Forgejo v16.0: SSRF Protection, EXIF Stripping Removed, Granular Repository Notifications

Forgejo v16.0 has been released. The new version of the self-hosted open-source Git platform, released on 16 July 2026, brings several security improvements, removes a previously introduced feature due to licensing issues, and expands notification options.

This article covers some of the most important changes. A complete list of changes is available in the official release notes.

Breaking Changes

Hardening Mirrors Against SSRF

Administrators can control which hosts Forgejo is allowed to access for Git mirroring through the configuration options [migrations].ALLOWED_DOMAINS, [migrations].LOCKED_DOMAINS, and [migrations].ALLOW_LOCALNETWORKS.

Previously, there were some edge cases where these restrictions were not effective. Several of these cases have been fixed in this release.

One of these cases involved HTTP(S) access to repositories. Git automatically followed HTTP redirects, which could bypass the configured domain restrictions.

Starting with Forgejo v16.0, http.followRedirects=false is set to prevent Git from automatically following these redirects.

Mirrors pointing to remote Forgejo repositories that have been renamed or transferred to another owner will now result in errors. These mirrors must be manually updated to the new repository location.

EXIF Stripping Removed

Forgejo v13.0 introduced the ability to remove EXIF metadata from images uploaded as user avatars.

However, a licensing mistake was made and Forgejo relied on an AGPL-licensed library for this functionality. To ensure license compliance, this feature has now been removed.

The Forgejo team is currently looking into alternative solutions.

Trusted Proxies in Containers

Forgejo containers previously used the following default setting:

REVERSE_PROXY_TRUSTED_PROXIES = *

This default has been changed because it could create a security risk under certain configurations.

If ENABLE_REVERSE_PROXY_AUTHENTICATION=true was enabled and the Forgejo port was directly accessible from untrusted networks, an unauthorized user could use the X-WebAuth-User HTTP header to impersonate any user.

This only affects specific configurations. Users running Forgejo in containers with reverse proxy authentication enabled must now explicitly configure [security].REVERSE_PROXY_TRUSTED_PROXIES.

Example:

FORGEJO__security__REVERSE_PROXY_TRUSTED_PROXIES=127.0.0.0/8,::1/128,172.16.X.X/X

or in app.ini:

[security]
REVERSE_PROXY_TRUSTED_PROXIES=127.0.0.0/8,::1/128,172.16.X.X/X

New Features

Granular Repository Watch Settings

Forgejo v16.0 significantly improves repository notification management.

Previously, users could only fully watch or ignore a repository. Users can now choose which parts of a repository they want to receive notifications for.

The current categories are:

The new notification system also provides a foundation for more detailed controls in future versions.

More Improvements

Besides the new watch settings, Forgejo v16.0 includes several smaller improvements:

Upgrade Notes

Forgejo recommends creating a complete backup of the instance before upgrading. The breaking changes mainly affect:

LTS: v15.0.5

At the same time, Forgejo v15.0.5 was released as an LTS version. It will continue to receive support until July 2027.

Conclusion

Forgejo v16.0 focuses mainly on security improvements and giving users and administrators more control.

The hardened mirror rules improve protection against SSRF attacks, while the new notification options make daily usage more flexible. The release also includes many smaller improvements that will be especially useful for larger Forgejo installations.