Cowboy 2.11.0 has been released!

Cowboy 2.11 contains a variety of new features and bug fixes. Nearly all previously experimental features are now marked as stable, including Websocket over HTTP/2.

Cowboy 2.11 addresses the HTTP/2 CVE CVE-2023-44487, the rapid reset vulnerability, which attackers can use in denial of services attacks. Cowboy adds a new HTTP/2 option max_cancel_stream_rate to control for this behavior.

Cowboy 2.11 requires Erlang/OTP 24.0 or greater. It is tested and supported on Linux, macOS and Windows.

Cowboy is now using GitHub Actions for CI. The main reason for the move is to reduce costs by no longer having to self-host CI runners. The downside is that GitHub runners are less reliable and timing dependent tests are now more likely to fail. Another consequence following the move is that FreeBSD is no longer tested. This may be reevaluated in the future.

A complete list of changes can be found in the migration guide: Migrating from Cowboy 2.10 to 2.11.

You can donate to this project via GitHub Sponsors.

As usual, feedback is appreciated, and issues or questions should be sent via Github tickets or discussions. Thanks!