⚠️ CRITICAL SECURITY NOTICE (February 2026)
6 CVEs fixed in Caddy v2.11.1. All users should upgrade immediately.
- CVE-2026-27590: FastCGI RCE (Critical)
- CVE-2026-27589: CSRF bypass (High)
- CVE-2026-27588: Host matcher bypass (High)
- CVE-2026-27587: Path matcher bypass (High)
- CVE-2026-27586: TLS auth fail-open (High)
- CVE-2026-27585: Glob sanitization bypass (High)
| Aspect | Status | Notes |
|---|---|---|
| Project Maintenance | ✅ Active | Regular releases |
| Security Response | ✅ Responsive | 6 CVEs patched in v2.11.1 |
| Recent Releases | ✅ 2.11.1 (Feb 2026) | Critical security update |
| Known CVEs | ⚠️ 6 fixed | All patched in v2.11.1 |
| Package Availability | ✅ Available | Cloudsmith, COPR, Docker |
```bash
# Debian/Ubuntu
sudo apt update && sudo apt install caddy
# RHEL/CentOS/Fedora
sudo dnf update caddy
# Docker
docker pull caddy:2.11.1
# Verify the installed binary
caddy version
# Should show: v2.11.1
```
```caddyfile
# Disable the admin API in production (global options block)
{
	admin off
}
# Or bind it to localhost only (this is also Caddy's default)
{
	admin localhost:2019
}
```
```caddyfile
example.com {
	# Modern TLS settings (default in Caddy)
	tls {
		protocols tls1.2 tls1.3
		# Post-quantum hybrid key exchange (v2.10+). Listing only this curve
		# rejects clients that do not support it; omit the line to keep the
		# default list, which already prefers it.
		curves x25519mlkem768
	}
}
```
```caddyfile
example.com {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
		Referrer-Policy strict-origin-when-cross-origin
		# Legacy header: modern browsers ignore it and the auditor filter it
		# enabled had its own issues; rely on the CSP below instead.
		X-XSS-Protection "1; mode=block"
		Content-Security-Policy "default-src 'self'"
	}
}
```
Encrypted ClientHello (ECH), available in v2.10+:
```caddyfile
# ECH is configured in the global options block, not inside a site's tls
# directive. ech.example.com is a placeholder for the public name sent in the
# outer ClientHello; publishing the HTTPS DNS record that advertises the ECH
# config requires a DNS provider module (dns subdirective).
{
	ech ech.example.com
}
```
```caddyfile
example.com {
	tls {
		# Pin key exchange to the post-quantum hybrid group (v2.10+).
		# Clients without X25519MLKEM768 support will fail the handshake.
		curves x25519mlkem768
	}
}
```
```caddyfile
example.com {
	# Caddy has no built-in request rate limiter and the expression matcher
	# has no "requests" counter. This uses the third-party
	# github.com/mholt/caddy-ratelimit module (build Caddy with xcaddy);
	# it answers 429 once a client exceeds 100 requests per minute.
	rate_limit {
		zone per_client {
			key    {remote_host}
			events 100
			window 1m
		}
	}
}
```
```bash
# Caddyfile: readable by the caddy group, writable only by root
sudo chown root:caddy /etc/caddy/Caddyfile
sudo chmod 640 /etc/caddy/Caddyfile
# Data directory (certificates and private keys)
sudo chown caddy:caddy /var/lib/caddy
sudo chmod 700 /var/lib/caddy
# Log directory
sudo chown caddy:caddy /var/log/caddy
sudo chmod 755 /var/log/caddy
```
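A post-hardening audit for the steps above (patched version, admin API binding, Caddyfile mode). This is an added example, not part of the page or the Caddy project; it assumes GNU coreutils (`sort -V`, `stat -c`) and takes the `caddy version` output and file paths as arguments so it can also be run against constructed samples.

```shell
#!/bin/sh
# Post-hardening audit for Caddy (added example, not Caddy project code).
# Assumes GNU coreutils (sort -V, stat -c); all inputs are passed as arguments
# so the checks can run against constructed samples as well as a live host.

# Return 0 when dotted version $1 is greater than or equal to $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# $1: output of `caddy version` (e.g. "v2.11.1 h1:..."), $2: minimum patched
# release (defaults to 2.11.1, the release that fixes the six CVEs above).
check_caddy_version() {
    ver=$(printf '%s' "$1" | awk '{print $1}' | sed 's/^v//')
    version_ge "$ver" "${2:-2.11.1}"
}

# $1: path to a Caddyfile. Pass when the admin API is off or bound to a
# loopback or unix address; fail when it is bound anywhere else. A missing
# "admin" option keeps Caddy's default of localhost:2019, so it passes.
check_admin_api() {
    line=$(grep -E '^[[:space:]]*admin[[:space:]]' "$1" | head -n1)
    [ -z "$line" ] && return 0
    printf '%s\n' "$line" |
        grep -Eq 'admin[[:space:]]+(off|localhost(:|$)|127\.0\.0\.1:|\[::1\]:|unix/)'
}

# $1: path, $2: expected octal mode (e.g. 640 for /etc/caddy/Caddyfile).
check_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "$2" ]
}

# Run the three checks against the live host when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    check_caddy_version "$(caddy version)" && echo "version: ok" || echo "version: UPGRADE"
    check_admin_api /etc/caddy/Caddyfile && echo "admin api: ok" || echo "admin api: EXPOSED"
    check_mode /etc/caddy/Caddyfile 640 && echo "caddyfile mode: ok" || echo "caddyfile mode: FIX"
fi
```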
```ini
# /etc/systemd/system/caddy.service.d/hardening.conf
# Apply with: systemctl daemon-reload && systemctl restart caddy
[Service]
# Filesystem protection
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/var/lib/caddy /var/log/caddy
# Network restrictions (AF_UNIX is required for sd_notify with Type=notify
# and for a unix admin socket)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Capability restrictions: the non-root caddy user still needs
# CAP_NET_BIND_SERVICE to bind ports 80 and 443, so keep it ambient
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# System call filtering
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Kernel and device isolation
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Restrict privileges
NoNewPrivileges=true
RestrictSUIDSGID=true
# Resource limits
LimitNOFILE=65535
```
```caddyfile
example.com {
	# Deny a source range outright (remote_ip is the direct peer address)
	@blocked {
		remote_ip 192.168.1.0/24
	}
	respond @blocked "Access denied" 403
}
```
```caddyfile
example.com {
	# Cap request bodies to limit upload abuse and memory use
	request_body {
		max_size 10MB
	}
}
```
```caddyfile
example.com {
	# Restrict /admin/* to the internal 10.0.0.0/8 range: match admin requests
	# that do NOT come from that range and reject them. Without "not", the
	# original matcher denied the internal network and allowed everyone else.
	# Behind a reverse proxy, use client_ip with trusted_proxies configured.
	@admin {
		path /admin/*
		not remote_ip 10.0.0.0/8
	}
	respond @admin 403
}
```
```caddyfile
example.com {
	# Structured access logs: one JSON object per request, easy to ship to a SIEM
	log {
		output file /var/log/caddy/access.log
		format json
		level INFO
	}
}
```
```bash
# Check certificate status
ls -la /var/lib/caddy/certificates/
# Monitor for renewal errors (under systemd the process log is also in the
# journal: journalctl -u caddy -f)
tail -f /var/log/caddy/caddy.log | grep -i "renewal\|error"
```
Monitor for:
See Caddy Hardening for server-specific hardening details.