Caddy | v2.11.3

Caddy v2.11.3 released on 12-05-2026


Caddy v2.11.3 is out now. Operators and site administrators benefit from multiple security hardenings and reliability improvements across FastCGI, the admin API, TLS/ACME and QUIC.

See the release notes and download links on the project GitHub for full details and upgrade instructions: https://github.com/caddyserver/caddy/compare/v2.11.2…v2.11.3

What’s in this release

  • Security fixes: FastCGI patch (ported from FrankenPHP) that prevented non‑PHP files being executed, a more complete vars fix for the GHSA advisory, and several admin hardenings to stop remote admin socket auth bypasses.
  • TLS/ACME and QUIC refinements: implicit Tailscale *.ts.net policies no longer fall back to ACME, expanded ACME credential/issuer inheritance and ALPN for managed HTTPS records, plus ECH key propagation and upstream quic‑go/CertMagic fixes.
  • Reverse proxy and reliability tweaks: fixes for redundant Host header handling, configurable stream copy buffer size, new lb_retry_match condition and the ability to clear dynamic upstreams cache during retries, plus assorted rewrite and query fixes.

Upgrade notes

  • No breaking changes are reported for v2.11.3; upgrade is recommended to close the security vectors. Follow the upgrade guidance and see the full changelog on GitHub: https://github.com/caddyserver/caddy/compare/v2.11.2…v2.11.3
  • If you must roll back, reinstall the previous tag (v2.11.2) — the compare/changelog above shows the changes between the two releases to help diagnosis.

Let us know how the upgrade goes or report any issues on the project’s GitHub — feedback on compatibility and observability changes is especially useful.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes