Security
This release hardens the optional Web UI against three classes of attack. Recommended for everyone who runs Docksentry with WEB_UI=true — especially if the Web UI is reachable from a network you don't fully trust (or from a browser that also visits the open internet).
XSS prevention
All user-controllable values rendered into the Web UI (container/image names, history details, persisted settings, error messages) are now HTML-escaped, including in HTML attribute contexts. A malicious value in the persisted settings or in container metadata can no longer execute JavaScript in the admin's browser.
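Why "including in HTML attribute contexts" matters is easiest to see with a parser. The following is an added example in Python, not Docksentry's own template code: it contrasts a text-context escaper reused inside an attribute (the assumed shape of the bug) with context-correct escaping, and then asks Python's HTMLParser which attributes a browser-like parser would actually see. The row layout, function names and the malicious label value are all constructed for the illustration.

```python
import html
from html.parser import HTMLParser


def escape_text(value: str) -> str:
    """Escapes &, <, > only: sufficient between tags, NOT inside an attribute value."""
    return html.escape(value, quote=False)


def escape_attr(value: str) -> str:
    """Also escapes " and ' so the value can never close the attribute it sits in."""
    return html.escape(value, quote=True)


def render_row_before(label: str, image: str) -> str:
    """Flawed pattern (assumed, not Docksentry's actual template): the text-context
    escaper is reused for an attribute, so a double quote breaks out of it."""
    return (f'<tr data-label="{escape_text(label)}">'
            f'<td>{escape_text(label)}</td><td>{escape_text(image)}</td></tr>')


def render_row_after(label: str, image: str) -> str:
    """Hardened: each interpolation uses the escaper for its own context, and
    attribute values are always quoted."""
    return (f'<tr data-label="{escape_attr(label)}">'
            f'<td>{escape_text(label)}</td><td>{escape_text(image)}</td></tr>')


class _AttrCollector(HTMLParser):
    """Records every attribute name the parser sees on every start tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(fragment: str) -> list:
    """Attribute names a browser-like parser finds in the fragment."""
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return p.names


# Constructed malicious container label value (labels accept arbitrary strings).
EVIL_LABEL = 'web" onmouseover="alert(document.cookie)'
```

Run `attribute_names(render_row_before(EVIL_LABEL, "nginx:latest"))` and the parser reports an `onmouseover` attribute that the template never wrote; the hardened version yields only `data-label`, because the quote is now `&quot;` and stays part of the value.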
SSRF mitigation for webhook URLs
The Web UI now rejects webhook URLs that point to:
- Cloud metadata endpoints (169.254.169.254, metadata.google.internal, metadata.goog, fd00:ec2::254)
- Other link-local addresses
- Non-http(s) schemes (file://, gopher://, javascript:, ftp://, …)
Discord webhooks are additionally restricted to official Discord hosts. Private/LAN addresses (RFC1918 ranges, localhost) remain allowed so self-hosted Ntfy / Gotify / Home Assistant setups keep working.
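A validator that enforces the rules listed above, written in Python as an added example (it is not Docksentry's implementation, whose language and internals the note does not show). It goes one step beyond the list: IP literals are compared as addresses rather than strings, so zero-padded IPv6 spellings and IPv4-mapped IPv6 forms of the metadata address are caught too. The set of "official Discord hosts" is an assumption, as are all function names.

```python
import ipaddress
from urllib.parse import urlsplit

# Deny-list from the release note. DISCORD_HOSTS is an assumption.
ALLOWED_SCHEMES = {"http", "https"}
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata.goog"}
METADATA_IPS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
DISCORD_HOSTS = {"discord.com", "discordapp.com"}


class WebhookUrlError(ValueError):
    """Raised with a human-readable reason when a webhook URL is refused."""


def _as_ip(host: str):
    """IP literal denoted by host, or None for a DNS name. IPv4-mapped IPv6
    (::ffff:a.b.c.d) is unwrapped so the IPv4 rules apply to it as well."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def validate_webhook_url(url: str, *, discord: bool = False) -> str:
    """Return the (stripped) URL if it passes, else raise WebhookUrlError."""
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise WebhookUrlError(f"scheme {scheme or '(none)'!r} is not http(s)")
    # .hostname is lower-cased and has IPv6 brackets removed already
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise WebhookUrlError("URL has no host")
    if host in METADATA_HOSTNAMES:
        raise WebhookUrlError(f"{host} is a cloud metadata endpoint")
    ip = _as_ip(host)
    if ip is not None:
        if ip in METADATA_IPS:
            raise WebhookUrlError(f"{ip} is a cloud metadata endpoint")
        if ip.is_link_local:  # 169.254.0.0/16 and fe80::/10
            raise WebhookUrlError(f"{ip} is link-local")
        # RFC1918 and loopback deliberately pass: self-hosted Ntfy/Gotify/HA.
    if discord and host not in DISCORD_HOSTS:
        raise WebhookUrlError("Discord webhooks must point at an official Discord host")
    return url


def is_allowed_webhook(url: str, *, discord: bool = False) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_webhook_url(url, discord=discord)
    except WebhookUrlError:
        return False
    return True
```

One caveat: this is a check on the URL string only. A DNS name that resolves to 169.254.169.254 passes it, and the note does not say whether Docksentry also checks resolved addresses; if that matters in your deployment, resolve the host and run the same address rules on every returned IP before connecting.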
CSRF protection
Every POST to the Web UI is verified via the Origin header (with Referer fallback). A forged cross-origin POST, which the browser would otherwise send with the admin's cached Basic Auth credentials attached, is rejected with HTTP 403. No CSRF tokens are needed because Docksentry uses stateless Basic Auth and keeps no session state to bind a token to.
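The check described above, as an added Python example rather than Docksentry's own handler code. It compares the (scheme, host, port) of the Origin header, or of the Referer when Origin is absent, against the origin the server expects from its Host header, with default ports filled in so `http://host` and `http://host:80` agree. Two choices are the example's own, since the note does not state them: requests with neither header, or with the opaque Origin value `null`, are rejected, and the check is applied to all state-changing methods rather than POST alone.

```python
from urllib.parse import urlsplit

# The note says "every POST"; the other methods are this example's extension.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfRejected(Exception):
    """The handler maps this to HTTP 403."""


def _origin_tuple(url: str):
    """(scheme, host, port) of an absolute http(s) URL, default port filled in.
    None for anything that is not such a URL."""
    try:
        p = urlsplit(url)
        port = p.port  # raises ValueError for out-of-range ports
    except ValueError:
        return None
    scheme = p.scheme.lower()
    if scheme not in ("http", "https") or not p.hostname:
        return None
    return (scheme, p.hostname, port or (443 if scheme == "https" else 80))


def check_origin(method: str, headers: dict, request_scheme: str) -> bool:
    """Return True when the request may proceed, raise CsrfRejected otherwise.

    headers: request headers, looked up case-insensitively here.
    request_scheme: 'http' or 'https' as the browser sees it (assumption: the
    caller knows the externally visible scheme, e.g. from config).
    """
    if method.upper() not in STATE_CHANGING:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    if "host" not in h:
        raise CsrfRejected("missing Host header")
    expected = _origin_tuple(f"{request_scheme}://{h['host']}")
    if expected is None:
        raise CsrfRejected("unparseable Host header")

    origin = h.get("origin")
    if origin is not None:
        # Browsers send "null" for opaque origins (sandboxed frames, file:, data:)
        if origin.strip().lower() == "null":
            raise CsrfRejected("opaque Origin")
        claimed, source = _origin_tuple(origin.strip()), "Origin"
    else:
        referer = h.get("referer")
        if referer is None:
            raise CsrfRejected("neither Origin nor Referer present")
        claimed, source = _origin_tuple(referer.strip()), "Referer"

    if claimed != expected:
        raise CsrfRejected(f"{source} {claimed} does not match {expected}")
    return True


def is_allowed(method: str, headers: dict, request_scheme: str = "http") -> bool:
    """Boolean wrapper: True to proceed, False where the handler would send 403."""
    try:
        return check_origin(method, headers, request_scheme)
    except CsrfRejected:
        return False
```

If TLS is terminated by a reverse proxy in front of the Web UI, the browser's Origin will say https while the backend socket is plain http; derive `request_scheme` from the configured external URL or a forwarded-proto header you trust, or every legitimate POST will be refused.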
Upgrade
```shell
docker pull amayer1983/docksentry:latest
docker compose up -d
```

No configuration changes required. If you try to set a webhook URL pointing at a cloud metadata endpoint or using a non-http(s) scheme, the Web UI will now refuse to save it (intended behaviour).