Releases: lspm-pkg/HTTPshell.py

Release v1.0.2

10 Mar 12:16
ceb7d08

This release only contains security improvements.

Security:

  • Added TLS certificate fingerprint verification (TOFU) to detect potential MITM attacks.

Release v1.0.1

27 Feb 01:56
99957bd

This release only contains stability improvements, plus support for Cloudflare tunnels and non-RSA-based SSL certificates with proper remote TTY sizing.

Release v1.0.0

26 Feb 05:58
6cdd46c

First release. Major security, architecture, and operational overhaul from 0.10 alpha. This release transitions HTTPShell from experimental prototype into productionish‑grade secure remote access software.

Added

  • Automatic reverse proxy with Caddy for backend isolation
  • Persistent server logging with daily rotation and 7-day retention
  • Idle session timeout and automatic cleanup of stale sessions
  • Global authentication throttling to prevent brute force attacks
  • Replay attack protection with bounded nonce history
  • Proper systemd service installation and restart handling
  • Replaced Ed25519/AES session keys with X25519 ephemeral key exchange and RSA-OAEP authentication
  • Backend now isolated behind Caddy instead of exposing uvicorn directly
  • Session handling redesigned with bounded queues, timeout enforcement, and safer concurrency
  • Installation and filesystem layout standardized (/etc/httpshell/httpshell.py, certs, logs, caddy files)

Removed

  • Legacy config.txt and dualstack mode
  • Manual fingerprint trust system and client trust database
  • Direct public exposure of uvicorn

Security Improvements

  • Forward secrecy key exchange for sessions
  • Replay protection and authentication throttling
  • Audit logging and session expiration
  • Backend isolation through reverse proxy
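
The "Replay attack protection with bounded nonce history" item above, sketched as an added example (not HTTPShell's own code): a bounded nonce store is only safe when paired with a timestamp freshness window, so that a nonce dropped from the history is already too old to be accepted. The class name, the 30-second window, the 4096-entry cap and the fail-closed `"busy"` result are assumptions made for illustration.

```python
import time
from collections import OrderedDict


class ReplayGuard:
    """Reject repeated or stale (nonce, timestamp) pairs in bounded memory.

    Hypothetical helper, not HTTPShell code. Call check() only after the
    message's MAC or signature (covering nonce and timestamp) has verified.
    """

    def __init__(self, max_entries=4096, window_seconds=30.0, clock=time.time):
        self.max_entries = max_entries  # hard cap on remembered nonces
        self.window = window_seconds    # accepted message age / clock skew
        self.clock = clock              # injectable so tests can move time
        self._seen = OrderedDict()      # nonce -> expiry, oldest first

    def _purge(self, now):
        # Forget nonces whose messages can no longer pass the freshness check.
        while self._seen:
            nonce = next(iter(self._seen))
            if self._seen[nonce] >= now:
                break
            del self._seen[nonce]

    def check(self, nonce: bytes, timestamp: float) -> str:
        now = self.clock()
        if abs(now - timestamp) > self.window:
            return "stale"   # outside the window: rejected without any lookup
        self._purge(now)
        if nonce in self._seen:
            return "replay"
        if len(self._seen) >= self.max_entries:
            # Fail closed. Evicting a still-fresh nonce to make room would
            # let that exact message be replayed inside the window.
            return "busy"
        # An accepted timestamp is at most now + window, so the message is
        # stale for certain once the clock passes now + 2 * window.
        self._seen[nonce] = now + 2 * self.window
        return "ok"
```

Running the check after signature verification keeps unauthenticated traffic from filling the history; the global authentication throttling listed above limits how fast an authenticated peer can fill it.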

Release v0.1.0

20 Feb 01:32
09bc9e6

Pre-release

This is the first alpha release for the public.
Please try to find any vulnerabilities and report them in a GitHub issue.

This supports:

  • All tunneling software (e.g. serveo.net, Cloudflare tunnels)
  • Arch, Ubuntu, Debian Linux for the server.
  • Anything for the client.

Features to be added:

  • Alpine Linux support for the server.

That's all, cheers.