Releases: static-web-server/static-web-server
Release list
v2.43.0
This new v2.43.0 brings bug fixes, new features and improvements. A fix for unnecessary pre-compressed file lookups, FIPS-capable TLS support via a new Cargo feature and prebuilt binaries, several performance optimizations, hardening across several modules, better byte-range suffix detection and extract normalization coverage, CI workflow updates and other enhancements.
Fixes
- b224b6e Update project dependencies. PR #685 by @joseluisq
- 8421a06 Unnecessary pre-compressed file look up when the uncompressed one doesn't exist. PR #684 by @joseluisq
- 9b9c1a7 Docker: Update Alpine (
3.23.4) & Debian (13.5) Docker images. PR #678 by @joseluisq
Features
- 3ff096c FIPS-capable TLS via new
http2-fipsCargo feature flag usingaws-lc-rsin FIPS mode. PR #645 by @alexander-bauer. See docs, new Docker Images and prebuilt binaries available. - 7ff6cf6 Optional default text charset via
--default-charset. PR #656 by @davlgd. See docs (follow-up PR #657 by @joseluisq).
Refactorings
- a5af389 Hardening and robustness increase for several modules. PR #672 by @joseluisq
- 6514b87 Minimum size threshold for dynamic compression. PR #673 by @joseluisq
- f503ee1 Byte-range suffix detection and extract normalization helpers, which increases case coverage. PR #674 by @joseluisq
- e5103c3 Performance optimizations for several modules. PR #675 by @joseluisq
- aa66137 Improve directory listing performance. PR #676 by @joseluisq
- 2302e46 Improve MIME types for compression and default text charset features (follow-up). PR #657 by @joseluisq
- 216e45b CI: Update devel workflow to compile several targets and FIPS directly via GitHub Actions runners. PR #691 by @joseluisq
- 2ac6c5e CI: Update release workflow to compile several targets and FIPS directly via GitHub Actions runners. PR #693 by @joseluisq
- dc2c7a2 CI: Update release GitHub Actions workflows for FIPS builds (follow-up). PR #689 by @joseluisq
- 6f0d607 CI: Update release GitHub Actions workflows for FIPS builds. PR #688 by @joseluisq
Docs
- f93f80e Add missing FIPS Docker images and binary descriptions. PR #687 by @joseluisq
- 6dc9798 Add missing
.htmlsuffix feature for404errors. PR #686 by @joseluisq
For more details see the v2.43.0 milestone and the full changelog v2.42.0...v2.43.0.
v2.42.0
This new v2.42.0 brings bug fixes, new features and improvements. Fix a memory increase regression introduced in v2.40.0. Support for HTTP Prometheus metrics, Local-time for logs by default, support for the POSIX TZ environment variable to configure logs's timezone, as well as other minor improvements.
Fixes
- 0b128b9 Update dependencies and bump up Rust to 1.88.0. PR #641 by @joseluisq
- 4124999 Regression: Memory increase for Linux Musl statically-linked binaries introduced in
v2.40.0. See PR #640 by @joseluisq - 8451cf7
--disable-symlinksoption does not work properly if a path contains intermediate symlink components. PR #639 by @joseluisq
Features
- b798f68 Local-time support for logs by default to honor user's system time. It also supports the POSIX
TZenvironment variable to update the logs's time zone on demand. PR #632 by @joseluisq. See docs. - 2d50f88 Stabilize Prometheus metrics feature via
--metricsoption. PR #635 by @chrissnell. See docs - a4213e5 HTTP-level Prometheus metrics for the metrics endpoint. PR #631 by @chrissnell
- 6ada726 Grafana dashboard example for Prometheus metrics feature. PR #636 by @chrissnell. See example.
Docs
- 0a8c8ca Metrics feature documentation page. PR #633 by @chrissnell. See docs
- b6856ea Local-time support for logs. PR #638 by @joseluisq
For more details see the v2.42.0 milestone and the full changelog v2.41.0...v2.42.0.
v2.41.0
This new v2.41.0 release includes important bug fixes, new features, and improvements.
The custom headers, installer scripts and hidden file handling are now more reliable. Dynamic compression encodings have been enhanced with internal priority support based on modern compression algorithms. Default options now help protect hidden files and prevent risky symlink usage. The installer and Docker images have been improved and dependencies are updated for better stability. Also, the documentation features a new showcases page to highlight how SWS is being used in the wild.
Security Patch
This particular release patches a timing-based username enumeration vulnerability in Basic Authentication (CVE-2026-27480) due to early response for invalid usernames which could allow attackers to identify valid users.
Users utilizing the SWS' Basic Authentication feature are primarily impacted.
We encourage to update as soon as possible.
Fixes
- 88422ba Update project dependencies. (#620) by @joseluisq
- 7bf0fd4 Timing-based username enumeration vulnerability in 'Basic Authentication' feature (CVE-2026-27480). Patch by @naoyashiga
- bc7b7cd Docker: Update Alpine (3.22.3) and Debian (13.3) Docker images. (#619,#625) by @joseluisq
- df5fb00 Custom headers are not applied when
--redirect-trailing-slashis disabled. (#613) by @joseluisq - 1a31f00 Hidden root paths (e.g. .public) are ignored by
--ignore-hidden-filesfeature. (#606) by @mightyiam - 9fbafcf Installer script fails when used in Alpine Linux. (#610) by @joseluisq
- c298a6d CI: Remove
pull_requesttrigger fromrelease-docker-develworkflow. (#608) by @joseluisq
Features
- 735cc79 Add internal priority support for dynamic compression encodings based on modern compression algorithms. (#622) by @msuarezd. See docs.
Refactorings
- 08900b3 Separate static pre-compression from dynamic compression features. (#624) by @msuarezd
- 2839352 breaking: The
--ignore-hidden-filesand--disable-symlinksoptions are now enabled by default. (#621) by @joseluisq - d76106f Replace unmaintained
rustls-pemfiledependency in tls module. (#616) by @joseluisq - 865e8e4 Improve SWS installer script functionality for Linux/BSDs. (#611) by @joseluisq
- be04262 Docker: Prefer
gnueabihfbinary for Debianlinux/arm/v7Docker image. (#609) by @joseluisq
Docs
- beacdbc Initial SWS 'showcases' page to highlight how SWS is being used. (#605) by @joseluisq. See docs.
For more details see the v2.41.0 milestone and the full changelog v2.40.1...v2.41.0.
v2.40.1
This new patch v2.40.1 release brings important security bug fixes for users serving directories with symbolic links (symlinks) as well as other minor improvements.
Security vulnerability patch
This particular release patches a Symbolic link path traversal vulnerability (GHSA-459f-x8vq-xjjm)
Any web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.
We encourage users to update as soon as possible.
Fixes
- 9b7297c Update dependencies like async-compression, log, libc and others. #599 by @joseluisq
- 308f0d2 Fix incorrect symbolic link handling by @joseluisq
Refactorings
- ce3a51c CI: Dedicated workflow for project documentation checks. #596 by @joseluisq
- dd43d06 Misc: Markdown format check support for project documentation. #597 by @mschoettle
For more details see the v2.40.1 milestone and the full changelog v2.40.0...v2.40.1.
v2.40.0
This new v2.40.0 release introduces important security bug fixes, performance, resource, and binary size optimisations, rootless Debian and Alpine Docker images, support for content negotiation of Markdown files and other enhancements.
For more details about the changes, take a look at the corresponding PR and documentation links.
Fixes
- 55562a1 Update dependencies like rustls, tracing, async-compression, clap, bytes and others. #582, #589 by @joseluisq
- 0fedeb3 library: Crate documentation issues. #583 by @joseluisq
Features
- ee4b049 Add
armv7-unknown-linux-gnueabihftarget. #586 by @joseluisq - 2c25d82 Content negotiation for Markdown files via
Acceptheader. #577 by @davlgd, see docs. - 326abbe library: Add
exit_on_erroroption toServer::run_server_on_rtfunction to control server termination. #578 by @frnsys
Refactorings
- c66c791 Docker: Prefer dynamically-linked binaries for Debian Docker images, which reduces containers' memory usage significantly. #588 by @joseluisq
- afddfd6 Drop
jemallocin favour ofmimallocfor MUSL targets, which reduces statically-linked binaries' memory usage. #587 by @joseluisq - 557363e Replace
regexcrate withregex-liteto reduce binary size. #581 by @joseluisq - b234984 Docker: Rootless Debian and Alpine Docker images, which reduce the attack surface and improve security. #567 by @joseluisq, read the docs.
- Update for Docker users: Only if you are using the default
/publicdirectory as Docker volume without any--rootorSERVER_ROOTenv, then change it to point to/var/publicinstead or provide a custom root directory.
- Update for Docker users: Only if you are using the default
- d48da4c Simplify the default public directory of Docker image and default error pages, which improves the default index and error pages' responsiveness in the browser. #579 by @joseluisq
- ce5b4fa Drop
lazy_staticand prefer fixed text mime types for dynamic compression. #580 by @joseluisq - ea9f43f CI: Move perfcheck workflow behind a PR comment trigger. #584 by @joseluisq
For more details see the v2.40.0 milestone and the full changelog v2.39.0...v2.40.0.
v2.39.0
This new v2.39.0 release brings important security bug fixes, updates to project dependencies and Docker images, as well as other improvements.
This release fixes CVE-2025-62518 (a.k.a TARmageddon).
Additionally, the project Minimum Supported Rust Version (MSRV) has been bumped to Rust 1.85.0 (2024 Edition).
Fixes
- 57025e3 Update dependencies and MSRV to Rust 1.85.0 (2024 Edition). PR #572 by @joseluisq
- a7e8fa3 Update Alpine (
3.21.5) & Debian (12.12) Docker images. PR #573 by @joseluisq - 2549119 Virtual hosts feature doesn't work with HTTP/2. PR #571 by @CrazyCraftix
For more details see the v2.39.0 milestone and the full changelog v2.38.1...v2.39.0.
v2.38.1
This new v2.38.1 release brings several security and bug fixes and improvements for the Cache Control feature.
Fixes
- c5477fe Bugfix/security dependency updates including tokio, rustls, serde, toml, percent-encoding, tracing, regex and other crates. PR #556, #561 by @joseluisq
- 2a09238 Update Alpine Docker images to
3.21.4. #563 by @joseluisq
Refactorings
- 0b55770 Remove
publicfromCache-Controlheader value when feature is enabled. This can prevent CDN and Basic Authentication cache issues. PR #562 by @joseluisq
For more details, see the v2.38.1 milestone and the full changelog v2.38.0...v2.38.1.
v2.38.0
This new v2.38.0 release brings several security and bug fixes and support for a less-generic sws.toml default config file as well as other improvements.
Fixes
- 8c435ad Bugfix/security dependency updates including tokio, rustls, serde, toml, async-compression, clap and other crates. PR #552 by @joseluisq
- 47ce050 Update Alpine (
3.20.7) & Debian (12.11) Docker images. PR #553 by @joseluisq
Features
- acd8388 Add a less-generic config file
sws.tomlsupport as default. PR #551 by @davlgd.- Migration: The previous default
config.tomlfile name will be supported for a while, but it's recommended to usesws.tomlinstead.
- Migration: The previous default
For more details see the v2.38.0 milestone and the full changelog v2.37.0...v2.38.0.
v2.37.0
This new v2.37.0 release brings several security and bug fixes. New features like the possibility to download directories as tarballs, better control for server log ANSI output, end of support for a few unmaintained Windows platforms and other improvements.
End of support for unmaintained Windows 7, 8, 8.1 platforms
As anticipated in v2.36.1, SWS no longer supports Windows 7, 8, and 8.1 platforms. SWS now requires Rust 1.82.0 or later to build, and the minimum supported Windows platform is Windows 10.
Cargo experimental feature restored
The Cargo experimental feature is part of the binary release again (v2.37.0 and future releases).
Fixes
- b56e3c4 Bugfix/security dependency updates including tokio, rustls, chrono, flate2, windows-service, serde and other crates. SWS now requires Rust
1.82.0or later to build. PR #546, #545 by @joseluisq - a384d92 Update Alpine
3.20.6and Debian12.10Docker images. PR #539 by @joseluisq - cb19995 Generic server log info output even on higher log levels. PR #542 by @joseluisq fixes #541 reported by @Tasssadar.
Features
- 89f5846 Support for downloading a directory as a compressed tarball (
tar.gz) via the new--directory-listing-download=targzoption. PR #544 by @ekangmonyet resolves #67 suggested by @shirshak55. See docs. - 0236980 Control log ANSI output via new boolean
--log-with-ansi=trueoption (SWS is now no-ANSI by default). PR #543 resolves #540 suggested by @Tasssadar. See docs.
Refactorings
- Misc: 5d1eaac Automate post-release updates using CI. PR #538 by @joseluisq
For more details see the v2.37.0 milestone and the full changelog v2.36.1...v2.37.0.
Acknowledgments
Thanks to our new donor @mrkesu for supporting the project.
v2.36.1
This new v2.36.1 release brings several security and bug fixes and is the last version supporting legacy Windows 7, 8, 8.1 platforms.
Security patch for RUSTSEC-2024-0437
This release temporarily removes the experimental Cargo feature from the resulting static-web-server binary (but not the Cargo feature itself) to prevent shipping the security vulnerability (RUSTSEC-2024-0437 #530) in this release.
The experimental Cargo feature (that includes experimental features like metrics and in-memory cache) will be restored to be part of the binary again in the next release.
End support for unmaintained Windows 7, 8, 8.1 platforms
As we mentioned a year ago (#447), SWS would not continue supporting legacy Windows 7, 8, and 8.1 platforms for so long as Microsoft stopped support for Windows 7 in 2020 and Rust requires Windows 10 as the minimum supported platform since 1.78.
Today, we announce that v2.36.1 is the last release supporting such legacy platforms and having Rust 1.76.0 as MSRV.
Future releases will bump up the MSRV when convenient and will require Windows 10 as the minimum supported platform.
However, although we will try to provide a patch for users wanting to build SWS manually for those legacy platforms in the future, we cannot fully guarantee that SWS will continue building for the aforementioned platforms.
Fixes
- ad4c171 Bugfix/security dependency updates including tokio, httparse, ring, rustls, bytes, serde and other crates. PR #532.
- 5fbd0c5 CORS: Add missing
Originto theVaryheader value when CORS feature is enabled. PR #534 resolves #533 reported by @rbozan.
For more details see the v2.36.1 milestone and the full changelog v2.36.0...v2.36.1.