- The Allowed Cross Origins option is renamed to Allowed Origins and performs additional checks on the server side when configured.
- The external visible URL is also sent as allowed origin using the CORS header
- Connections to the server (HTTP/HTTPS as well as WS/WSS) are also checked against the list of allowed origins and the external visible URL
Web Server (Active)
The following information is derived from the plugin description.
Provides the webserver implementation for standalone installation of the server.
Configuring the webserver includes setting up ports for HTTP and HTTPS connections, encryption and additional custom HTTP headers. Custom SSL certificates can be created for testing purposes. Let's Encrypt is included in the configuration for production use to obtain globally valid certificates for servers that are publicly available.
A Task Planner task renews the Let's Encrypt certificates and checks user-defined certificates for changes (e.g. when they have been updated).
This plugin embeds the Jetty webserver and should not be used in third-party webserver implementations like Tomcat, JBoss etc.
Migration Information
Changelog Information
- Allow SSL certificates to be uploaded to the server in the Configuration application
- Added a Web API to also upload and reload SSL certificates.
- Added a backup and restore job for SSL certificates to the maintenance application
- Here, it does not matter which type of certificate is currently configured - all types with certificates available will be backed up and can be restored.
Fixed Bugs
- If Let's Encrypt was not available, two certificate sections were displayed, one for the upload and one for the fixed file.
Security Fixes
- Security Update for CVE-2025-1948
- In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE.
- The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
- Security Update for CVE-2025-8671
- A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection.
- Updated the Bouncy Castle encryption library to the FIPS-certified edition. FIPS certification ensures cryptographic modules meet rigorous security standards, enhancing security and trust.
- The option "Redirect all HTTP requests to HTTPS" is now possible for any port.
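The two Jetty advisories above (CVE-2025-1948 and CVE-2025-8671) share a root cause: a value or state the client controls was allowed to drive how much memory or how many streams the server commits. The following Python block is an added illustration of the server-side guards, not code from the plugin or from Jetty; the cap value LOCAL_HEADER_LIST_CAP and the stream-limit model are assumptions chosen for the example.

```python
"""Server-side guards against the two HTTP/2 resource-exhaustion issues above.

Added illustration in Python, not Jetty's code: (1) a SETTINGS frame parser
that caps SETTINGS_MAX_HEADER_LIST_SIZE before it is used to size a buffer,
and (2) per-connection stream accounting that keeps counting a stream the
server has reset until its backend processing has really finished.
"""
import struct
from typing import Dict

# Setting identifiers from RFC 9113, section 6.5.2.
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

# Local policy cap for response header encoding buffers (assumed value,
# not a protocol constant): the peer's advertised limit may never exceed it.
LOCAL_HEADER_LIST_CAP = 64 * 1024


def parse_settings_frame(payload: bytes) -> Dict[int, int]:
    """Decode a SETTINGS payload: repeated 16-bit identifier + 32-bit value."""
    if len(payload) % 6 != 0:
        # RFC 9113: a SETTINGS frame of invalid length is a FRAME_SIZE_ERROR.
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    settings: Dict[int, int] = {}
    for offset in range(0, len(payload), 6):
        ident, value = struct.unpack_from("!HI", payload, offset)
        settings[ident] = value  # unknown identifiers are kept and ignored
    return settings


def header_encoder_capacity(settings: Dict[int, int]) -> int:
    """Size of the buffer used to encode a response header block.

    The peer's SETTINGS_MAX_HEADER_LIST_SIZE is advisory (it says what the
    peer will accept); it must not dictate how much memory this server
    allocates, so the value is clamped to the local cap.
    """
    advertised = settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, LOCAL_HEADER_LIST_CAP)
    return min(advertised, LOCAL_HEADER_LIST_CAP)


class StreamTracker:
    """Counts every stream that still consumes server resources on one connection.

    A stream the server has reset is closed at the protocol level, but its
    handler may still be running; counting it as 'draining' keeps the
    concurrency limit honest instead of leaving it unbounded.
    """

    def __init__(self, max_concurrent: int) -> None:
        self.max_concurrent = max_concurrent
        self.open: set = set()      # open at the protocol level
        self.draining: set = set()  # reset by the server, backend still busy

    def active(self) -> int:
        return len(self.open) + len(self.draining)

    def open_stream(self, stream_id: int) -> bool:
        """Admit a new stream only when the real load is under the limit."""
        if self.active() >= self.max_concurrent:
            return False
        self.open.add(stream_id)
        return True

    def server_reset(self, stream_id: int) -> None:
        """RST_STREAM sent by the server: protocol-closed, resources not yet freed."""
        if stream_id in self.open:
            self.open.remove(stream_id)
            self.draining.add(stream_id)

    def backend_finished(self, stream_id: int) -> None:
        """The handler for the stream has returned; now it is truly gone."""
        self.open.discard(stream_id)
        self.draining.discard(stream_id)


def admitted_under_reset_churn(max_concurrent: int, attempts: int) -> int:
    """Model a connection whose streams are reset by the server right after
    being opened while their handlers keep running; returns how many streams
    the tracker admitted. With honest accounting this never exceeds the limit."""
    tracker = StreamTracker(max_concurrent)
    admitted = 0
    for n in range(attempts):
        stream_id = 2 * n + 1  # client-initiated streams use odd identifiers
        if tracker.open_stream(stream_id):
            admitted += 1
            tracker.server_reset(stream_id)  # backend_finished is never called
    return admitted


if __name__ == "__main__":
    # Constructed frame: a peer advertising the maximum 32-bit value.
    hostile = struct.pack("!HI", SETTINGS_MAX_HEADER_LIST_SIZE, 0xFFFFFFFF)
    print("encoder capacity:", header_encoder_capacity(parse_settings_frame(hostile)))
    print("admitted streams:", admitted_under_reset_churn(max_concurrent=100, attempts=10_000))
```

The design point in both halves is the same: a client-supplied number (a settings value, or the count of protocol-open streams) is treated as input to be bounded by local policy, never as the size of something the server allocates or as the only measure of load. Jetty's actual fixes apply the same idea inside its HTTP/2 implementation; this block only models it.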
Security Fixes
- Security Update for CVE-2025-8671
- A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection.
- Added an option in the security section of the webserver configuration to control embedding of the application using X-Frame-Options.
Security Fixes
- Security Update for CVE-2023-44487
- The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- Added placeholders for start and expiration date of the HTTPS certificate that is currently being used. The placeholders can then be used in Task Planner actions.
- Changed Jetty server from version 9.4.x to 10.0.x.
- Added support for HTTP/2 protocol.
- Allowed Cross Origins is now called Allowed Origins
Security Fixes
- If Allowed Origins is set, it will send CORS headers that also include the external visible URL.
- The server now checks that it is addressed using one of the given values from either the external visible URL or the Allowed Origins
- The server checks HTTP/HTTPS as well as WS/WSS connections
- An optional web context of the web server can be set if the server should not run in the root context.
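The Allowed Origins behaviour described at the top of this page and in the entries above (the external visible URL joining the allow-list, the Host check, and the same check applied to HTTP(S) and WebSocket connections) can be modelled in a few functions. The Python block below is an added illustration written for this page, not the plugin's Jetty code; how origins are normalised, the mapping of ws/wss onto http/https, and the PermissionError signalling are assumptions of the example.

```python
"""Origin and Host checks for HTTP(S) and WebSocket (WS(S)) requests.

Added illustration in Python, not the plugin's Jetty code: the configured
Allowed Origins and the external visible URL form one allow-list; every
request must address the server by one of those hosts, and a browser
Origin must be on the list before CORS headers are echoed back.
"""
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# The WebSocket handshake carries an http(s) Origin, so ws/wss map onto them.
SCHEME_ALIASES = {"ws": "http", "wss": "https"}


def normalize_origin(value: str) -> Optional[str]:
    """Reduce a URL or Origin header to scheme://host[:port].

    Lowercases scheme and host, drops path/query and default ports, and
    returns None for anything that is not a proper origin ("null", garbage,
    unsupported schemes), which therefore can never match the allow-list.
    """
    parts = urlsplit(value.strip())
    scheme = SCHEME_ALIASES.get(parts.scheme.lower(), parts.scheme.lower())
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def build_allow_list(allowed_origins: Iterable[str], external_url: str) -> Set[str]:
    """Allowed Origins plus the origin of the external visible URL."""
    candidates = [normalize_origin(o) for o in allowed_origins]
    candidates.append(normalize_origin(external_url))
    return {o for o in candidates if o is not None}


def check_request(headers: Dict[str, str], scheme: str, allowed: Set[str]) -> Dict[str, str]:
    """Validate how the server is addressed and where the request came from.

    `scheme` is the scheme the connection actually uses (http, https, ws, wss).
    Returns the CORS headers to add to the response; raises PermissionError
    when either the Host or the Origin is not on the allow-list.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    host = hdr.get("host")
    if host is None or normalize_origin(f"{scheme}://{host}") not in allowed:
        raise PermissionError(f"server addressed via unknown host: {host!r}")
    origin = hdr.get("origin")
    if origin is None:
        return {}  # no Origin: not a cross-site browser request, nothing to add
    if normalize_origin(origin) not in allowed:
        raise PermissionError(f"origin not allowed: {origin!r}")
    # Echo the one matching origin (never '*') and tell caches the answer varies.
    return {"Access-Control-Allow-Origin": origin.strip(), "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed configuration: two Allowed Origins plus the external visible URL.
    allow = build_allow_list(["https://portal.example.com"], "https://app.example.com/ui/")
    print(check_request({"Host": "app.example.com", "Origin": "https://portal.example.com"}, "https", allow))
```

Two details matter for the check to be meaningful: the comparison is done on normalised origins, so "https://portal.example.com.attacker.test" and "http://portal.example.com" do not match "https://portal.example.com" by prefix or by scheme confusion, and the response echoes the single matching origin rather than a wildcard, so credentials-bearing responses are never exposed to arbitrary sites.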
