Caddy v2.11.4 released on 03-06-2026

Caddy v2.11.4 is out now. It fixes multiple security and stability issues across TLS, reverse proxy and HTTP behaviour, and includes a GHSA patch.
Head to the project’s GitHub for the full changelog, downloads and the accompanying security advisory.
What’s in this release
- Security and responsible-disclosure fixes: normalize Windows backslashes in the path matcher; prevent placeholder re‑expansion in injected queries; improve templates’ stripHTML for malformed HTML; ignore header fields with underscores; GHSA patch included.
- TLS, client-auth, ECH and SNI stability improvements: client auth bugfix (fix #7724), TLS state race fixes, ECH rotation retry improvements, match IDN SNI in connection policies and skip idna.ToASCII for pure-ASCII SNI values.
- Reverse proxy and request-body robustness plus HTTP/tooling fixes: prevent request-body closures on dial errors and wrap bodies so they aren’t closed if unread; omit Last-Modified when mod times are unusable; prioritise zstd/br over gzip; support starting on IPv6-only hosts and other quality-of-life fixes.
Upgrade notes
- No breaking changes are reported; review the GHSA patch and the full changelog on GitHub before upgrading for any environment-specific considerations.
- Rollback: if you need to revert, the previous release is v2.11.3 (see the full changelog compare v2.11.3…v2.11.4).
Share comments on your experience with the update on the project’s issue tracker or community channels.


