← Retour au blog
tech 16 July 2026

Forgejo v16.0: What's New in the Latest Release

Explore the enhancements in Forgejo v16.0, a lightweight, self-hosted platform for code collaboration. Learn about the major changes and how they can impact your workflow.

Article inspired by the original source
Forgejo v16.0 is available ↗ forgejo.org

Introduction

Forgejo, the self-hosted code collaboration platform, just released its version 16.0 on July 16, 2026. This update brings significant changes in security and compliance while maintaining its lightweight and user-friendly nature. If you're looking to understand how these changes can optimize your project, this article is for you.

Hardening Mirrors Against SSRF

One of the most notable updates is the hardening of mirrors against SSRF (Server-Side Request Forgery) attacks. Administrators can now precisely configure which hosts Forgejo can access via the config settings [migrations].ALLOWED_DOMAINS/LOCKED_DOMAINS/ALLOW_LOCALNETWORKS. This update addresses edge cases where these settings could be bypassed, especially during Git access over HTTP(S) where HTTP redirects were followed by default. With the new http.followRedirects=false setting, these redirects are now treated as errors, thus fortifying your development environment's security.

EXIF Stripping Removed

Another major change is the removal of the EXIF metadata stripping feature from images, initially introduced in Forgejo v13.0. Due to a licensing error, this feature relied on an AGPL-licensed library. To remain compliant, this feature has been removed until a suitable alternative is found.

Trusted Proxies Setting in Containers

Forgejo has also updated the default configuration of trusted proxies in containerized environments. Previously, REVERSE_PROXY_TRUSTED_PROXIES = * was set by default, potentially allowing an unauthorized user to access Forgejo without passing through a reverse proxy performing authentication. Now, it's recommended to explicitly set an appropriate value for this parameter to enhance security, even in a Docker environment with iptables.

Conclusion

Forgejo v16.0 is not just a routine update; it introduces essential enhancements to further secure your development process while adhering to compliance standards. If you're considering upgrading to this new version, be sure to follow the upgrade guides and back up your data. Let's discuss your project in 15 minutes to see how these updates can benefit you.

Call to Action

Let's discuss your project in 15 minutes.

Forgejo code collaboration SSRF security EXIF metadata self-hosted
Deepthix newsletter · 100% AI · every Monday 8am

An AI agent reads tech for you.

Our AI agent scans ~200 sources per week and ships the best articles to your inbox Monday 8am. Free. One click to unsubscribe.

Visit the newsletter page →

Want to automate your operations?

Let's talk about your project in 15 minutes.

Book a call