Caddy v2.11.4 released on 03-06-2026

Caddy v2.11.4 is out now. Operators and administrators get security patches and stability fixes across TLS, reverse proxy and HTTP handling that reduce races and harden request processing.
See the full changelog and download links on the project GitHub: https://github.com/caddyserver/caddy/compare/v2.11.3…v2.11.4
What’s in this release
- Security and collision fixes: normalize Windows backslashes in the path matcher, ignore header fields with underscores, improve templates’ stripHTML action, and apply a community GHSA patch.
- TLS and client-auth stability: fix client-auth, address TLS state races and ECH rotation retry behaviour, and improve IDN SNI matching (skip idna.ToASCII for pure ASCII SNI values).
- Reverse proxy and request-body robustness: wrap request bodies to prevent premature closes, avoid closing bodies on dial errors, and add a regression test for DialInfo network override.
Upgrade notes
- No breaking changes are noted; Caddyfile implicit TLS issuer semantics are preserved — test TLS and proxy configurations in a staging environment before rolling to production.
- If you need to revert, the previous release is v2.11.3 (see the compare link in the changelog).
Share your experience after upgrading — report any issues on the project’s GitHub or leave a note in the comments about how the update performed in your environment.


