Nginx 1.29.8 and FreeNginx Released With Critical Security Updates
Nginx 1.29.8 and the parallel FreeNginx project have issued critical security updates. This release makes immediate infrastructure updates a top priority for web server administrators.
Released on April 7, 2026, these new versions introduce essential security features, enhanced cryptographic compatibility, and crucial bug fixes designed to ensure robust server performance and defend against modern cyber threats.
FreeNginx, the fork created by core developer Maxim Dounin, continues to mirror these essential updates, ensuring users across both web server ecosystems remain protected.
One of the most significant upgrades in the 1.29.8 release is the introduction of support for OpenSSL 4.0.
As cryptographic standards rapidly evolve to counter sophisticated threat actors, maintaining compatibility with the latest OpenSSL frameworks is vital for securing data in transit.
This integration allows administrators to leverage advanced encryption protocols, ensuring that sensitive web traffic remains protected against modern interception techniques and newly discovered cryptographic vulnerabilities.
New Security Controls and Directives
To further harden web servers against HTTP-based attacks, Nginx 1.29.8 introduces the new “max_headers” directive.
Developed with contributions from Maxim Dounin, this feature allows administrators to strictly limit the maximum number of HTTP headers accepted in a client request.
By restricting header counts, servers can effectively mitigate resource exhaustion attacks and prevent buffer overflow vulnerabilities, which denial-of-service threat actors often exploit.
Additionally, the “include” directive within the “geo” block now supports wildcards.
This quality-of-life improvement allows administrators to manage complex geolocation-based access control lists more efficiently, streamlining security configurations and IP blocking across large-scale server deployments.
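The two directives described above, shown together in an added configuration example that is not taken from the nginx or FreeNginx release notes. The limit of 100, the /etc/nginx/geo.d/ path, the $blocked_client variable name, the server details and the placement of max_headers in the http context are assumptions.

```nginx
# Added example: values, names and paths are illustrative assumptions.
events {}

http {
    # Cap the number of header fields accepted in one client request.
    # 100 is an assumed value; size it from what legitimate clients
    # (browsers, API consumers, upstream proxies) actually send.
    max_headers 100;

    # Classify clients by source address. Every file matched by the
    # wildcard holds ordinary geo entries, one per line, for example:
    #     192.0.2.0/24  1;      # constructed documentation range
    # Splitting the list across files lets each feed or team own its own
    # file without editing the main configuration.
    geo $blocked_client {
        default 0;
        include /etc/nginx/geo.d/*.conf;   # hypothetical directory
    }

    server {
        listen 80;
        server_name example.com;           # placeholder host name

        # Refuse requests from any range listed in the included files.
        if ($blocked_client) {
            return 403;
        }

        location / {
            root /var/www/html;
        }
    }
}
```

Run nginx -t against the edited configuration before reloading, so a syntax error in one of the included geo files is caught before it reaches production.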
Beyond security enhancements, the update resolves specific processing errors that could negatively impact server stability.
Developers addressed a bug related to the processing of HTTP 103 (Early Hints) responses when routed from a proxied backend.
Fixing this ensures that browsers receive pre-load instructions smoothly without disrupting connection handling.
The release also fixes an internal routing issue in which the $request_port and $is_request_port variables were previously unavailable in subrequests.
Resolving this ensures that internal server routing and logging mechanisms function accurately, which is a critical component for incident response teams monitoring server traffic.
Cybersecurity experts strongly advise system administrators who rely on Nginx or FreeNginx to immediately apply the 1.29.8 update to reduce their attack surface and secure their web infrastructure.