caddy
Reverse Proxies & Load Balancers
A powerful web server platform that automatically provisions HTTPS and supports HTTP/2 & HTTP/3 out of the box
Features
- Automatic HTTPS with built‑in Let's Encrypt and ZeroSSL support
- Dynamic configuration via JSON API
- Supports HTTP/1.1, HTTP/2, and HTTP/3 natively
- Highly extensible modular architecture
Recent releases
v2.11.2
Security relevant
Security fixes
- forward_auth identity injection and privilege escalation vulnerability fixed
- vars_regexp placeholder double-expansion vulnerability allowing secret revelation fixed
Notable features
- New tls_resolvers global option to control DNS resolvers for ACME DNS challenge
- Log rolling now supports zstd compression
- Dynamic upstreams now tracked for passive health checking
v2.11.1
Security relevant
Security fixes
- CVE-2026-27590 - FastCGI: Unicode case-folding length expansion causes incorrect SCRIPT_NAME/PATH_INFO split
- CVE-2026-27589 - Admin API: no-cors mode cross-origin requests could bypass security
- CVE-2026-27588 - Host matcher becomes case-sensitive for lists >100 items
Notable features
- Encrypted ClientHello (ECH) keys now rotate automatically
- SIGUSR1 can reload configuration from command line
- Reverse proxy automatically rewrites Host header to upstream HTTPS address