Static Web Server

Reverse Proxies & Load Balancers

A tiny, fast, cross‑platform web server optimized for serving static files with low overhead

Rust · Latest v2.42.0 · 2mo ago

Features

  • Built on Rust for memory safety and high concurrency using Hyper & Tokio
  • Single ~4 MB fully static binary (Musl libc) suitable for Docker or any Linux distro
  • Supports HTTP/1, HTTP/2, TLS, GZip/Brotli/Zstd compression and partial content delivery
  • Configurable via CLI, env vars, TOML; includes Prometheus metrics, CORS, basic auth

Recent releases

v2.42.0 Bug fix
Notable features
  • Local-time support for logs by default, configurable via POSIX TZ env var
  • Stabilized Prometheus metrics via --metrics option
  • HTTP-level Prometheus metrics endpoint and Grafana dashboard example
Full changelog

This new v2.42.0 release brings bug fixes, new features and improvements. It fixes a memory increase regression introduced in v2.40.0 and adds support for HTTP Prometheus metrics, local time for logs by default, and the POSIX TZ environment variable to configure the logs' time zone, as well as other minor improvements.

Fixes

  • 0b128b9 Update dependencies and bump up Rust to 1.88.0. PR #641 by @joseluisq
  • 4124999 Regression: Memory increase for Linux Musl statically-linked binaries introduced in v2.40.0. See PR #640 by @joseluisq
  • 8451cf7 --disable-symlinks option does not work properly if a path contains intermediate symlink components. PR #639 by @joseluisq
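
The failure mode named in fix 8451cf7, shown as an added example (not the project's code): a symlink check that inspects only the final path component misses a symlinked directory in the middle of the path, while a per-component walk catches it. The function names and the sample tree are constructed for illustration, and a Unix host is assumed.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Incomplete check: looks only at the final component of the resolved path.
fn naive_rejects(root: &Path, rel: &str) -> bool {
    fs::symlink_metadata(root.join(rel))
        .map(|m| m.file_type().is_symlink())
        .unwrap_or(false)
}

/// Walks the request path below `root` and rejects a symlink at any depth.
fn strict_rejects(root: &Path, rel: &str) -> bool {
    let mut cur = root.to_path_buf();
    for comp in Path::new(rel).components() {
        match comp {
            Component::Normal(name) => cur.push(name),
            Component::CurDir => continue,
            _ => return true, // "..", root or prefix parts never belong here
        }
        match fs::symlink_metadata(&cur) {
            Ok(m) if m.file_type().is_symlink() => return true,
            Ok(_) => {}
            Err(_) => return false, // missing path: nothing left to follow
        }
    }
    false
}

/// Constructed tree: root/real/a.txt, outside/secret.txt, root/link -> outside.
fn build_sample_tree() -> io::Result<PathBuf> {
    let base = std::env::temp_dir().join(format!("symlink-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let root = base.join("root");
    fs::create_dir_all(root.join("real"))?;
    fs::create_dir_all(base.join("outside"))?;
    fs::write(root.join("real/a.txt"), "public")?;
    fs::write(base.join("outside/secret.txt"), "private")?;
    std::os::unix::fs::symlink(base.join("outside"), root.join("link"))?;
    Ok(root)
}

fn main() {
    let root = build_sample_tree().expect("temp dir is writable");
    for rel in ["real/a.txt", "link", "link/secret.txt"] {
        println!("{rel}: naive={} strict={}", naive_rejects(&root, rel), strict_rejects(&root, rel));
    }
}
```

A check of this kind still leaves a window between the check and the later open, so it complements rather than replaces running the server with minimal privileges.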

Features

  • b798f68 Local-time support for logs by default to honor the user's system time. It also supports the POSIX TZ environment variable to update the logs' time zone on demand. PR #632 by @joseluisq. See docs.
  • 2d50f88 Stabilize Prometheus metrics feature via --metrics option. PR #635 by @chrissnell. See docs
  • a4213e5 HTTP-level Prometheus metrics for the metrics endpoint. PR #631 by @chrissnell
  • 6ada726 Grafana dashboard example for Prometheus metrics feature. PR #636 by @chrissnell. See example.

Docs

  • 0a8c8ca Metrics feature documentation page. PR #633 by @chrissnell. See docs
  • b6856ea Local-time support for logs. PR #638 by @joseluisq

For more details see the v2.42.0 milestone and the full changelog v2.41.0...v2.42.0.

v2.41.0 Breaking risk
Breaking changes
  • --ignore-hidden-files and --disable-symlinks are now enabled by default
Security fixes
  • CVE-2026-27480 — timing-based username enumeration vulnerability patched in Basic Authentication (GHSA-qhp6-635j-x7r2)
Notable features
  • Internal priority support for dynamic compression encodings based on modern algorithms
  • Showcases page in documentation highlighting real-world SWS usage
Full changelog

This new v2.41.0 release includes important bug fixes, new features, and improvements.
The custom headers, installer scripts and hidden file handling are now more reliable. Dynamic compression encodings have been enhanced with internal priority support based on modern compression algorithms. Default options now help protect hidden files and prevent risky symlink usage. The installer and Docker images have been improved and dependencies are updated for better stability. Also, the documentation features a new showcases page to highlight how SWS is being used in the wild.

Security Patch

This particular release patches a timing-based username enumeration vulnerability in Basic Authentication (CVE-2026-27480). It was caused by an early response for invalid usernames, which could allow attackers to identify valid users.

Users of the SWS Basic Authentication feature are primarily impacted.

We encourage users to update as soon as possible.
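
The early-response pattern described above next to a uniform-work check, as an added example (not the project's code or its actual patch). The credentials, the `Auth` type and the iterated FNV-1a stand-in for a slow password hash are all constructed; a call counter makes the difference in work visible without measuring time.

```rust
use std::cell::Cell;

/// Constructed stand-in for a slow password hash such as bcrypt (iterated FNV-1a).
fn slow_hash(password: &str) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for _ in 0..10_000 {
        for b in password.bytes() {
            h = (h ^ (b as u64)).wrapping_mul(0x100000001b3);
        }
    }
    h
}

/// Byte comparison without an early exit; lengths are not treated as secret.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

struct Auth { user: String, pass_hash: u64, hash_calls: Cell<u32> }

impl Auth {
    fn check_pass(&self, password: &str) -> bool {
        self.hash_calls.set(self.hash_calls.get() + 1); // count the expensive step
        slow_hash(password) == self.pass_hash
    }
    /// Early response: an unknown username returns before any hashing happens.
    fn check_early_return(&self, user: &str, password: &str) -> bool {
        if user != self.user {
            return false;
        }
        self.check_pass(password)
    }
    /// Uniform work: hash on every request, then combine without short-circuit.
    fn check_uniform(&self, user: &str, password: &str) -> bool {
        let pass_ok = self.check_pass(password);
        pass_ok & ct_eq(user.as_bytes(), self.user.as_bytes())
    }
}

fn sample_auth() -> Auth {
    Auth { user: "admin".into(), pass_hash: slow_hash("s3cret"), hash_calls: Cell::new(0) }
}

/// Hash computations per request: (early-return variant, uniform variant).
fn hash_work(user: &str, password: &str) -> (u32, u32) {
    let auth = sample_auth();
    auth.check_early_return(user, password);
    let early = auth.hash_calls.replace(0);
    auth.check_uniform(user, password);
    (early, auth.hash_calls.get())
}
```

For an unknown username the early-return variant does no hashing at all, which is the response-time difference an observer can measure; the uniform variant does the same work for every request.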

Fixes

  • 88422ba Update project dependencies. (#620) by @joseluisq
  • 7bf0fd4 Timing-based username enumeration vulnerability in 'Basic Authentication' feature (CVE-2026-27480). Patch by @naoyashiga
  • bc7b7cd Docker: Update Alpine (3.22.3) and Debian (13.3) Docker images. (#619,#625) by @joseluisq
  • df5fb00 Custom headers are not applied when --redirect-trailing-slash is disabled. (#613) by @joseluisq
  • 1a31f00 Hidden root paths (e.g. .public) are ignored by --ignore-hidden-files feature. (#606) by @mightyiam
  • 9fbafcf Installer script fails when used in Alpine Linux. (#610) by @joseluisq
  • c298a6d CI: Remove pull_request trigger from release-docker-devel workflow. (#608) by @joseluisq

Features

  • 735cc79 Add internal priority support for dynamic compression encodings based on modern compression algorithms. (#622) by @msuarezd. See docs.

Refactorings

  • 08900b3 Separate static pre-compression from dynamic compression features. (#624) by @msuarezd
  • 2839352 breaking: The --ignore-hidden-files and --disable-symlinks options are now enabled by default. (#621) by @joseluisq
  • d76106f Replace unmaintained rustls-pemfile dependency in tls module. (#616) by @joseluisq
  • 865e8e4 Improve SWS installer script functionality for Linux/BSDs. (#611) by @joseluisq
  • be04262 Docker: Prefer gnueabihf binary for Debian linux/arm/v7 Docker image. (#609) by @joseluisq

Docs

  • beacdbc Initial SWS 'showcases' page to highlight how SWS is being used. (#605) by @joseluisq. See docs.

For more details see the v2.41.0 milestone and the full changelog v2.40.1...v2.41.0.

v2.40.1 Security relevant
Security fixes
  • GHSA-459f-x8vq-xjjm — fixes Symbolic link path traversal vulnerability
Full changelog

This new patch v2.40.1 release brings important security bug fixes for users serving directories with symbolic links (symlinks) as well as other minor improvements.

Security vulnerability patch

This particular release patches a symbolic link path traversal vulnerability (https://github.com/advisories/GHSA-459f-x8vq-xjjm).
Any web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.

We encourage users to update as soon as possible.

Fixes

  • 9b7297c Update dependencies like async-compression, log, libc and others. #599 by @joseluisq
  • 308f0d2 Fix incorrect symbolic link handling by @joseluisq

Refactorings

  • ce3a51c CI: Dedicated workflow for project documentation checks. #596 by @joseluisq
  • dd43d06 Misc: Markdown format check support for project documentation. #597 by @mschoettle

For more details see the v2.40.1 milestone and the full changelog v2.40.0...v2.40.1.

v2.40.0 Breaking risk
⚠ Upgrade required
  • For Docker users: if using the default `/public` volume without `--root` or `SERVER_ROOT`, change the mount point to `/var/public` or specify a custom root directory.
Breaking changes
  • Docker volume path default changed from `/public` to `/var/public` for rootless images; users must update their volume mapping or set a custom `SERVER_ROOT`.
Notable features
  • Added `armv7-unknown-linux-gnueabihf` build target
  • Content negotiation for Markdown files via `Accept` header
  • `exit_on_error` option added to `Server::run_server_on_rt`
Full changelog

This new v2.40.0 release introduces important security bug fixes, performance, resource, and binary size optimisations, rootless Debian and Alpine Docker images, support for content negotiation of Markdown files and other enhancements.

For more details about the changes, take a look at the corresponding PR and documentation links.

Fixes

  • 55562a1 Update dependencies like rustls, tracing, async-compression, clap, bytes and others. #582, #589 by @joseluisq
  • 0fedeb3 library: Crate documentation issues. #583 by @joseluisq

Features

  • ee4b049 Add armv7-unknown-linux-gnueabihf target. #586 by @joseluisq
  • 2c25d82 Content negotiation for Markdown files via Accept header. #577 by @davlgd, see docs.
  • 326abbe library: Add exit_on_error option to Server::run_server_on_rt function to control server termination. #578 by @frnsys

Refactorings

  • c66c791 Docker: Prefer dynamically-linked binaries for Debian Docker images, which reduces containers' memory usage significantly. #588 by @joseluisq
  • afddfd6 Drop jemalloc in favour of mimalloc for MUSL targets, which reduces statically-linked binaries' memory usage. #587 by @joseluisq
  • 557363e Replace regex crate with regex-lite to reduce binary size. #581 by @joseluisq
  • b234984 Docker: Rootless Debian and Alpine Docker images, which reduce the attack surface and improve security. #567 by @joseluisq, read the docs.
    • Update for Docker users: Only if you are using the default /public directory as Docker volume without any --root or SERVER_ROOT env, then change it to point to /var/public instead or provide a custom root directory.
  • d48da4c Simplify the default public directory of Docker image and default error pages, which improves the default index and error pages' responsiveness in the browser. #579 by @joseluisq
  • ce5b4fab Drop lazy_static and prefer fixed text mime types for dynamic compression. #580 by @joseluisq
  • ea9f43f CI: Move perfcheck workflow behind a PR comment trigger. #584 by @joseluisq

For more details see the v2.40.0 milestone and the full changelog v2.39.0...v2.40.0.

v2.39.0 Breaking risk
⚠ Upgrade required
  • Docker images updated: Alpine 3.21.5 and Debian 12.12
  • Virtual hosts feature currently non‑functional with HTTP/2
Breaking changes
  • Minimum Supported Rust Version (MSRV) increased to Rust 1.85.0
Security fixes
  • CVE-2025-62518 — TARmageddon vulnerability fixed
Full changelog

This new v2.39.0 release brings important security bug fixes, updates to project dependencies and Docker images, as well as other improvements.

This release fixes CVE-2025-62518 (a.k.a. TARmageddon).

Additionally, the project Minimum Supported Rust Version (MSRV) has been bumped to Rust 1.85.0 (2024 Edition).

Fixes

  • 57025e3 Update dependencies and MSRV to Rust 1.85.0 (2024 Edition). PR #572 by @joseluisq
  • a7e8fa3 Update Alpine (3.21.5) & Debian (12.12) Docker images. PR #573 by @joseluisq
  • 2549119 Virtual hosts feature doesn't work with HTTP/2. PR #571 by @CrazyCraftix

For more details see the v2.39.0 milestone and the full changelog v2.38.1...v2.39.0.

About

  • Stars: 2,251
  • Forks: 121
  • Languages: Rust, Shell, Dockerfile

Install & Platforms

  • Install via: binary, docker
  • Platforms: linux, macos, windows