lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) makes lighttpd the perfect web server for all systems, small and large. lighttpd is released under the Open Source revised BSD license.

lighttpd wiki and documentation



October 30, 2023

Important changes

  • HTTP/2: detect and log rapid reset attack


  • lighttpd-1.4.73.tar.gz (GPG signature)
    • SHA256: 816cbec71e8d02d874f1d5c798d76d091a76d5acbeb6e017ba76aeb4263d6995
  • lighttpd-1.4.73.tar.xz (GPG signature)
    • SHA256: 818816d0b314b0aa8728a7076513435f6d5eb227f3b61323468e1f10dbe84ca8
  • SHA256 checksums
  • SHA512 checksums

Changes from 1.4.72

  • [core] add .mkv to mimetype.assign builtin defaults
  • [core] warn if out-of-range value for config short
  • [mod_openssl] set default curves for ossl < 1.1.0
  • [mod_h2] parse HEADERS flags sooner
  • [mod_h2] check send window before defer frame rd
  • [mod_h2] send GOAWAY to excessive request flood
  • [mod_h2] h2_parse_headers_frame() adjust args
  • [mod_h2] h2_recv_headers() parse trailers earlier
  • [mod_h2] send GOAWAY to excessive request flood
  • [mod_h2] discard new streams after GOAWAY sent
  • [mod_h2] h2_discard_headers() to HPACK-decode hdrs
  • [core] parse entire server.http-parseopts list
  • [mod_wstunnel] Sec-WebSocket-Protocol only if req hdr
  • [mod_h2] disable h2proto if mod_h2 was not found
  • [core] omit dlopen trace for mod_h2, mod_deflate
  • [mod_h2] defer input parsing if large output queue
  • [mod_h2] defer frame handling if stream pend close
  • [mod_h2] detect and log HTTP/2 rapid reset attack
  • [core] honor MBEDTLS_USE_PSA_CRYPTO for hash,rand
  • [mod_mbedtls] honor MBEDTLS_USE_PSA_CRYPTO for rand
  • [core] comment out li_rand_bytes() (unused)
  • [mod_mbedtls] handle mbedtls 3.x partial write
  • [mod_h2] detect and log HTTP/2 rapid reset attack
  • [mod_h2] detect and log HTTP/2 rapid reset attack
  • [mod_openssl] warn if openssl version < 3.0.0
  • [mod_openssl] include openssl/hmac.h for boringssl