUN cd /tmp && \
-	wget https://download.brother.com/welcome/dlf105200/brscan4-0.4.11-1.amd64.deb && \
 	dpkg -i /tmp/brscan4-0.4.11-1.amd64.deb && \
 	rm /tmp/brscan4-0.4.11-1.amd64.deb
 
+COPY --from=builder /tmp/brscan-skey-0.3.1-2.amd64.deb /tmp/brscan-skey-0.3.1-2.amd64.deb
 RUN cd /tmp && \
-	wget https://download.brother.com/welcome/dlf006652/brscan-skey-0.3.1-2.amd64.deb && \
 	dpkg -i /tmp/brscan-skey-0.3.1-2.amd64.deb && \
 	rm /tmp/brscan-skey-0.3.1-2.amd64.deb
 
-ADD files/runScanner.sh /opt/brother/runScanner.sh
-COPY script /opt/brother/scanner/brscan-skey/script
+RUN lighty-enable-mod auth || true; \
+    lighty-enable-mod fastcgi || true; \
+    lighty-enable-mod fastcgi-php || true; \
+    lighty-enable-mod access || true
+
+RUN cat <<EOF >> /etc/lighttpd/lighttpd.conf
+\$HTTP["url"] =~ "^/lib" {
+	url.access-deny = ("")
+}
+EOF
 
-RUN cp /etc/lighttpd/conf-available/05-auth.conf /etc/lighttpd/conf-enabled/
-RUN cp /etc/lighttpd/conf-available/15-fastcgi-php.conf /etc/lighttpd/conf-enabled/
-RUN cp /etc/lighttpd/conf-available/10-fastcgi.conf /etc/lighttpd/conf-enabled/
 RUN mkdir -p /var/run/lighttpd
 RUN touch /var/run/lighttpd/php-fastcgi.socket
 RUN chown -R www-data /var/run/lighttpd
-RUN echo 'www-data ALL=(NAS) NOPASSWD:ALL' >> /etc/sudoers
+
+ENV TZ=Etc/UTC
 
 ENV NAME="Scanner"
 ENV MODEL="MFC-L2700DW"
@@ -63,21 +77,16 @@ ENV FTP_HOST=""
 # Make sure this ends in a slash.
 ENV FTP_PATH="/scans/" 
 
-EXPOSE 54925
-EXPOSE 54921
-EXPOSE 80
 
-ADD files/gui/index.php /var/www/html
-ADD files/gui/main.css /var/www/html
-ADD files/api/scan.php /var/www/html
-ADD files/api/active.php /var/www/html
-ADD files/api/list.php /var/www/html
-ADD files/api/download.php /var/www/html
+COPY files/gui/ /var/www/html
+COPY files/api/ /var/www/html
+
+COPY files/runScanner.sh /opt/brother/runScanner.sh
+COPY script /opt/brother/scanner/brscan-skey/script
+
 RUN chown -R www-data /var/www/
 
 #directory for scans:
 VOLUME /scans
 
-CMD /opt/brother/runScanner.sh
-
-
+CMD /opt/brother/runScanner.sh
\ No newline at end of file
diff --git a/README.md b/README.md
index 230ddcc..8d70651 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,6 @@ services:
             - /path/on/host:/scans 
         ports:
             - 54925:54925/udp # mandatory, for scanner tools
-            - 54921:54921 # mandatory, for scanner tools
             - 161:161/udp # mandatory, for scanner tools
         environment:
             - NAME=Scanner
@@ -86,7 +85,8 @@ You can configure the tool via environment variables:
 
 | Variable | Type | Description |
 | ------------- | ------------- | ------------- |
-| NAME  | mandatory | Arbitrary name to give your scanner. Displayed on scanner, if multiple servers are running. |
+| NAME  | mandatory | Arbitrary name to give your scanner. |
+| USERNAME  | optional | Displayed on scanner, if multiple servers are running. |
 | MODEL  | mandatory | Model of your scanner (e.g., MFC-L2700DW) |
 | IPADDRESS | mandatory | IP Address of your scanner |
 | RESOLUTION | optional | DPI resolution of scan, refer to capabilities of printer on startup |
@@ -101,16 +101,13 @@ You can configure the tool via environment variables:
 | OCR_SERVER | optional | Hostname of an OCR server (see below) |
 | OCR_PORT | optional | Port of an OCR server (see below) |
 | OCR_PATH | optional | Path of an OCR server (see below) |
-| WEBSERVER | optional | activates GUI & API (default:false) (see below) |
-| PORT | optional | sets port for webserver (default: 80) |
-| DISABLE_GUI_SCANTOFILE | optional | deactivates button "Scan to file" (default: false) |
-| DISABLE_GUI_SCANTOEMAIL | optional | deactivates button "Scan to e-mail" |
-| DISABLE_GUI_SCANTOIMAGE | optional | deactivates button "Scan to image" |
-| DISABLE_GUI_SCANTOOCR | optional | deactivates button "Scan to OCR" |
-| RENAME_GUI_SCANTOFILE="Scan front pages" | optional | renames GUI button "Scan to file" to "Scan front pages" |
-| RENAME_GUI_SCANTOEMAIL="Scan rear pages" | optional | renames GUI button "Scan to email" to "Scan rear pages" |
-| RENAME_GUI_SCANTOIMAGE="Scan photo" | optional | renames GUI button "Scan to image" to "Scan photo" |
-| RENAME_GUI_SCANTOOCR="Scan High-Res" | optional | renames GUI button "Scan to OCR" to "Scan High-Res" |
+| WEBSERVER_ENABLE | optional | activates GUI & API (default:false) (see below) |
+| WEBSERVER_PING_ENABLE | optional | activates ping service to check if scanner offline |
+| WEBSERVER_PORT | optional | sets port for webserver (default: 80) |
+| WEBSERVER_LABEL_SCANTOFILE | optional | empty to hide button (default: "Scan to file") |
+| WEBSERVER_LABEL_SCANTOEMAIL | optional | empty to hide button (default: "Scan to email") |
+| WEBSERVER_LABEL_SCANTOIMAGE | optional | empty to hide button (default: "Scan to image") |
+| WEBSERVER_LABEL_SCANTOOCR | optional | empty to hide button (default: "Scan to OCR") |
 | USE_JPEG_COMPRESSION | optional | use JPEG compression when creating PDFs |
 
 ### FTPS upload
@@ -161,12 +158,13 @@ By default, the image uses port 80, but you may configure that.
 Additionally, for the GUI, you can rename and hide individual functions.
 here is an example of the environment:
 ```
-- WEBSERVER=true # optional, activates GUI & API
-- PORT=33355 # optional, sets port for webserver (default: 80)
-- DISABLE_GUI_SCANTOIMAGE=true # optional, deactivates button "Scan to image"
-- DISABLE_GUI_SCANTOOCR=true # optional, deactivates button "Scan to OCR"
-- RENAME_GUI_SCANTOFILE="Scan front pages" # optional, renames button "Scan to file" to "Scan front pages"
-- RENAME_GUI_SCANTOEMAIL="Scan rear pages" # optional, renames button "Scan to email" to "Scan rear pages"
+- WEBSERVER_ENABLE= # optional, activates GUI & API
+- WEBSERVER_PING_ENABLE= # optional, if enabled scanner status is `online`, `offline`, `scanning` (see status.php)
+- WEBSERVER_PORT=33355 # optional, sets port for webserver (default: 80)
+- WEBSERVER_LABEL_SCANTOIMAGE= # optional, hides button "Scan to image"
+- WEBSERVER_LABEL_SCANTOOCR= # optional, hides button "Scan to OCR"
+- WEBSERVER_LABEL_SCANTOFILE="Scan front pages" # optional, renames button "Scan to file" to "Scan front pages"
+- WEBSERVER_LABEL_SCANTOEMAIL="Scan rear pages" # optional, renames button "Scan to email" to "Scan rear pages"
 ```
 
 #### GUI
@@ -180,7 +178,7 @@ Thus, make sure to wait for your scan to complete, before pressing another butto
 #### API
 The GUI uses a minimal "API" at the backend, which you can also use from other tooling (e.g., Home Assistant or a control panel near your printer).
 To scan, simply call `http://<ContainerIP>:<Port>/scan.php?target=<file|email|image|OCR>`
-Also check out the endpoints `list.php`, `download.php`, `active.php`.
+Also check out the endpoints `list.php`, `listfiles.php`, `download.php`, `active.php` and `status.php`.
 Maybe one day an OpenAPI Spec will be included.
 
 ## Full Docker Compose Example
@@ -195,10 +193,8 @@ services:
         volumes:
             - /path/on/host:/scans
         ports:
-            - 33355:33355
+            - 33355:33355 # example webserver port
             - 54925:54925/udp # mandatory, for scanner tools
-            - 54921:54921 # mandatory, for scanner tools
-            - 161:161/udp # mandatory, for scanner tools
         environment:
             - NAME=Scanner
             - MODEL=MFC-L2700DW
@@ -210,12 +206,13 @@ services:
             - UID=1000 # optional, for /scans permissions
             - GID=1000 # optional, for /scans permissions
             - TZ=Europe/Berlin # optional, for correct time in scanned filenames
-            - WEBSERVER=true # optional, activates GUI & API
+            - WEBSERVER_ENABLE= # optional, activates GUI & API
+            - WEBSERVER_PING_ENABLE= # optional, activates ping service to check if scanner offline
             - PORT=33355 # optional, sets port for webserver (default: 80)
-            - DISABLE_GUI_SCANTOIMAGE=true # optional, deactivates button "Scan to image"
-            - DISABLE_GUI_SCANTOOCR=true # optional, deactivates button "Scan to OCR"
-            - RENAME_GUI_SCANTOFILE="Scan front pages" # optional, renames button "Scan to file" to "Scan front pages"
-            - RENAME_GUI_SCANTOEMAIL="Scan rear pages" # optional, renames button "Scan to email" to "Scan rear pages"
+            - WEBSERVER_LABEL_SCANTOIMAGE= # optional, deactivates button "Scan to image"
+            - WEBSERVER_LABEL_SCANTOOCR=true # optional, deactivates button "Scan to OCR"
+            - WEBSERVER_LABEL_SCANTOFILE="Scan front pages" # optional, renames button "Scan to file" to "Scan front pages"
+            - WEBSERVER_LABEL_SCANTOEMAIL="Scan rear pages" # optional, renames button "Scan to email" to "Scan rear pages"
         restart: unless-stopped
 
     # optional, for OCR
diff --git a/files/api/download.php b/files/api/download.php
index 1ced9b7..75de4db 100644
--- a/files/api/download.php
+++ b/files/api/download.php
@@ -1,23 +1,26 @@
 <?php
+include_once(__DIR__."/lib/lib.php");
+
 if ($_SERVER['REQUEST_METHOD'] == 'GET') {
+
+
         if(array_key_exists("file", $_GET)) {
-                $file = $_GET["file"];
-                if(str_contains($file, "..") || str_contains($file, "/")) {
-                        header($_SERVER["SERVER_PROTOCOL"] . " 400 OK");
-                        die("Error: Dont't be evil!");
-                }
-                $filename="/scans/".$file;
-                if(file_exists($filename)) {
-                        header("Content-type:application/pdf");
-                        header("Content-Disposition:attachment;filename=\"scan.pdf\"");
-                        readfile($filename);
+                $filename = $_GET["file"];
+                $filepath=$SCANS_DIR . $filename;
+                if(file_exists($filepath) && is_sub_path($filepath, $SCANS_DIR)) {
+                        header("Content-type: " . (mime_content_type($filepath) || 'application/octet-stream'));
+                        header("Content-Disposition: attachment; filename=\"" . $filename . "\"");
+                        readfile($filepath);
                 } else {
-                        header($_SERVER["SERVER_PROTOCOL"] . " 400 OK");
+                        http_response_code(404);
                         die("Error: File does not exist!");
                 }
         } else {
-                header($_SERVER["SERVER_PROTOCOL"] . " 400 OK");
+                http_response_code(400);
                 die("Error: No file provided!");
         }
+} else {
+        http_response_code(405);
+        die("Error: Method not allowed!");
 }
 ?>
\ No newline at end of file
diff --git a/files/api/lib/lib.php b/files/api/lib/lib.php
new file mode 100644
index 0000000..863d21a
--- /dev/null
+++ b/files/api/lib/lib.php
@@ -0,0 +1,8 @@
+<?php
+include_once(__DIR__."/listfiles.php");
+include_once(__DIR__."/subdircheck.php");
+
+// constants
+$SCANS_DIR = "/scans";
+$SCRIPTS_DIR = "/opt/brother/scanner/brscan-skey/script";
+?>
\ No newline at end of file
diff --git a/files/api/lib/listfiles.php b/files/api/lib/listfiles.php
new file mode 100644
index 0000000..ebbb075
--- /dev/null
+++ b/files/api/lib/listfiles.php
@@ -0,0 +1,68 @@
+<?php
+
+// Define constants for sorting flags
+define('GETFILELIST_SORT_NAME_ASC', 1);
+define('GETFILELIST_SORT_NAME_DESC', 2);
+define('GETFILELIST_SORT_CREATEDATE_ASC', 4);
+define('GETFILELIST_SORT_CREATEDATE_DESC', 8);
+define('GETFILELIST_SORT_MODIFYDATE_ASC', 16);
+define('GETFILELIST_SORT_MODIFYDATE_DESC', 32);
+define('GETFILELIST_SORT_DIRNAME_ASC', 64);
+define('GETFILELIST_SORT_DIRNAME_DESC', 128);
+
+function getFileList($path, $sortFlags = GETFILELIST_SORT_NAME_ASC) {
+    // Check if the directory exists
+    if (!is_dir($path)) {
+        return [];
+    }
+
+    $files = [];
+
+    // Helper function to sort by various criteria
+    $sortFunction = function ($a, $b) use ($sortFlags) {
+        if ($sortFlags & GETFILELIST_SORT_NAME_ASC || $sortFlags & GETFILELIST_SORT_NAME_DESC) {
+            return strnatcasecmp($a, $b);
+        } elseif ($sortFlags & GETFILELIST_SORT_CREATEDATE_ASC) {
+            return filectime($a) - filectime($b);
+        } elseif ($sortFlags & GETFILELIST_SORT_CREATEDATE_DESC) {
+            return filectime($b) - filectime($a);
+        } elseif ($sortFlags & GETFILELIST_SORT_MODIFYDATE_ASC) {
+            return filemtime($a) - filemtime($b);
+        } elseif ($sortFlags & GETFILELIST_SORT_MODIFYDATE_DESC) {
+            return filemtime($b) - filemtime($a);
+        } elseif ($sortFlags & GETFILELIST_SORT_DIRNAME_ASC) {
+            return strnatcasecmp(dirname($a), dirname($b));
+        } elseif ($sortFlags & GETFILELIST_SORT_DIRNAME_DESC) {
+            return strnatcasecmp(dirname($b), dirname($a));
+        }
+        return strnatcasecmp($a, $b); // Default sort by name
+    };
+
+    // Helper function to recursively iterate over directories
+    $iterateDir = function ($dir) use (&$files, &$iterateDir, $sortFlags, $sortFunction) {
+        $contents = scandir($dir);
+        if ($contents === false) {
+            return;
+        }
+        foreach ($contents as $item) {
+            if ($item == '.' || $item == '..') {
+                continue;
+            }
+            $fullPath = $dir . DIRECTORY_SEPARATOR . $item;
+            if (is_dir($fullPath)) {
+                $iterateDir($fullPath);
+            } else {
+                $files[] = $fullPath;
+            }
+        }
+    };
+
+    $iterateDir($path);
+
+    // Sorting
+    usort($files, $sortFunction);
+
+    return $files;
+}
+
+?>
\ No newline at end of file
diff --git a/files/api/lib/subdircheck.php b/files/api/lib/subdircheck.php
new file mode 100644
index 0000000..766bcc9
--- /dev/null
+++ b/files/api/lib/subdircheck.php
@@ -0,0 +1,13 @@
+<?php
+
+function is_sub_path($path, $parent_folder) {
+    $path = realpath($path);
+    $parent_folder = realpath($parent_folder);
+
+    if ($path !== false && $parent_folder !== false) {
+        return strpos($path, $parent_folder) === 0;
+    }
+
+    return false;
+}
+?>
\ No newline at end of file
diff --git a/files/api/list.php b/files/api/list.php
index 13369ff..82c65b8 100644
--- a/files/api/list.php
+++ b/files/api/list.php
@@ -1,13 +1,14 @@
 <?php
+include_once(__DIR__."/lib/lib.php");
 if ($_SERVER['REQUEST_METHOD'] == 'GET') {
-        $files = scandir("/scans", SCANDIR_SORT_DESCENDING);
-        if(array_key_exists("num", $_GET)) {
-                $num = $_GET["num"];
-        } else {
-                $num = count($files);
-        }
+        $files = getFileList($SCANS_DIR, GETFILELIST_SORT_CREATEDATE_DESC);
+        
+        $num = $_GET["num"] ?? count($files);
         for ($i = 0; $i < $num; $i++) {
-                echo $files[$i]."<br>";
+                echo str_replace($SCANS_DIR."/", "", $files[$i])."<br>";
         }
+} else {
+        http_response_code(405);
+        die("Error: Method not allowed!");
 }
-?>
\ No newline at end of file
+?>
diff --git a/files/api/listfiles.php b/files/api/listfiles.php
new file mode 100644
index 0000000..90e641b
--- /dev/null
+++ b/files/api/listfiles.php
@@ -0,0 +1,16 @@
+<?php
+include_once(__DIR__."/lib/lib.php");
+
+if ($_SERVER['REQUEST_METHOD'] == 'GET') {
+
+    $files = getFileList($SCANS_DIR, GETFILELIST_SORT_CREATEDATE_DESC);
+    for ($i = 0; $i < min(10, count($files)); $i++) {
+            $replaced = str_replace($SCANS_DIR."/", "", $files[$i]);
+            echo "<a class='listitem' href=/download.php?file=" . $replaced . ">" . $replaced . "</a><br>";
+    }
+}
+else {
+    http_response_code(405);
+    die("Error: Method not allowed!");
+}
+?>
\ No newline at end of file
diff --git a/files/api/scan.php b/files/api/scan.php
index ddfa94e..d11ff84 100644
--- a/files/api/scan.php
+++ b/files/api/scan.php
@@ -3,31 +3,39 @@
 ini_set('display_startup_errors', 1);
 error_reporting(E_ALL);
 
-include 'config.php';
+include_once(__DIR__."/lib/config.php");
+include_once(__DIR__."/lib/lib.php");
 
-if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-        $target = $_POST["target"];
-} else if ($_SERVER['REQUEST_METHOD'] == 'GET') {
-        $target = $_GET["target"];
+function exit_error() {
+        http_response_code(400);
+        die("Error: Thou shalt not inject unknown script names!");
 }
 
+
+$target = $_POST["target"] ?? ($_GET["target"] ?? '');
+
 if (empty($target)) {
-        header($_SERVER["SERVER_PROTOCOL"] . " 400 OK");
+        http_response_code(400);
         die("Error: No scanning function selected (try append: ?target=<file|email|image|ocr>)");
 }
 if (in_array($target, array('file','email','image','ocr'))) {
+
+        $script = $SCRIPTS_DIR . "/scanto" . $target . ".sh";
+
+        if(!is_sub_path($script, $SCRIPTS_DIR)) {
+                exit_error();
+        }
         if ($_SERVER['REQUEST_METHOD'] == 'POST') {
                 //return immediately
-                $handle = popen('sudo -b -u \#'.$UID.' /opt/brother/scanner/brscan-skey/script/scanto'.$target.'.sh', 'r');
+                $handle = popen($script, 'r');
         } else if ($_SERVER['REQUEST_METHOD'] == 'GET') {
                 //wait for completion
-                $output=shell_exec('sudo -u \#'.$UID.' /opt/brother/scanner/brscan-skey/script/scanto'.$target.'.sh');
+                $output=shell_exec($script);
         }
 }
 else
 {
-        header($_SERVER["SERVER_PROTOCOL"] . " 400 OK");
-        die("Error: Thou shalt not inject unknown script names!");
+        exit_error();
 }
 
 //TODO: Fix serving of file on get
diff --git a/files/api/status.php b/files/api/status.php
new file mode 100644
index 0000000..5c68d12
--- /dev/null
+++ b/files/api/status.php
@@ -0,0 +1,14 @@
+<?php
+include_once(__DIR__."/lib/config.php");
+
+exec("ps aux | grep '[s]canimage'", $output, $retVal);
+if(!empty($output)) {
+    echo("scanning");
+} else {
+    if (str_contains(file_get_contents(__DIR__ . '/reachable.txt'), '1')) {
+        echo("online");
+    } else {
+        echo("offline");
+    }
+}
+?>
\ No newline at end of file
diff --git a/files/gui/index.php b/files/gui/index.php
index bb8f3fd..675cf71 100644
--- a/files/gui/index.php
+++ b/files/gui/index.php
@@ -1,62 +1,77 @@
+<?php include(__DIR__.'/lib/config.php'); ?>
 <html>
 <head>
-<?php include 'config.php'; ?>
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <link rel="stylesheet" href="main.css">
 <title>Brother <?php echo($MODEL); ?></title>
-<?php
-	if (isset($RENAME_GUI_SCANTOFILE) && $RENAME_GUI_SCANTOFILE) {
-		$button_file = $RENAME_GUI_SCANTOFILE;
-	} else {
-		$button_file = "Scan to file";
-	}
-	if (isset($RENAME_GUI_SCANTOEMAIL) && $RENAME_GUI_SCANTOEMAIL) {
-		$button_email = $RENAME_GUI_SCANTOEMAIL;
-	} else {
-		$button_email = "Scan to email";
-	}
-	if (isset($RENAME_GUI_SCANTOIMAGE) && $RENAME_GUI_SCANTOIMAGE) {
-		$button_image = $RENAME_GUI_SCANTOIMAGE;
-	} else {
-		$button_image = "Scan to image";
-	}
-	if (isset($RENAME_GUI_SCANTOOCR) && $RENAME_GUI_SCANTOOCR) {
-		$button_ocr = $RENAME_GUI_SCANTOOCR;
-	} else {
-		$button_ocr = "Scan to OCR";
-	}
-?>
-
+	<script>
+		let state = "offline";
+		let init_done = false;
+		async function start_scan(target, self) {
+			if (state !== "online") {
+				return;
+			}
+			// assume command succeeds
+			state = "scanning";
+			lock_ui(true, false);
+			self.classList.toggle('loading', true);
+			fetch("/scan.php?target=" + target, { method: "POST" });
+		}
+		function lock_ui(lock, is_init) {
+			console.log("buttons " + (lock ? 'locked' : 'unlocked'));
+			if (!is_init) {
+				document.querySelector("#status").innerText = (state === "scanning" ? 'Scanning' : (state === "online" ? 'Ready to scan' : "Offline"));
+				document.querySelector(".scanner").classList.toggle('hidden', (state !== "scanning"));
+			}
+			document.querySelectorAll(".submit").forEach(e => e.disabled = lock);
+			if(!lock) {
+				document.querySelectorAll(".submit").forEach(e => e.classList.remove('loading'));
+			}
+		}
+		async function fetch_files() {
+			//todo: maybe compare and merge changes
+			const response = await fetch("/listfiles.php");
+			const raw_html = (await response.text()) ?? '';
+			//put into files section
+			document.querySelector("#files").innerHTML = raw_html;
+		}
+		async function init() {
+			// get active state from backend
+			const response = await fetch("/status.php");
+			const new_state = await response.text()
+			if (new_state != state || !init_done) {
+				state = new_state;
+				// lock buttons if offline or scanning
+				lock_ui(!(state === "online"), false);
+			}
+			await fetch_files();
+			init_done = true;
+			// wait 1s
+			setTimeout(init, 1000);
+		}
+	</script>
 </head>
-<body>
+<body onload="lock_ui(true, true); init();">
 	<div class="form">
 			<div class="title">Brother <?php echo($MODEL); ?></div>
+			<div class="subtitle">Status: <span class="status" id="status">Loading...</span></div>
+			<div class="scanner-wrapper"><div class="scanner hidden"></div></div>
 			<div class="cut cut-long"></div>
-			<form target="hiddenFrame" action="/scan.php" method="post">
 				<?php 
-				   if (!isset($DISABLE_GUI_SCANTOFILE) || $DISABLE_GUI_SCANTOFILE != true) {
-						echo('<button type="submit" name="target" value="file" class="submit">'.$button_file.'</button>');
-				   }
-				   if (!isset($DISABLE_GUI_SCANTOEMAIL) || $DISABLE_GUI_SCANTOEMAIL != true) {
-						echo('<button type="submit" name="target" value="email" class="submit">'.$button_email.'</button>');
-				   }
-				   if (!isset($DISABLE_GUI_SCANTOIMAGE) || $DISABLE_GUI_SCANTOIMAGE != true) {
-						echo('<button type="submit" name="target" value="image" class="submit">'.$button_image.'</button>');
-				   }
-				   if (!isset($DISABLE_GUI_SCANTOOCR) || $DISABLE_GUI_SCANTOOCR != true) {
-						echo('<button type="submit" name="target" value="ocr" class="submit">'.$button_ocr.'</button>');
-				   }
+					$labels = array(
+						'file' => $WEBSERVER_LABEL_SCANTOFILE,
+						'email' => $WEBSERVER_LABEL_SCANTOEMAIL,
+						'image' => $WEBSERVER_LABEL_SCANTOIMAGE,
+						'ocr' => $WEBSERVER_LABEL_SCANTOOCR
+					);
+					$labels = array_filter($labels, function($v) { return $v !== null && strlen($v) !== 0; });
+					foreach ($labels as $func => $label) {
+						echo('<button onclick="start_scan(\''. $func .'\', this)" class="submit">'.$label.'</button>');
+					}
 			   ?>
-			</form>
-			<iframe hidden style="" name="transFrame" id="transFrame"></iframe>
 			<div class="subtitle">Last scanned:</div>
-			<?php
-					$files = scandir("/scans", SCANDIR_SORT_DESCENDING);
-					for ($i = 0; $i < 10; $i++) {
-							echo "<a class='listitem' href=/download.php?file=".$files[$i].">".$files[$i]."</a><br>";
-					}
-			?>
+			<div id="files">
+			</div>
 	</div>
 </body>
-</html>
-
+</html>
\ No newline at end of file
diff --git a/files/gui/main.css b/files/gui/main.css
index 2b75f44..c304f64 100644
--- a/files/gui/main.css
+++ b/files/gui/main.css
@@ -1,21 +1,21 @@
-#based on https://codepen.io/ainalem/pen/GRqPwoz
+/*based on https://codepen.io/ainalem/pen/GRqPwoz */
 
 body {
   align-items: center;
   background-color: #000;
   display: flex;
   justify-content: center;
-  height: 100vh;
+  height: 100dvh;
 }
 
 .form {
   background-color: #15172b;
   border-radius: 20px;
   box-sizing: border-box;
-#  height: 550px;
-#  height: 100%;
+  /* height: 550px; */
+  /* height: 100%; */
   padding: 20px;
-#  width: 320px;
+  /* width: 320px; */
 }
 
 .title {
@@ -134,11 +134,88 @@ body {
   font-size: 18px;
   height: 50px;
   margin-top: 30px;
-  // outline: 0;
+  /* outline: 0; */
   text-align: center;
   width: 100%;
+  justify-content: space-evenly;
+  flex-direction: row;
+  align-items: center;
+  transition: all 0.5s;
 }
 
 .submit:active {
   background-color: #06b;
 }
+.submit:disabled {
+	cursor: unset;
+	background-color: #00558a!important;
+}
+
+@media (prefers-color-scheme: dark) {
+	body {
+		background-color: #07070e;
+	}
+}
+.scanner-wrapper {
+	margin-top: 1rem;
+	--scanner-height: 65px;
+	--scanner-width: 40px;
+	height: var(--scanner-height);
+	width: 100%;
+}
+.scanner {
+	position: relative;
+	height: 100%;
+	width: var(--scanner-width);
+	border: 2px solid white;
+	background-image: repeating-linear-gradient(0deg, #b6b6b6, #b6b6b6 1px, transparent 1px, transparent);
+	background-size: 6px 6px;
+}
+.scanner::after {
+	--scanner-line-width: calc(var(--scanner-width) * 1.4);
+	content: ' ';
+	position: absolute;
+	width: var(--scanner-line-width);
+	top: 0;
+	left: calc((var(--scanner-width) - var(--scanner-line-width)) / 2);
+	height: 3px;
+	background-color: red;
+	animation: scanning 0.8s linear infinite;
+}
+@keyframes scanning {
+	50% {
+		transform: translate(0, var(--scanner-height));
+	}
+}
+.hidden {
+	display: none;
+}
+
+.submit::after {
+  content: '';
+  display: inline-block;
+  width: 0px;
+  height: 0px;
+  border-radius: 50%;
+  transition: all 0.5s;
+
+}
+.loading {
+  display: flex;
+}
+.loading::after {
+  width: 20px;
+  height: 20px;
+  border: 2px solid #808097;
+  border-top-color: white;
+  animation: rotating 1s linear infinite;
+}
+
+@keyframes rotating {
+  0% {
+    transform: rotate(0deg);
+  }
+  100% {
+    transform: rotate(360deg);
+  }
+}
\ No newline at end of file
diff --git a/files/runScanner.sh b/files/runScanner.sh
index bffb90a..65fa662 100755
--- a/files/runScanner.sh
+++ b/files/runScanner.sh
@@ -1,18 +1,26 @@
 #!/bin/bash
-echo "setting up user & logfile:"
-if [[ -z ${UID} ]]; then
-	UID=1000
-fi
-if [[ -z ${GID} ]]; then
-	GID=1000
+
+mandatory_vars=(NAME MODEL IPADDRESS)
+missing=0
+for var in "${mandatory_vars[@]}"
+do
+	if [[ -z "${!var}" ]]; then
+		echo "missing mandatory variable: $var"
+		missing=1
+	fi
+done
+if [[ $missing -eq 1 ]]; then
+	echo "exiting"
+	exit 1
 fi
-groupadd --gid $GID NAS
-adduser $USERNAME --uid $UID --gid $GID --disabled-password --force-badname --gecos ""
+
+echo "setting up logfile"
+
 mkdir -p /scans
 chmod 777 /scans
 touch /var/log/scanner.log
-chown $USERNAME /var/log/scanner.log
-env > /opt/brother/scanner/env.txt
+chmod 777 /var/log/scanner.log
+export > /opt/brother/scanner/shell_env.txt
 chmod -R 777 /opt/brother
 echo "-----"
 
@@ -34,59 +42,76 @@ sed -i 's/^ip_address=.*//' /opt/brother/scanner/brscan-skey/brscan-skey.config
 if [[ -z "$HOST_IPADDRESS" ]]; then
 	echo "no host IP configured, using default discovery"
 else
+	echo "using host IP: $HOST_IPADDRESS"
 	echo "ip_address=$HOST_IPADDRESS" >> /opt/brother/scanner/brscan-skey/brscan-skey.config
 fi
 echo "-----"
 
+echo "setting up username:"
+sed -i 's/^user=.*//' /opt/brother/scanner/brscan-skey/brscan-skey.config
+echo "user=${USERNAME:-docker}" >> /opt/brother/scanner/brscan-skey/brscan-skey.config
+echo "using username: ${USERNAME:-docker}"
+echo "-----"
+
 echo "whole config:"
 cat /opt/brother/scanner/brscan-skey/brscan-skey.config
 echo "-----"
 
 echo "starting scanner drivers..."
-su - $USERNAME -c "/usr/bin/brsaneconfig4 -a name=$NAME model=$MODEL ip=$IPADDRESS"
-su - $USERNAME -c "/usr/bin/brscan-skey"
+driver_cmds=("/usr/bin/brsaneconfig4 -a name=$NAME model=$MODEL ip=$IPADDRESS" /usr/bin/brscan-skey)
+for cmd in "${driver_cmds[@]}"
+do
+	#check if failed
+	$cmd
+	if [ $? -ne 0 ]; then
+		echo "failed to start: `$cmd`"
+		exit 1
+	fi
+done
+echo "-----"
+
+echo "setting up script permissions..."
+#change ownership of scripts to root and setuid
+chown root /opt/brother/scanner/brscan-skey/script/*.sh
+chmod u+s /opt/brother/scanner/brscan-skey/script/*.sh
+chmod o+x /opt/brother/scanner/brscan-skey/script/*.sh
+
 echo "-----"
 
 echo "setting up webserver:"
-if [ "$WEBSERVER" == "true" ]; then
+
+if [ -n "${WEBSERVER_ENABLE+x}" ]; then
+
+	if [ -n "${WEBSERVER_PING_ENABLE+x}" ]; then
+		echo "enabling ping status"
+		(
+			while true; do
+				if /usr/bin/ping -c 1 $IPADDRESS > /dev/null; then
+					echo "1" > /var/www/html/reachable.txt
+				else
+					echo "0" > /var/www/html/reachable.txt
+				fi
+				sleep 1
+			done
+		) &
+		
+	fi
+
 	echo "starting webserver for API & GUI..."
 	{
 		echo "<?php"
-		echo "\$UID=$UID;"
-		echo "\$MODEL=\"$MODEL\";"
-		if [[ -n "$RENAME_GUI_SCANTOFILE" ]]; then
-			echo "\$RENAME_GUI_SCANTOFILE=$RENAME_GUI_SCANTOFILE;"
-		fi
-		if [[ -n "$RENAME_GUI_SCANTOEMAIL" ]]; then
-			echo "\$RENAME_GUI_SCANTOEMAIL=$RENAME_GUI_SCANTOEMAIL;"
-		fi
-		if [[ -n "$RENAME_GUI_SCANTOIMAGE" ]]; then
-			echo "\$RENAME_GUI_SCANTOIMAGE=$RENAME_GUI_SCANTOIMAGE;"
-		fi
-		if [[ -n "$RENAME_GUI_SCANTOOCR" ]]; then
-			echo "\$RENAME_GUI_SCANTOOCR=$RENAME_GUI_SCANTOOCR;"
-		fi
-		if [[ -n "$DISABLE_GUI_SCANTOFILE" ]]; then
-			echo "\$DISABLE_GUI_SCANTOFILE=$DISABLE_GUI_SCANTOFILE;"
-		fi
-		if [[ -n "$DISABLE_GUI_SCANTOEMAIL" ]]; then
-			echo "\$DISABLE_GUI_SCANTOEMAIL=$DISABLE_GUI_SCANTOEMAIL;"
-		fi
-		if [[ -n "$DISABLE_GUI_SCANTOIMAGE" ]]; then
-			echo "\$DISABLE_GUI_SCANTOIMAGE=$DISABLE_GUI_SCANTOIMAGE;"
-		fi
-		if [[ -n "$DISABLE_GUI_SCANTOOCR" ]]; then
-			echo "\$DISABLE_GUI_SCANTOOCR=$DISABLE_GUI_SCANTOOCR;"
-		fi
+		vars_to_save=(UID GID MODEL WEBSERVER_PING_ENABLE WEBSERVER_LABEL_SCANTOFILE WEBSERVER_LABEL_SCANTOEMAIL WEBSERVER_LABEL_SCANTOIMAGE WEBSERVER_LABEL_SCANTOOCR)
+		for var in "${vars_to_save[@]}"
+		do
+			#escaping quotes
+			echo "\$${var} = \"${!var//\"/\\\"}\";"
+		done
 		echo "?>"
 		
-	} > /var/www/html/config.php
-	chown www-data /var/www/html/config.php
-	if [[ -z ${PORT} ]]; then
-		PORT=80
-	fi
-	echo "running on port $PORT"
-	sed -i "s/server.port\W*= 80/server.port = $PORT/" /etc/lighttpd/lighttpd.conf
+	} > /var/www/html/lib/config.php
+	chown www-data /var/www/html/lib/config.php
+	echo "running on port ${WEBSERVER_PORT:-80}"
+	sed -i "s/server.port\W*= 80/server.port = ${WEBSERVER_PORT:-80}/" /etc/lighttpd/lighttpd.conf
 	/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
 	echo "webserver started"
 else
@@ -98,8 +123,5 @@ echo "capabilities:"
 scanimage -A
 
 echo "startup successful"
-while true;
-do
-  tail -f /var/log/scanner.log
-done
+tail -f /var/log/scanner.log
 exit 0
diff --git a/script/scanRear.sh b/script/scanRear.sh
index 4533ed6..777f07f 100755
--- a/script/scanRear.sh
+++ b/script/scanRear.sh
@@ -3,7 +3,8 @@
 # $2 = friendly name
 
 #override environment, as brscan is screwing it up:
-export $(grep -v '^#' /opt/brother/scanner/env.txt | xargs)
+#export $(grep -v '^#' /opt/brother/scanner/env.txt | xargs)
+source /opt/brother/scanner/shell_env.txt
 
 if [[ $RESOLUTION ]]; then
   resolution=$RESOLUTION
@@ -32,20 +33,11 @@ rm scan_pid
 #sthg is wrong with device name, probably escaping, use default printer:
 #scan_cmd="scanimage -l 0 -t 0 -x 215 -y 297 --device-name=$device --resolution=$resolution --batch=$output_file"
 scan_cmd="scanimage -l 0 -t 0 -x 215 -y 297 --resolution=$resolution --batch=$output_file"
-
-if [ "`which usleep  2>/dev/null `" != '' ];then
-    usleep 100000
-else
-    sleep  0.1
-fi
+sleep  0.1
 $($scan_cmd)
 if [ ! -s $filename_base"0001.pnm" ];then
-  if [ "`which usleep  2>/dev/null `" != '' ];then
-    usleep 1000000
-  else
-    sleep  1
-  fi
-  $($scan_cmd)
+	sleep  1
+	$($scan_cmd)
 fi
 
 (
@@ -73,7 +65,9 @@ fi
 	
 	(
 		echo "converting to PDF for $date..."
-		gm convert -page A4+0+0 $compression_flag *.pnm /scans/$date.pdf	
+		gm convert -page A4+0+0 $compression_flag *.pnm /scans/$date.pdf
+		#change ownership to target user/group
+		chown $UID:$GID /scans/$date.pdf
 		/opt/brother/scanner/brscan-skey/script/trigger_inotify.sh "${SSH_USER}" "${SSH_PASSWORD}" "${SSH_HOST}" "${SSH_PATH}" $date.pdf
 		
 		echo "cleaning up for $date..."
@@ -85,7 +79,9 @@ fi
 		else
 			echo "starting OCR for $date..."
 			(
-				curl -F "userfile=@/scans/$date.pdf" -H "Expect:" -o /scans/$date-ocr.pdf ${OCR_SERVER}:${OCR_PORT}/${OCR_PATH} 
+				curl -F "userfile=@/scans/$date.pdf" -H "Expect:" -o /scans/$date-ocr.pdf ${OCR_SERVER}:${OCR_PORT}/${OCR_PATH}
+				#change ownership to target user/group
+				chown $UID:$GID /scans/$date-ocr.pdf
 				/opt/brother/scanner/brscan-skey/script/trigger_inotify.sh "${SSH_USER}" "${SSH_PASSWORD}" "${SSH_HOST}" "${SSH_PATH}" $date-ocr.pdf
 
 				/opt/brother/scanner/brscan-skey/script/sendtoftps.sh \
diff --git a/script/scantoemail-0.2.4-1.sh b/script/scantoemail-0.2.4-1.sh
index 360d370..357cbad 100644
--- a/script/scantoemail-0.2.4-1.sh
+++ b/script/scantoemail-0.2.4-1.sh
@@ -4,8 +4,8 @@
 
 {
 #override environment, as brscan is screwing it up:
-export $(grep -v '^#' /opt/brother/scanner/env.txt | xargs)
-
+#export $(grep -v '^#' /opt/brother/scanner/env.txt | xargs)
+source /opt/brother/scanner/shell_env.txt
 SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
 /bin/bash $SCRIPTPATH/scanRear.sh $@
 
diff --git a/script/scantofile-0.2.4-1.sh b/script/scantofile-0.2.4-1.sh
index 49994b1..86eb869 100755
--- a/script/scantofile-0.2.4-1.sh
+++ b/script/scantofile-0.2.4-1.sh
@@ -4,7 +4,8 @@
 
 {
 #override environment, as brscan is screwing it up:
-export $(grep -v '^#' /opt/brother/scanner/env.txt | xargs)
+#export $(grep -v '^#' /opt/brother/scanner/env.txt | xargs)
+source /opt/brother/scanner/shell_env.txt
 
 if [[ $RESOLUTION ]]; then
   resolution=$RESOLUTION
@@ -30,33 +31,22 @@ echo "filename: "$output_file
 #sthg is wrong with device name, probably escaping, use default printer:
 #scan_cmd="scanimage -l 0 -t 0 -x 215 -y 297 --device-name=$device --resolution=$resolution --batch=$output_file"
 scan_cmd="scanimage -l 0 -t 0 -x 215 -y 297 --resolution=$resolution --batch=$output_file"
-
-if [ "`which usleep  2>/dev/null `" != '' ];then
-    usleep 100000
-else
-    sleep  0.1
-fi
+sleep  0.1
 $($scan_cmd)
 if [ ! -s $filename_base"0001.pnm" ];then
-  if [ "`which usleep  2>/dev/null `" != '' ];then
-    usleep 1000000
-  else
-    sleep  1
-  fi
+  sleep 1
   $($scan_cmd)
 fi
 
 #only convert when no back pages are being scanned:
 (
-	if [ "`which usleep  2>/dev/null `" != '' ];then
-		usleep 120000000
-	else
-		sleep  120
-	fi
+	sleep  120	
 	
 	(
 		echo "converting to PDF for $date..."
 		gm convert -page A4+0+0 $compression_flag $filename_base*.pnm /scans/$date.pdf
+		#change ownership to target user/group
+		chown $UID:$GID /scans/$date.pdf
 		/opt/brother/scanner/brscan-skey/script/trigger_inotify.sh "${SSH_USER}" "${SSH_PASSWORD}" "${SSH_HOST}" "${SSH_PATH}" $date.pdf
 	
 		echo "cleaning up for $date..."
@@ -69,6 +59,8 @@ fi
 			echo "starting OCR for $date..."
 			(
 				curl -F "userfile=@/scans/$date.pdf" -H "Expect:" -o /scans/$date-ocr.pdf ${OCR_SERVER}:${OCR_PORT}/${OCR_PATH}
+				#change ownership to target user/group
+				chown $UID:$GID /scans/$date-ocr.pdf
 				/opt/brother/scanner/brscan-skey/script/trigger_inotify.sh "${SSH_USER}" "${SSH_PASSWORD}" "${SSH_HOST}" "${SSH_PATH}" $date-ocr.pdf
 				/opt/brother/scanner/brscan-skey/script/sendtoftps.sh \
 				  "${FTP_USER}" \