Caddy | v2.11.4

Caddy v2.11.4 released on 03-06-2026


Caddy v2.11.4 is out now. It fixes multiple security and stability issues across TLS, reverse proxy and HTTP behaviour, and includes a GHSA patch.

Head to the project’s GitHub for the full changelog, downloads and the accompanying security advisory.

What’s in this release

  • Security and responsible-disclosure fixes: normalize Windows backslashes in the path matcher; prevent placeholder re‑expansion in injected queries; improve templates’ stripHTML for malformed HTML; ignore header fields with underscores; GHSA patch included.
  • TLS, client-auth, ECH and SNI stability improvements: client auth bugfix (fix #7724), TLS state race fixes, ECH rotation retry improvements, match IDN SNI in connection policies and skip idna.ToASCII for pure-ASCII SNI values.
  • Reverse proxy and request-body robustness plus HTTP/tooling fixes: prevent request-body closures on dial errors and wrap bodies so they aren’t closed if unread; omit Last-Modified when mod times are unusable; prioritise zstd/br over gzip; support starting on IPv6-only hosts and other quality-of-life fixes.

Upgrade notes

  • No breaking changes are reported; review the GHSA patch and the full changelog on GitHub before upgrading for any environment-specific considerations.
  • Rollback: if you need to revert, the previous release is v2.11.3 (see the full changelog compare v2.11.3…v2.11.4).

Share comments on your experience with the update on the project’s issue tracker or community channels.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes