Security
- Disallow the media proxy from fetching resources on private networks to mitigate potential SSRF issues. This behavior is configurable at the instance level.
- Disallow fetching feed icons from private networks to reduce the SSRF attack surface. This is also configurable at the instance level.
- Add the
TRUSTED_REVERSE_PROXY_NETWORKSconfiguration option to prevent spoofing of HTTP headers such asX-Forwarded-For,X-Forwarded-Proto, andX-Real-Ip. This option must be configured whenAUTH_PROXY_HEADERis enabled. - Stop logging generated Google Reader API tokens, even when debug mode is enabled.
- Remove the CORS handler from the Google Reader API, as it is not intended to be used by web clients, reducing the overall attack surface.
Performance and Storage
- Avoid indexing the content of removed entries, significantly reducing database index size after cleanup.
- Minor storage and database refactoring to simplify code paths and reduce unnecessary formatting overhead.
API and Integrations
- Add a new API endpoint to import entries into an existing feed.
- Execute the content sanitizer when updating or importing entries through the API to ensure consistent sanitization.
- Improve Google Reader API compatibility by removing unnecessary output parameter checks and aligning behavior with other open-source RSS readers.
- Add an auto-push option to the Readeck integration.
User Interface
- Add smooth page transitions for a more polished navigation experience.
- Add a route to view individual starred entries directly from a category’s starred list.
- Add a link to the GitHub contributors page in templates.
- Update all translations.
Documentation and Tooling
- Improve consistency and fix typos in the
miniflux(1)manual page. - Remove the obsolete
versionkey from Docker Compose examples. - Update the Go devcontainer image to
go:1-trixie. - Update the Distroless container base image to Debian 13.
- Update GitHub Actions dependencies.
As always, thank you to all contributors who helped improve Miniflux in this release.