4.2.2 (2026-06-03)
------------------

* Fixed a denial of service vulnerability via unbounded WebSocket message sizes.
  Daphne previously passed no message or frame size limits to autobahn,
  whose defaults are unbounded. This allowed an unauthenticated client
  to exhaust server memory by sending a very large WebSocket
  messages/frames (CVE-2026-44545).

  Both limits now default to 1 MiB and can be configured via the new
  ``--websocket-max-message-size`` and ``--websocket-max-frame-size`` CLI
  flags (or the matching ``Server`` constructor arguments). Pass ``0`` to
  restore the previous unlimited behaviour.
  
  Thanks to ParkHyunWoo for the report.

* Fixed a header injection vulnerability on the WebSocket upgrade path
  (CVE-2026-44546).

  Header values containing ``\x0b``, ``\x0c``, ``\x1c``, ``\x1d``, ``\x1e``,
  or ``\x85`` were parsed as a single header by Twisted but split into
  multiple headers by autobahn during the WebSocket handshake. An attacker
  could exploit this parser differential to smuggle additional headers
  (e.g. authentication tokens, ``X-Forwarded-For``, ``Origin``,
  ``Daphne-Root-Path``) into the ASGI scope passed to the application.

  Daphne now rejects requests carrying these bytes in any header value with
  a 400 Bad Request response, as required by RFC 9110 §5.5.

  Thanks to Rene Henningsen for the report.

4.2.1 (2025-07-02)
------------------

* Fixed a packaging error in 4.2.0.

* Removed --nostatic and --insecure args to runserver command when staticfiles
  app is not installed.

4.2.0 (2025-05-16)
------------------

Daphne 4.2 is a maintenance release in the 4.x series.

* Added support for Python 3.13.

* Dropped support for EOL Python 3.8.

* Updated pyupgrade configuration to target Python 3.9.

* Added a `load_asgi_app` hook to CLI class, useful for compiled or frozen
  applications.

* Allowed assigning a port in the DaphneProcess test helper, useful for live
  server test cases, such as that provided by Channels.

* Added --nostatic and --insecure args to runserver command to match Django's
  built-in command.

* Moved metadata to use pyproject.toml.

* Updated sdist file to include tests and changelog.

* Removed unused pytest-runner.

4.1.2 (2024-04-11)
------------------

* Fixed a setuptools configuration error in 4.1.1.

4.1.1 (2024-04-10)
------------------

* Fixed a twisted.plugin packaging error in 4.1.0.

  Thanks to sdc50.

4.1.0 (2024-02-10)
------------------

* Added support for Python 3.12.

* Dropped support for EOL Python 3.7.

* Handled root path for websocket scopes.

* Validate HTTP header names as per RFC 9110.

4.0.0 (2022-10-07)
------------------

Major versioning targeting use with Channels 4.0 and beyond. Except where
noted should remain usable with Channels v3 projects, but updating Channels to the latest version is recommended.

* Added a ``runserver`` command to run an ASGI Django development server.

  Added ``"daphne"`` to the ``INSTALLED_APPS`` setting, before
  ``"django.contrib.staticfiles"`` to enable:

  INSTALLED_APPS = [
    "daphne",
    ...
  ]

  This replaces the Channels implementation of ``runserver``, which is removed
  in Channels 4.0.

* Made the ``DaphneProcess`` tests helper class compatible with the ``spawn``
  process start method, which is used on macOS and Windows.

  Note that requires Channels v4 if using with ``ChannelsLiveServerTestCase``.

* Dropped support for Python 3.6.

* Updated dependencies to the latest versions.

  Previously a range of Twisted versions have been supported. Recent Twisted
  releases (22.2, 22.4) have issued security fixes, so those are now the
  minimum supported version. Given the stability of Twisted, supporting a
  range of versions does not represent a good use of maintainer time. Going
  forward the latest Twisted version will be required.

* Set ``daphne`` as default ``Server`` header.

  This can be configured with the ``--server-name`` CLI argument.

  Added the new ``--no-server-name`` CLI argument to disable the ``Server``
  header, which is equivalent to ``--server-name=` (an empty name).

* Added ``--log-fmt`` CLI argument.

* Added support for ``ASGI_THREADS`` environment variable, setting the maximum
  number of workers used by a ``SyncToAsync`` thread-pool executor.

  Set e.g. ``ASGI_THREADS=4 daphne ...`` when running to limit the number of
  workers.

* Removed deprecated ``--ws_protocols`` CLI option.

3.0.2 (2021-04-07)
------------------

* Fixed a bug where ``send`` passed to applications wasn't a true async
  function but a lambda wrapper, preventing it from being used with
  ``asgiref.sync.async_to_sync()``.


3.0.1 (2020-11-12)
------------------

* Fixed a bug where ``asyncio.CancelledError`` was not correctly handled on
  Python 3.8+, resulting in incorrect protocol application cleanup.


3.0.0 (2020-10-28)
------------------

* Updates internals to use ASGI v3 throughout. ``asgiref.compatibility`` is
  used for older applications.

* Consequently, the `--asgi-protocol` command-line option is removed.

* HTTP request bodies are now read, and passed to the application, in chunks.

* Added support for Python 3.9.

* Dropped support for Python 3.5.


2.5.0 (2020-04-15)
------------------

* Fixes compatability for twisted when running Python 3.8+ on Windows, by
  setting ``asyncio.WindowsSelectorEventLoopPolicy`` as the event loop policy
  in this case.

* The internal ``daphne.testing.TestApplication`` now requires an addition
  ``lock`` argument to ``__init__()``. This is expected to be an instance of
  ``multiprocessing.Lock``.


2.4.1 (2019-12-18)
------------------

* Avoids Twisted using the default event loop, for compatibility with Django
  3.0's ``async_unsafe()`` decorator in threaded contexts, such as using the
  auto-reloader.


2.4.0 (2019-11-20)
------------------

* Adds CI testing against and support for Python 3.8.

* Adds support for ``raw_path`` in ASGI scope.

* Ensures an error response is sent to the client if the application sends
  malformed headers.

* Resolves an asyncio + multiprocessing problem when testing that would cause
  the test suite to fail/hang on macOS.

* Requires installing Twisted's TLS extras, via ``install_requires``.

* Adds missing LICENSE to distribution.


2.3.0 (2019-04-09)
------------------

* Added support for ASGI v3.


2.2.5 (2019-01-31)
------------------

* WebSocket handshakes are now affected by the websocket connect timeout, so
  you can limit them from the command line.

* Server name can now be set using --server-name


2.2.4 (2018-12-15)
------------------

* No longer listens on port 8000 when a file descriptor is provided with --fd

* Fixed a memory leak with WebSockets


2.2.3 (2018-11-06)
------------------

* Enforce that response headers are only bytestrings, rather than allowing
  unicode strings and coercing them into bytes.

* New command-line options to set proxy header names: --proxy-headers-host and
  --proxy-headers-port.


2.2.2 (2018-08-16)
------------------

* X-Forwarded-Proto support is now present and enabled if you turn on the
  --proxy-headers flag

* ASGI applications are no longer instantiated in a thread (the ASGI spec
  was finalised to say all constructors must be non-blocking on the main thread)


2.2.1 (2018-07-22)
------------------

* Python 3.7 compatability is flagged and ensured by using Twisted 18.7 and
  above as a dependency.

* The send() awaitable in applications no longer blocks if the connection is
  closed.

* Fixed a race condition where applications would be cleaned up before they
  had even started.


2.2.0 (2018-06-13)
------------------

* HTTP timeouts have been removed by default, as they were only needed
  with ASGI/Channels 1. You can re-enable them with the --http-timeout
  argument to Daphne.

* Occasional errors on application timeout for non-fully-opened sockets
  and for trying to read closed requests under high load are fixed.

* X-Forwarded-For headers are now correctly decoded in all environments
  and no longer have unicode matching issues.


2.1.2 (2018-05-24)
------------------

* Fixed spurious errors caused by websockets disconnecting before their
  application was instantiated.

* Stronger checking for type-safety of headers as bytestrings


2.1.1 (2018-04-18)
------------------

* ASGI application constructors are now run in a threadpool as they might
  contain blocking synchronous code.


2.1.0 (2018-03-05)
------------------

* Removed subprotocol support from server, as it never really worked. Subprotocols
  can instead be negotiated by ASGI applications now.

* Non-ASCII query strings now raise a 400 Bad Request error rather than silently
  breaking the logger


2.0.4 (2018-02-21)
------------------

* Ping timeouts no longer reset on outgoing data, only incoming data

* No more errors when connections close prematurely


2.0.3 (2018-02-07)
------------------

* Unix socket listening no longer errors during startup (introduced in 2.0.2)

* ASGI Applications are now not immediately killed on disconnection but instead
  given --application-close-timeout seconds to exit (defaults to 10)


2.0.2 (2018-02-04)
------------------

* WebSockets are no longer closed after the duration of http_timeout


2.0.1 (2018-02-03)
------------------

* Updated logging to correctly route exceptions through the main Daphne logger


2.0.0 (2018-02-01)
------------------

* Major rewrite to the new async-based ASGI specification and to support
  Channels 2. Not backwards compatible.


1.3.0 (2017-06-16)
------------------

* Ability to set the websocket connection timeout

* Server no longer reveals the exact Autobahn version number for security

* A few unicode fixes for Python 2/3 compatability

* Stopped logging messages to already-closed connections as ERROR


1.2.0 (2017-04-01)
------------------

* The new process-specific channel support is now implemented, resulting in
  significantly less traffic to your channel backend.

* Native twisted blocking support for channel layers that support it is now
  used. While it is a lot more efficient, it is also sometimes slightly more
  latent; you can disable it using --force-sync.

* Native SSL termination is now correctly reflected in the ASGI-HTTP `scheme`
  key.

* accept: False is now a valid way to deny a connection, as well as close: True.

* HTTP version is now correctly sent as one of "1.0", "1.1" or "2".

* More command line options for websocket timeouts


1.1.0 (2017-03-18)
------------------

* HTTP/2 termination is now supported natively. The Twisted dependency has been
  increased to at least 17.1 as a result; for more information about setting up
  HTTP/2, see the README.

* X-Forwarded-For decoding support understands IPv6 addresses, and picks the
  most remote (leftmost) entry if there are multiple relay hosts.

* Fixed an error where `disconnect` messages would still try and get sent even
  if the client never finished a request.


1.0.3 (2017-02-12)
------------------

* IPv6 addresses are correctly accepted as bind targets on the command line

* Twisted 17.1 compatability fixes for WebSocket receiving/keepalive and
  proxy header detection.


1.0.2 (2017-02-01)
------------------

* The "null" WebSocket origin (including file:// and no value) is now accepted
  by Daphne and passed onto the application to accept/deny.

* Listening on file descriptors works properly again.

* The DeprecationError caused by not passing endpoints into a Server class
  directly is now a warning instead.


1.0.1 (2017-01-09)
------------------

* Endpoint unicode strings now work correctly on Python 2 and Python 3


1.0.0 (2017-01-08)
------------------

* BREAKING CHANGE: Daphne now requires acceptance of WebSocket connections
  before it finishes the socket handshake and relays incoming packets.
  You must upgrade to at least Channels 1.0.0 as well; see
  http://channels.readthedocs.io/en/latest/releases/1.0.0.html for more.

* http.disconnect now has a `path` key

* WebSockets can now be closed with a specific code

* X-Forwarded-For header support; defaults to X-Forwarded-For, override with
  --proxy-headers on the commandline.

* Twisted endpoint description string support with `-e` on the command line
  (allowing for SNI/ACME support, among other things)

* Logging/error verbosity fixes and access log flushes properly


0.15.0 (2016-08-28)
-------------------

* Connections now force-close themselves after pings fail for a certain
  timeframe, controllable via the new --ping-timeout option.

* Badly-formatted websocket response messages now log to console in
  all situations

* Compatability with Twisted 16.3 and up


0.14.3 (2016-07-21)
-------------------

* File descriptors can now be passed on the commandline for process managers
  that pass sockets along like this.

* websocket.disconnect messages now come with a "code" attribute matching the
  WebSocket spec.

* A memory leak in request logging has been fixed.


0.14.2 (2016-07-07)
-------------------

* Marked as incompatible with twisted 16.3 and above until we work out why
  it stops incoming websocket messages working


0.14.1 (2016-07-06)
-------------------

* Consumption of websocket.receive is also now required.


0.14.0 (2016-07-06)
-------------------

* Consumption of websocket.connect is now required (channels 0.16 enforces
  this); getting backpressure on it now results in the socket being
  force closed.


0.13.1 (2016-06-28)
-------------------

* Bad WebSocket handshakes now return 400 and an error messages
  rather than 500 with no content.


0.13.0 (2016-06-22)
-------------------

* Query strings are now sent as bytestrings and the application is responsible
  for decoding. Ensure you're running Channels 0.15 or higher.


0.12.2 (2016-06-21)
-------------------

* Plus signs in query string are now handled by Daphne, not Django-by-mistake.
  Ensure you're running Channels 0.14.3 or higher.

* New --root-path and DAPHNE_ROOT_PATH options for setting root path.


0.12.1 (2016-05-18)
-------------------

* Fixed bug where a non-ASCII byte in URL paths would crash the HTTP parser
  without a response; now returns 400, and hardening in place to catch most
  other errors and return a 500.

* WebSocket header format now matches HTTP header format and the ASGI spec.
  No update needed to channels library, but user code may need updating.


0.12.0 (2016-05-07)
-------------------

* Backpressure on http.request now causes incoming requests to drop with 503.
  Websockets will drop connection/disconnection messages/received frames if
  backpressure is encountered; options are coming soon to instead drop the
  connection if this happens.


0.11.4 (2016-05-04)
-------------------

* Don't try to send TCP host info in message for unix sockets


0.11.3 (2016-04-27)
-------------------

* Don't decode + as a space in URLs


0.11.2 (2016-04-27)
-------------------

* Correctly encode all path params for WebSockets


0.11.1 (2016-04-26)
-------------------

* Fix bugs with WebSocket path parsing under Python 2


0.11.0 (2016-04-26)
-------------------

* HTTP paths and query strings are now pre-decoded before going to ASGI


0.10.3 (2016-04-05)
-------------------

* Error on badly formatted websocket reply messages


0.10.2 (2016-04-03)
-------------------

* Access logging in NCSAish format now printed to stdout, configurable to
  another file using --access-log=filename


0.10.1 (2016-03-29)
-------------------

* WebSockets now close after they've been open for longer than the channel
  layer group expiry (86400 seconds by default for most layers).

* Binding to UNIX sockets is now possible (use the -u argument)

* WebSockets now send keepalive pings if they've had no data for a certain
  amount of time (20 seconds by default, set with --ping-interval)


0.10.0 (2016-03-21)
-------------------

* Multiple cookies are now set correctly

* Follows new ASGI single-response-channel spec for !

* Follows new ASGI header encoding spec for HTTP


0.9.3 (2016-03-08)
------------------

* WebSocket query strings are correctly encoded


0.9.2 (2016-03-02)
------------------

* HTTP requests now time out after a configurable amount of time and return 503
  (default is 2 minutes)


0.9.1 (2016-03-01)
------------------

* Main thread actually idles rather than sitting at 100%

* WebSocket packets have an "order" attribute attached

* WebSocket upgrade header detection is now case insensitive


0.9 (2016-02-21)
----------------

* Signal handlers can now be disabled if you want to run inside a thread
  (e.g. inside Django autoreloader)

* Logging hooks that can be used to allow calling code to show requests
  and other events.

* Headers are now transmitted for websocket.connect

* http.disconnect messages are now sent

* Request handling speed significantly improved
