Caddy | v2.11.3

Caddy v2.11.3 released on 12-05-2026


Caddy v2.11.3 is out now. Operators and administrators benefit from security and admin hardening that prevents non‑PHP files from being executed and closes several remote admin socket auth bypasses.

See the full changelog on GitHub for details and the complete list of fixes and improvements: https://github.com/caddyserver/caddy/compare/v2.11.2…v2.11.3

What’s in this release

  • Security and admin hardening: fastcgi patch to prevent execution of non‑PHP files, a more complete vars GHSA fix, and multiple admin fixes that close remote admin socket auth bypasses.
  • TLS, ACME and transport improvements: avoid ACME fallback for implicit Tailscale policies, add ALPN to managed HTTPS records, propagate ECH keys to the QUIC listener and prefer port 443 when auto‑HTTPS selects a default.
  • Request handling and observability: sync placeholder behaviour, avoid inappropriate placeholder expansion, configurable reverseproxy stream copy buffer size, journald and OTLP metric improvements, and redaction of sensitive request headers in API logs.

Upgrade notes

  • No breaking changes are called out in the release notes; review the full changelog on GitHub before upgrading.
  • If you need to roll back, the previous tag in the changelog comparison is v2.11.2; follow your usual rollback procedure.

Please share comments on your upgrade experience or any issues you spot after updating.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes