Skip to content

LiteSpeed Web Server changelog v6.3

This is an archive for LSWS v6.3. For the most recent releases, visit the main Changelog.

Version 6.3.4

Build 11

Released: February 25, 2026

  • [Bug Fix] Address two configuration handling issues introduced in build 10.
  • [Bug Fix] Address a SecRemoteRules processing issue causing skipped rules.
  • [Bug Fix] Address FreeBSD 15 + zfs posix_fallocate() error handling.

Build 10

Released: January 19, 2026

  • [Improvement] Add 'LS_EXTAPP_ENV' support for Node.js/Python/Ruby applications.

Build 9

Released: January 7, 2026

  • [Bug Fix] Address a blocking issue caused by CAPTCHA throttling.
  • [Bug Fix] Address an HTTP/2 header handling corner case.
  • [Tuning] Server PUSH tracking cookie is now off by default.

Build 8

Released: November 21, 2025

  • [Bug Fix] Address a PROXY protocol client address update issue for HTTP requests.
  • [Bug Fix] Address an HTTP/2 hpack decoding corner case.
  • [Bug Fix] Address a mod_security corner case.
  • [Bug Fix] Address a python application 404 error corner case.

Build 7

Released: November 4, 2025

  • [Bug Fix] Address a SHM corruption corner case.
  • [Bug Fix] Skip CAPTCHA for Google merchant center crawler google-xrawler.
  • [Bug Fix] Address some minor issues with the installer script.
  • [Bug Fix] Address incorrect CPU affinity mask for external worker processes under a LXC container.
  • [Tuning] Increase VHost level limit of number of access log files from 4 to 8.
  • [Tuning] Increase cache object max size limit from 10M to 100M.

Build 6

Released: September 22, 2025

  • [Bug Fix] Avoid RBL lookup using stale cache for cPGuard reCAPTCHA service.
  • [Bug Fix] Address a broken chained rule for ModSecurity triggered CAPTCHA.
  • [Bug Fix] Address a crash due to a gQUIC corner case in lsquic.
  • [Bug Fix] Address a SHM hash LRU corner case.
  • [Tuning] Skip some local domains for domain limited licenses.

Build 5

Released: September 12, 2025

  • [Bug Fix] Address a ModSecurity triggered CAPTCHA corner case.
  • [Bug Fix] Address a crash caused by internal direct over HTTP/2 connection.
  • [Bug Fix] Make "Require local" configuration work properly.
  • [Bug Fix] Fix a ModSecurity regression for @InspectFile operator.

Build 4

Released: September 4, 2025

  • [Improvement] Add Apache configuration directive "DisableHtaccessBlockbot" to disable blockbot feature in .htaccess.
  • [Bug Fix] Update "REDIRECT_STATUS" environment variable fix to cover more cases.

Build 3

Released: August 26, 2025

  • [Bug Fix] Address an Apache SSL configuration problem with SSLCertificateChainFile directive.
  • [Bug Fix] Address an Apache namespace virtual host level configuration override problem.
  • [Bug Fix] Address namespace failures due to missing non-essential files.

Build 2

Released: August 19, 2025

  • [Bug Fix] Address an Apache application context configuration regression introduced in 6.3.4 build 0.
  • [Improvement] Bug fixes and improvements to namespace support.
  • [Tuning] Better Googlebot User-Agent detection for different services.

Build 1

Released: August 5, 2025

  • [Bug Fix] Address a SHM initialization regression introduced in 6.3.4 build 0.

Build 0

Released: August 1, 2025

  • [Security] Fix a memory leak in HTTP/3 protocol.
  • [Improvement] Adjust HTTP/2 stream reset attack detection to reduce false positives.
  • [Improvement] Reduce cache storage consumption by avoiding caching responses to crawlers.
  • [Improvement] Add IPv6 support for internal HTTP fetch.
  • [Bug Fix] Address issues with DirectAdmin RoundCube email access.
  • [Bug Fix] Address failure to stop Node.js application issue.
  • [Bug Fix] Address inconsistent "REDIRECT_STATUS" environment variable issue.
  • [Bug Fix] Fix Node.js/python applications skipping ModSecurity scanning issue.
  • [Bug Fix] Fix broken SecDefActions configuration.
  • [Bug Fix] Fix minor namespace configuration issue.

Version 6.3.3

Build 4

Released: July 29, 2025

  • [Bug Fix] Address a python application configuration regression introduced in build 3.

Build 3

Released: July 25, 2025

  • [Security] Fix a memory leak in HTTP/3 protocol.
  • [Bug Fix] Fix Node.js/python applications skipping ModSecurity scanning issue.
  • [Bug Fix] Fix broken SecDefActions configuration.
  • [Bug Fix] Fix minor namespace configuration issue.
  • [Improvement] Add IPv6 support for internal HTTP fetch.
  • [Tuning] Reduce sensitivity of HTTP/2 abuse detection.

Build 2

Released: July 10, 2025

  • [Improvement] Adjust HTTP/2 stream reset attack detection to reduce false positives.
  • [Improvement] Update LSQUIC to version 4.3.0.
  • [Improvement] Reduce cache storage consumption by avoiding caching responses to crawlers.
  • [Bug Fix] Address issues with DirectAdmin RoundCube email access.
  • [Bug Fix] Address failure to stop Node.js application issue.
  • [Bug Fix] Address inconsistent "REDIRECT_STATUS" environment variable issue.

Build 1

Released: June 5, 2025

  • [Bug Fix] Address a regression in graceful restart.
  • [Bug Fix] Address a crash caused by a newly added logging code.
  • [Bug Fix] Fix request header operation for server built-in error pages.

Build 0

Released: June 2, 2025

  • [Security] Update stderr.log without world readable permissions to prevent unauthorized access.
  • [Improvement] Allow SSL SNI protocol updates at the domain level.
  • [Improvement] Minimize the cost of handling idle new TCP connections.
  • [Improvement] Keep uppercase/lowercase header name for HTTP/1.1 for better compatibility with some clients.
  • [Improvement] Improve HTTP/2 engine with better anti-DDoS capabilities.
  • [Bug Fix] Improve LiteSpeed Containers support.
  • [Bug Fix] Fix random killing of processes in Enhance panel environments.
  • [Bug Fix] Fix mod_security inspectFile operator input variables transformation.
  • [Bug Fix] Fix a mod_security rule parser corner case.
  • [Bug Fix] Fix a mod_security remote rule processing issues.
  • [Bug Fix] Add support for SSILegacyExprParser directive to address SSI backward compatibility issues.
  • [Bug Fix] Address Apache Server Side Includes and ProxyPass compatibility issues.

Version 6.3.2

Build 4

Released: April 11, 2025

  • [Security] Update stderr.log without world readable permissions to prevent unauthorized access.
  • [Improvement] Allow SSL SNI protocol updates at the domain level.
  • [Bug Fix] Address a mod_security rule parser corner case.
  • [Bug Fix] Address a rewrite rule handling corner case.

Build 3

Released: March 12, 2025

  • [Bug Fix] Address a ProxyPass compatibility issue for rewritten URL.
  • [Bug Fix] Address a random crash during server shutdown.

Build 2

Released: March 5, 2025

  • [Bug Fix] Add support for SSILegacyExprParser directive to address SSI backward compatibility issues.

Build 1

Released: February 27, 2025

  • [Bug Fix] Address random crashing caused by a request parser corner case.
  • [Bug Fix] Address Apache Server Side Includes compatibility issues.
  • [Bug Fix] Address broken vhost level ACL using environment variables.
  • [Bug Fix] Improve LiteSpeed Containers support.

Build 0

Released: February 18, 2025

  • [Security] Update lsquic to address hash flood vulnerability and other bug fixes.
  • [New Feature] Improve HTTP/2 implementation to block aggressive robots when under attack.
  • [New Feature] Improve LiteSpeed Containers and Redis support for control panels.
  • [New Feature] Add environment variable "noantiddos" to selectively disable anti-DDoS detection via rewrite rule or setenvif.
  • [Improvement] Add support for access log format "%{c}a" to log connection peer address.
  • [Improvement] Allow TX variable for ModSecurity @inspectFile operator.
  • [Bug Fix] Correct outdated Cloudflare IP range whitelist.
  • [Bug Fix] Address a regression in IPv6 ACL handling.
  • [Bug Fix] Address an MT race condition in mod_security engine.
  • [Bug Fix] Increase verification strictness for SSL client authentication.
  • [Bug Fix] Address issues when mod_security response body scan is enabled.
  • [Bug Fix] Address failure to enable PROXY protocol.
  • [Bug Fix] Make Node.js configuration more closely match Apache's behavior.
  • [Bug Fix] Make cPanel live site transfer work properly when WP toolkit is enabled.
  • [Bug Fix] Detect file suffixes longer than 15 characters.
  • [Misc] Adjust PHP processor auto tuning for Apache suEXEC PHP handlers.
  • [Bug Fix] Address two lsquic busy loop corner cases.
  • [Bug Fix] Address a problem with long unix domain sockets for ruby/python/node applications.

Version 6.3.1

Build 9

Released: January 30, 2025

  • [New Feature] Improve HTTP/2 implementation to block aggressive robots when under attack.
  • [New Feature] lspkgctl now supports packages for CloudLinux.
  • [Improvement] Add support for access log format "%{c}a" to log connection peer address.
  • [Bug Fix] Correct outdated Cloudflare IP range whitelist.
  • [Bug Fix] Address a regression in IPv6 ACL handling.
  • [Bug Fix] Address an MT race condition in mod_security engine.
  • [Bug Fix] Increase verification strictness for SSL client authentication.
  • [Bug Fix] Improve HTTP/3 with the latest lsquic fixes.
  • [Bug Fix] Address a few corner cases that caused random crashes.

Build 8

Released: January 8, 2025

  • [Bug Fix] Address potential double compression when mod_security response body scan is enabled.
  • [Bug Fix] Address broken ESI page cache when mod_security response body scan is enabled.
  • [Bug Fix] Address failure to enable PROXY protocol.
  • [Bug Fix] Update isa-l library to address a random crash.

Build 7

Released: December 18, 2024

  • [Bug Fix] Update lsquic to 4.1.0 to address infinite loop.
  • [Bug Fix] Address a corner case in parsing a cached page.
  • [Bug Fix] Address issues with updated LiteSpeed container control script.

Build 6

Released: December 4, 2024

  • [Bug Fix] Make Node.js configuration closely match Apache's behavior.
  • [Bug Fix] Make cPanel live site transfer work properly when WP toolkit is enabled.
  • [Bug Fix] Address hanging due to mod_security response body scanning on large response bodies.
  • [Bug Fix] Address issues with updated LiteSpeed container control script.

Build 5

Released: November 13, 2024

  • [Bug Fix] Address large response body corruption caused by mod_security response body scanning.
  • [Bug Fix] Stop mod_security helper threads before server shutdown.
  • [Bug Fix] Reduce lock contention of mod_security SHM store.

Build 4

Released: November 7, 2024

  • [Bug Fix] Address a mod_security scanning response body issue.
  • [Bug Fix] Address an IPv6 -ipmatch false positive issue.

Build 3

Released: October 25, 2024

  • [New Feature] Add environment variable "noantiddos" to selectively disable anti-DDoS detection via rewrite rule or setenvif.
  • [Bug Fix] Address a corner case that can cause random crashes.
  • [Bug Fix] Address a mod_security issue where lowercase transform failed to apply to TX variables.
  • [Bug Fix] Detect file suffixes longer than 15 characters.
  • [Misc] Adjust PHP processor auto tuning for Apache suEXEC PHP handlers.

Build 2

Released: September 27, 2024

  • [Improvement] Allow TX variable for ModSecurity @inspectFile operator.
  • [Bug Fix] Address two lsquic busy loop corner cases.
  • [Bug Fix] Address a problem with expr -ipmatch operator.
  • [Bug Fix] Address a problem with long unix domain sockets for ruby/python/node applications.

Build 1

Released: September 10, 2024

  • [Bug Fix] Update lsquic to v4.0.11 to address some corner cases.
  • [Bug Fix] Fix outdated version number.

Build 0

Released: August 28, 2024

  • [Security] Block the "litespeed_role" cookie to shield LSCWP from potential brute force attempts.
  • [New Feature] Add "no-lscache" environment variable to allow the lscache engine to be disabled at the request level.
  • [New Feature] Load trusted IPs/subnets from standalone list "$SERVER_ROOT/conf/trusted-ip-list".
  • [Bug Fix] Address compatibility issues with Ruby 3.3 applications.
  • [Bug Fix] Make RackRunner.rb compatible with Rails 7.2.
  • [Bug Fix] Minor bug fixes.

Version 6.3

Build 3

Released: August 1, 2024

  • [Bug Fix] Make RackRunner.rb compatible with Rails v7.2.
  • [Bug Fix] Address hanging ESI processing for page sizes > 1MB.

Build 2

Released: August 1, 2024

  • [Bug Fix] Address a v6.3 build 1 regression that caused random crashes.

Build 1

Released: July 11, 2024

  • [New Feature] Add "no-lscache" environment variable used to disable the lscache engine at the request level.
  • [New Feature] Load trusted IP/subnet from standalone list '$SERVER_ROOT/conf/trusted-ip-list'.
  • [Bug Fix] Address a compatibility issue with Ruby 3.3 applications.
  • [Bug Fix] Address bad auto index script path under chroot environments.

Build 0

Released: June 26, 2024

  • [New Feature] CGI/External app resource limits via cgroups.
  • [New Feature] CGI/External app file system restrictions via namespace containers.
  • [New Feature] Advanced anti-DDoS features to protect against request flooding.
  • [New Feature] Firewall controller to block detected robots at the firewall level.
  • [New Feature] Easy front end CDN (QUIC.cloud or Cloudflare) detection.
  • [Improvement] Avoid HTTP/2 stream I/O buffer bloating.
  • [Improvement] HTTP2/HTTP3 priority (RFC 9218) integration.
  • [Improvement] Drain request body to avoid browser errors in special cases.
  • [Improvement] Stop _recaptcha process after idling for 5 minutes.
  • [Bug Fix] Automatically fix apache2.service override for Plesk.
  • [Bug Fix] Address a ProxyPass corner case that resulted in redirection looping.
  • [Bug Fix] Avoid caching partial responses due to interrupted proxy connections.
  • [Bug Fix] Address rewrite rule compatibility issues with Plesk WP toolkit hotlink protection.
  • [Bug Fix] Address a corner case in multi-part POST parser.
  • [Bug Fix] Address a corner case in access logging.

Older versions