Skip to content

Release history

Static Web Server releases

Cross-platform, high-performance, and asynchronous web server for static file serving.

Back to tool Latest release

All releases

8 shown

v2.42.0 Bug fix
Notable features
  • Local-time support for logs by default, configurable via POSIX TZ env var
  • Stabilized Prometheus metrics via --metrics option
  • HTTP-level Prometheus metrics endpoint and Grafana dashboard example
Full changelog

This new v2.42.0 brings bug fixes, new features and improvements. Fix a memory increase regression introduced in v2.40.0. Support for HTTP Prometheus metrics, Local-time for logs by default, support for the POSIX TZ environment variable to configure logs's timezone, as well as other minor improvements.

Fixes

  • 0b128b9 Update dependencies and bump up Rust to 1.88.0. PR #641 by @joseluisq
  • 4124999 Regression: Memory increase for Linux Musl statically-linked binaries introduced in v2.40.0. See PR #640 by @joseluisq
  • 8451cf7 --disable-symlinks option does not work properly if a path contains intermediate symlink components. PR #639 by @joseluisq

Features

  • b798f68 Local-time support for logs by default to honor user's system time. It also supports the POSIX TZ environment variable to update the logs's time zone on demand. PR #632 by @joseluisq. See docs.
  • 2d50f88 Stabilize Prometheus metrics feature via --metrics option. PR #635 by @chrissnell. See docs
  • a4213e5 HTTP-level Prometheus metrics for the metrics endpoint. PR #631 by @chrissnell
  • 6ada726 Grafana dashboard example for Prometheus metrics feature. PR #636 by @chrissnell. See example.

Docs

  • 0a8c8ca Metrics feature documentation page. PR #633 by @chrissnell. See docs
  • b6856ea Local-time support for logs. PR #638 by @joseluisq

For more details see the v2.42.0 milestone and the full changelog v2.41.0...v2.42.0.

View release on GitHub
v2.41.0 Breaking risk
Breaking changes
  • --ignore-hidden-files and --disable-symlinks are now enabled by default
Security fixes
  • CVE-2026-27480 — timing-based username enumeration vulnerability patched in Basic Authentication (GHSA-qhp6-635j-x7r2)
Notable features
  • Internal priority support for dynamic compression encodings based on modern algorithms
  • Showcases page in documentation highlighting real-world SWS usage
Full changelog

This new v2.41.0 release includes important bug fixes, new features, and improvements.
The custom headers, installer scripts and hidden file handling are now more reliable. Dynamic compression encodings have been enhanced with internal priority support based on modern compression algorithms. Default options now help protect hidden files and prevent risky symlink usage. The installer and Docker images have been improved and dependencies are updated for better stability. Also, the documentation features a new showcases page to highlight how SWS is being used in the wild.

Security Patch

This particular release patches a timing-based username enumeration vulnerability in Basic Authentication (CVE-2026-27480) due to early response for invalid usernames which could allow attackers to identify valid users.

Users utilizing the SWS' Basic Authentication feature are primarily impacted.

We encourage to update as soon as possible.

Fixes

  • 88422ba Update project dependencies. (#620) by @joseluisq
  • 7bf0fd4 Timing-based username enumeration vulnerability in 'Basic Authentication' feature (CVE-2026-27480). Patch by @naoyashiga
  • bc7b7cd Docker: Update Alpine (3.22.3) and Debian (13.3) Docker images. (#619,#625) by @joseluisq
  • df5fb00 Custom headers are not applied when --redirect-trailing-slash is disabled. (#613) by @joseluisq
  • 1a31f00 Hidden root paths (e.g. .public) are ignored by --ignore-hidden-files feature. (#606) by @mightyiam
  • 9fbafcf Installer script fails when used in Alpine Linux. (#610) by @joseluisq
  • c298a6d CI: Remove pull_request trigger from release-docker-devel workflow. (#608) by @joseluisq

Features

  • 735cc79 Add internal priority support for dynamic compression encodings based on modern compression algorithms. (#622) by @msuarezd. See docs.

Refactorings

  • 08900b3 Separate static pre-compression from dynamic compression features. (#624) by @msuarezd
  • 2839352 breaking: The --ignore-hidden-files and --disable-symlinks options are now enabled by default. (#621) by @joseluisq
  • d76106f Replace unmaintained rustls-pemfile dependency in tls module. (#616) by @joseluisq
  • 865e8e4 Improve SWS installer script functionality for Linux/BSDs. (#611) by @joseluisq
  • be04262 Docker: Prefer gnueabihf binary for Debian linux/arm/v7 Docker image. (#609) by @joseluisq

Docs

  • beacdbc Initial SWS 'showcases' page to highlight how SWS is being used. (#605) by @joseluisq. See docs.

For more details see the v2.41.0 milestone and the full changelog v2.40.1...v2.41.0.

View release on GitHub
v2.40.1 Security relevant
Security fixes
  • GHSA-459f-x8vq-xjjm — fixes Symbolic link path traversal vulnerability
Full changelog

This new patch v2.40.1 release brings important security bug fixes for users serving directories with symbolic links (symlinks) as well as other minor improvements.

Security vulnerability patch

This particular release patches a Symbolic link path traversal vulnerability (https://github.com/advisories/GHSA-459f-x8vq-xjjm)
Any web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.

We encourage users to update as soon as possible.

Fixes

  • 9b7297c Update dependencies like async-compression, log, libc and others. #599 by @joseluisq
  • 308f0d2 Fix incorrect symbolic link handling by @joseluisq

Refactorings

  • ce3a51c CI: Dedicated workflow for project documentation checks. #596 by @joseluisq
  • dd43d06 Misc: Markdown format check support for project documentation. #597 by @mschoettle

For more details see the v2.40.1 milestone and the full changelog v2.40.0...v2.40.1.

View release on GitHub
v2.40.0 Breaking risk
⚠ Upgrade required
  • For Docker users: if using the default `/public` volume without `--root` or `SERVER_ROOT`, change the mount point to `/var/public` or specify a custom root directory.
Breaking changes
  • Docker volume path default changed from `/public` to `/var/public` for rootless images; users must update their volume mapping or set a custom `SERVER_ROOT`.
Notable features
  • Added `armv7-unknown-linux-gnueabihf` build target
  • Content negotiation for Markdown files via `Accept` header
  • `exit_on_error` option added to `Server::run_server_on_rt`
Full changelog

This new v2.40.0 release introduces important security bug fixes, performance, resource, and binary size optimisations, rootless Debian and Alpine Docker images, support for content negotiation of Markdown files and other enhancements.

For more details about the changes, take a look at the corresponding PR and documentation links.

Fixes

  • 55562a1 Update dependencies like rustls, tracing, async-compression, clap, bytes and others. #582, #589 by @joseluisq
  • 0fedeb3 library: Crate documentation issues. #583 by @joseluisq

Features

  • ee4b049 Add armv7-unknown-linux-gnueabihf target. #586 by @joseluisq
  • 2c25d82 Content negotiation for Markdown files via Accept header. #577 by @davlgd, see docs.
  • 326abbe library: Add exit_on_error option to Server::run_server_on_rt function to control server termination. #578 by @frnsys

Refactorings

  • c66c791 Docker: Prefer dynamically-linked binaries for Debian Docker images, which reduces containers' memory usage significantly. #588 by @joseluisq
  • afddfd6 Drop jemalloc in favour of mimalloc for MUSL targets, which reduces statically-linked binaries' memory usage. #587 by @joseluisq
  • 557363e Replace regex crate with regex-lite to reduce binary size. #581 by @joseluisq
  • b234984 Docker: Rootless Debian and Alpine Docker images, which reduce the attack surface and improve security. #567 by @joseluisq, read the docs.
    • Update for Docker users: Only if you are using the default /public directory as Docker volume without any --root or SERVER_ROOT env, then change it to point to /var/public instead or provide a custom root directory.
  • d48da4c Simplify the default public directory of Docker image and default error pages, which improves the default index and error pages' responsiveness in the browser. #579 by @joseluisq
  • ce5b4fab Drop lazy_static and prefer fixed text mime types for dynamic compression. #580 by @joseluisq
  • ea9f43f CI: Move perfcheck workflow behind a PR comment trigger. #584 by @joseluisq

For more details see the v2.40.0 milestone and the full changelog v2.39.0...v2.40.0.

View release on GitHub
v2.39.0 Breaking risk
⚠ Upgrade required
  • Docker images updated: Alpine 3.21.5 and Debian 12.12
  • Virtual hosts feature currently non‑functional with HTTP/2
Breaking changes
  • Minimum Supported Rust Version (MSRV) increased to Rust 1.85.0
Security fixes
  • CVE-2025-62518 — TARmageddon vulnerability fixed
Full changelog

This new v2.39.0 release brings important security bug fixes, updates to project dependencies and Docker images, as well as other improvements.

This release fixes CVE-2025-62518 (a.k.a TARmageddon).

Additionally, the project Minimum Supported Rust Version (MSRV) has been bumped to Rust 1.85.0 (2024 Edition).

Fixes

  • 57025e3 Update dependencies and MSRV to Rust 1.85.0 (2024 Edition). PR #572 by @joseluisq
  • a7e8fa3 Update Alpine (3.21.5) & Debian (12.12) Docker images. PR #573 by @joseluisq
  • 2549119 Virtual hosts feature doesn't work with HTTP/2. PR #571 by @CrazyCraftix

For more details see the v2.39.0 milestone and the full changelog v2.38.1...v2.39.0.

View release on GitHub
v2.38.1 Breaking risk
Breaking changes
  • Removed `public` from `Cache-Control` header value when Cache Control feature is enabled
Security fixes
  • Dependency updates including tokio, rustls, serde, toml, percent-encoding, tracing, regex for security fixes
Full changelog

This new v2.38.1 release brings several security and bug fixes and improvements for the Cache Control feature.

Fixes

  • c5477fe Bugfix/security dependency updates including tokio, rustls, serde, toml, percent-encoding, tracing, regex and other crates. PR #556, #561 by @joseluisq
  • 2a09238 Update Alpine Docker images to 3.21.4. #563 by @joseluisq

Refactorings

  • 0b55770 Remove public from Cache-Control header value when feature is enabled. This can prevent CDN and Basic Authentication cache issues. PR #562 by @joseluisq

For more details, see the v2.38.1 milestone and the full changelog v2.38.0...v2.38.1.

View release on GitHub
v2.38.0 Security relevant
⚠ Upgrade required
  • `sws.toml` is now the default configuration file name; `config.toml` remains supported for a transition period.
  • Alpine Docker image updated to 3.20.7 and Debian Docker image updated to 12.11.
Security fixes
  • Updated crates tokio, rustls, serde, toml, async-compression, clap and others include security fixes
Notable features
  • Default config file renamed to `sws.toml` (legacy `config.toml` still supported temporarily)
Full changelog

This new v2.38.0 release brings several security and bug fixes and support for a less-generic sws.toml default config file as well as other improvements.

Fixes

  • 8c435ad Bugfix/security dependency updates including tokio, rustls, serde, toml, async-compression, clap and other crates. PR #552 by @joseluisq
  • 47ce050 Update Alpine (3.20.7) & Debian (12.11) Docker images. PR #553 by @joseluisq

Features

  • acd8388 Add a less-generic config file sws.toml support as default. PR #551 by @davlgd.
    • Migration: The previous default config.toml file name will be supported for a while, but it's recommended to use sws.toml instead.

For more details see the v2.38.0 milestone and the full changelog v2.37.0...v2.38.0.

View release on GitHub
v2.37.0 Breaking risk
Breaking changes
  • End of support for unmaintained Windows 7, 8, and 8.1 platforms; minimum supported platform is Windows 10.
  • Minimum Rust version bumped to 1.82.0 for building the server.
Notable features
  • Download a directory as a compressed tarball (`tar.gz`) via `--directory-listing-download=targz` option.
  • Control log ANSI output with new boolean flag `--log-with-ansi=true` (off by default).
Full changelog

This new v2.37.0 release brings several security and bug fixes. New features like the possibility to download directories as tarballs, better control for server log ANSI output, end of support for a few unmaintained Windows platforms and other improvements.

End of support for unmaintained Windows 7, 8, 8.1 platforms

As anticipated in v2.36.1, SWS no longer supports Windows 7, 8, and 8.1 platforms. SWS now requires Rust 1.82.0 or later to build, and the minimum supported Windows platform is Windows 10.

Cargo experimental feature restored

The Cargo experimental feature is part of the binary release again (v2.37.0 and future releases).

Fixes

  • b56e3c4 Bugfix/security dependency updates including tokio, rustls, chrono, flate2, windows-service, serde and other crates. SWS now requires Rust 1.82.0 or later to build. PR #546, #545 by @joseluisq
  • a384d92 Update Alpine 3.20.6 and Debian 12.10 Docker images. PR #539 by @joseluisq
  • cb19995 Generic server log info output even on higher log levels. PR #542 by @joseluisq fixes #541 reported by @Tasssadar.

Features

  • 89f5846 Support for downloading a directory as a compressed tarball (tar.gz) via the new --directory-listing-download=targz option. PR #544 by @ekangmonyet resolves #67 suggested by @shirshak55. See docs.
  • 0236980 Control log ANSI output via new boolean --log-with-ansi=true option (SWS is now no-ANSI by default). PR #543 resolves #540 suggested by @Tasssadar. See docs.

Refactorings

  • Misc: 5d1eaac Automate post-release updates using CI. PR #538 by @joseluisq

For more details see the v2.37.0 milestone and the full changelog v2.36.1...v2.37.0.

Acknowledgments

Thanks to our new donor @mrkesu for supporting the project.

View release on GitHub

Beta — feedback welcome: [email protected]