lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) makes lighttpd the perfect web server for all systems, small and large. lighttpd is released under the Open Source revised BSD license.

April 12, 2024

Important changes

detect VU#421644 HTTP/2 CONTINUATION Flood, avoid CVE-2024-3094 xz supply chain attack, bug fixes

  • detect VU#421644 HTTP/2 CONTINUATION Flood
    • issue trace and send GO_AWAY
    • (lighttpd not vulnerable to attack)
  • avoid CVE-2024-3094 xz supply chain attack
    • use ‘git archive’ to replace ‘make dist’ to create release tarballs
      • remove excess complexity (m4 and autotools) from release process
      • now more easily verifiable that sources come from signed git release tag
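
The CONTINUATION flood detection named in the first item above, sketched as an added example that is not lighttpd's code: the receiver counts CONTINUATION frames and payload bytes in an unfinished header block and returns a verdict that the caller turns into a trace and GOAWAY. The limits and all type and function names are assumptions chosen for illustration; frame constants are from RFC 9113.

```c
#include <stddef.h>
#include <stdint.h>

enum { H2_HEADERS = 0x1, H2_CONTINUATION = 0x9, H2_END_HEADERS = 0x4, H2_HDR_LEN = 9 };
enum { MAX_CONT = 8, MAX_BYTES = 65536 }; /* assumed limits, not lighttpd's values */
typedef enum { H2_OK, H2_PROTOCOL_ERROR, H2_CONT_FLOOD } h2_verdict;
typedef struct {
    uint32_t stream;      /* stream with an unfinished header block, 0 if none */
    uint32_t cont_frames; /* CONTINUATION frames seen in that block */
    size_t   block_bytes; /* frame payload bytes accumulated for that block */
} h2_hdr_state;

/* Inspect the whole frames in buf; a trailing partial frame is left for the next
 * call. Any verdict other than H2_OK means: log a trace, send GOAWAY, close. */
h2_verdict h2_inspect(h2_hdr_state *st, const uint8_t *buf, size_t len) {
    for (size_t off = 0; len - off >= H2_HDR_LEN; ) {
        const uint8_t *p = buf + off;
        size_t flen = ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
        uint8_t type = p[3], flags = p[4];
        uint32_t sid = ((uint32_t)(p[5] & 0x7f) << 24) | ((uint32_t)p[6] << 16)
                     | ((uint32_t)p[7] << 8) | p[8];
        if (len - off - H2_HDR_LEN < flen) break;   /* payload not fully received */
        off += H2_HDR_LEN + flen;
        if (st->stream) {   /* open block: only CONTINUATION on the same stream */
            if (type != H2_CONTINUATION || sid != st->stream) return H2_PROTOCOL_ERROR;
            if (++st->cont_frames > MAX_CONT || (st->block_bytes += flen) > MAX_BYTES) return H2_CONT_FLOOD;
        } else if (type == H2_HEADERS && sid != 0) {
            st->stream = sid; st->cont_frames = 0; st->block_bytes = flen;
        } else if (type == H2_HEADERS || type == H2_CONTINUATION) {
            return H2_PROTOCOL_ERROR;   /* HEADERS on stream 0, or stray CONTINUATION */
        } else continue;                /* other frame types are out of scope here */
        if (flags & H2_END_HEADERS) st->stream = 0; /* header block complete */
    }
    return H2_OK;
}

/* Constructed sample: HEADERS on stream 1, then n_cont empty CONTINUATION frames; `end` sets END_HEADERS on the last. */
h2_verdict sample_verdict(unsigned n_cont, int end) {
    uint8_t buf[H2_HDR_LEN * 65] = {0};
    h2_hdr_state st = {0, 0, 0};
    if (n_cont > 64) n_cont = 64;       /* keep the sample inside buf */
    for (unsigned i = 0; i <= n_cont; i++) {
        uint8_t *f = buf + i * H2_HDR_LEN;
        f[3] = i ? H2_CONTINUATION : H2_HEADERS;
        f[4] = (end && i == n_cont) ? H2_END_HEADERS : 0;
        f[8] = 1;                       /* stream id 1 */
    }
    return h2_inspect(&st, buf, (size_t)(n_cont + 1) * H2_HDR_LEN);
}
```

Keeping `h2_hdr_state` per connection lets the count survive across reads, so a block spread over many small reads is still caught.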


  • lighttpd TLS defaults will change to MinProtocol TLSv1.3. Other configurations will still be supported, but will not be the default.
    • Proposed default: MinProtocol TLSv1.3
    • Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404 (historical error: server.error-handler-404 operated on both 404 and 403).
    • Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses.
    • Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high-performance mechanism to produce dynamic error pages.


Changes from 1.4.75

  • [core] add default to builtin mimetype.assign
  • [core] add MPTCP support
  • [core] disable MPTCP support by default
  • [mod_expire] omit caching hdrs for 204 No Content
  • [mod_staticfile] noinline cold func
  • [core] GNU/Hurd preadv2() RWF_NOWAIT ENOTSUP
  • [core] special value for Linux POLLRDHUP on SPARC
  • [mod_openssl] define asn1 time w/ OPENSSL_NO_OCSP
  • [h2] VU#421644 HTTP/2 CONTINUATION Flood
  • [build] git archive; replace make dist
  • [core] gw_network_backend_write_error() cold func
  • [core] reduce syscalls in some backend connect
  • [core] defer TCP_FIN propagate if connect()ing (fixes #3249)
  • [ci] workaround some packaging issues in NetBSD 10