Forgejo v16.0: Granular Watching, Better Reviews, Safer Integrations

janilowski1 pts0 comments

Forgejo v16.0 is available — Forgejo

Forgejo version 16.0 was released on 16 July 2026. Forgejo is a lightweight, community-developed, self-hosted platform for code collaboration.

This article contains a selection of the changes that were introduced. A complete list of changes is available in the release notes.

A dedicated test instance is available to try it out. Before upgrading, it is strongly recommended to make a full backup as explained in the upgrade guide and carefully read all breaking changes from the release notes.<br>If in doubt, do not hesitate to ask for help in the chat room.

Breaking changes

Hardening mirrors against SSRF

Administrators can determine which hosts can be accessed by Forgejo for Git mirroring via the config settings [migrations].ALLOWED_DOMAINS/LOCKED_DOMAINS/ALLOW_LOCALNETWORKS. However, there were edge cases where these settings were ineffective. Multiple of such cases were were fixed in this version.

One of these edge cases was involving Git accessing a repository over HTTP(S), where Git would follow HTTP redirects, allowing a violation of the mentioned config settings. The Git option http.followRedirects=false is now set to prevent Git from following these redirects.

Mirroring involving remote Forgejo repositories that have been renamed or transferred to a new owner will trigger redirects that will now be treated as errors. These mirrors must be updated to the new repository location.

EXIF Stripping Removed

Forgejo v13.0 added the capability to remove EXIF metadata from images that are uploaded in a user’s avatar. Unfortunately, a licensing mistake was made and Forgejo relied on an AGPL-licensed library to accomplish this work. While other options are being pursued, Forgejo has removed this capability to bring us into license compliance.

Trusted proxies setting in containers

Forgejo containers had REVERSE_PROXY_TRUSTED_PROXIES = * configured by default. In the event that the Forgejo sysadmin set the container environment variable FORGEJO__service__ENABLE_REVERSE_PROXY_AUTHENTICATION to the value true, and an unauthorized user could access Forgejo without traversing a reverse proxy performing authentication, then an unauthorized user could use the X-WebAuth-User HTTP header to impersonate any user.

While this is an unlikely set of configuration settings, it seems more prudent for the Forgejo to require a sysadmin to choose an appropriate value for REVERSE_PROXY_TRUSTED_PROXIES. Even in a containerized environment, this value can be used safely and set to reasonable values if firewall-level networking is in use (eg. using Docker with iptables), which is the common default for Docker installations in 2026.

If you’re upgrading to Forgejo v16, and:

using a containerized deployment (e.g. Docker or Podman)

and have [service].ENABLE_REVERSE_PROXY_AUTHENTICATION configuration option set to true

and have not overridden the [security].REVERSE_PROXY_TRUSTED_PROXIES configuration option, which is set to * by default in container images

and Forgejo web port (:3000 by default) is exposed to untrusted networks, allowing to bypass the reverse proxy

then Forgejo will no longer obey your reverse proxy configuration. You must set the [security].REVERSE_PROXY_TRUSTED_PROXIES setting to an appropriate list of addresses where your trusted reverse-proxy traffic will originate; for example:

with environment variable:<br>FORGEJO__security__REVERSE_PROXY_TRUSTED_PROXIES=127.0.0.0/8,::1/128,172.16.X.X/X

or in the app.ini configuration file<br>[security]<br>...<br>REVERSE_PROXY_TRUSTED_PROXIES=127.0.0.0/8,::1/128,172.16.X.X/X<br>...

New features

Granular repository watch settings

Forgejo makes major strides towards improving its notifications.<br>Now users may select what parts of a repo to receive notifications from!<br>For now there are three categories: Issues, Pull requests and Releases.<br>However, a reworked notification backend paves the way for further granularity.<br>Forgejo wants to put users in control of their notifications without overwhelming them in options.<br>If you have ideas or opinions on how that control should work, join the discussion in the issues.

Repository migration progress

The repository migration screen now shows the progress of migrations. It provides the progress of migrated issues and pull requests from the source in batches. This allows to verify that long-running migrations are not stuck.

Default batch size is 45, which is a minimum amount of items for progress to be displayed.

Downsized avatar variants

Two downscaled avatar variants are now generated and served instead of the large primary one in all places where full size isn’t required, decreasing bandwidth usage and improving loading speeds.

Easier way to add team members

Adding members to organizations became easier thanks to a dialog reachable directly on the list of organization members. This dialog also lets you add the new member to multiple teams of your organization in one go.

Consistency check of incoming...

forgejo from settings repository user reverse_proxy_trusted_proxies

Related Articles