Release Notes Version 4.3.x
Major changes from version 4.2 to version 4.3
- The Admin Dashboard has been redesigned and the System Status page has been significantly expanded with comprehensive network diagnostics. New checks include outgoing HTTPS connectivity to LiquidFiles services, Ubuntu repositories, ClamAV mirror reachability, DNS server responsiveness, LDAP server connectivity and authentication, mail queue status, and a configurable TCP packet quality test. All checks run asynchronously with clear pass/fail indicators and troubleshooting guidance.
- Added support for Microsoft Office 365 as an email relay using OAuth2 authentication (Device Code Flow). This replaces the need for basic SMTP credentials, which Microsoft has been deprecating. Administrators configure their Microsoft Entra tenant ID and Client ID, then complete a guided authorization flow.
- Comprehensive accessibility overhaul to meet WCAG Level A and AA compliance. Includes skip navigation links, semantic HTML elements, keyboard-accessible tooltips and popovers, screen reader support with ARIA attributes, proper form labels, table header scoping, image alt text, and correct heading hierarchy.
- Added session timeout warning with a countdown popup that lets users extend their session or re-authenticate with their password, TOTP code, or SMS token after expiry without losing their work.
- Added secondary admin re-authentication. Administrators are now required to re-authenticate before accessing /admin and /system pages, providing defense-in-depth against session hijacking. Supports password, SAML email verification, and strong authentication (TOTP, SMS, Duo). Includes a configurable session timeout with an expiry warning modal. API access is not affected.
- Restructured locale system now ships with 20 pre-translated languages. New sticky search/filter bar in the locale editor for quickly finding translation keys. Locale key remapping automatically migrates existing customizations when keys are reorganized.
- Added configurable filename sanitizer to protect against malicious or problematic filenames. Applies multiple layers of protection including stripping invalid UTF-8 bytes, recursive percent-encoding decode, HTML entity decoding, and tag stripping. The sanitization pattern is configurable with regex validation and ReDoS protection.
- Security: Added Cross-Origin-Resource-Policy (CORP), Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) headers to all responses for cross-origin isolation. Added X-DNS-Prefetch-Control header to prevent DNS prefetching leakage. Added Clear-Site-Data header on logout to ensure complete cookie cleanup. Added Retry-After and X-RateLimit headers on brute force protection responses. Removed the legacy X-Frame-Options header for Outlook responses where it conflicted with the CSP frame-ancestors policy. See Frequent Responses after Security Reviews for details.
- Security: SSO signature verification now uses constant-time comparison to prevent timing attacks.
- Added Certificate API for managing SSL/TLS certificates programmatically. Enables external certificate automation tools (certbot, Venafi, internal PKI, etc.) to view and upload certificates via the REST API using a Sysadmin API key.
- Added Bearer Token authentication as the preferred API authentication method. API clients can now use Authorization: Bearer <api_key> instead of HTTP Basic Auth. Both static and expiring API keys are supported. HTTP Basic Auth remains available for backward compatibility.
- API clients now receive JSON-formatted error responses from nginx error pages instead of HTML, covering maintenance pages and HTTP errors 400, 403, 404, 405, 422, 429 and 500.
- Fixed Outlook add-in authentication on browsers that block third-party cookies. Previously, the Outlook add-in set its authentication cookie inside a dialog window, which modern browsers (Safari, Firefox, and Chromium-based browsers with strict cookie policies) would silently discard as a third-party cookie — preventing users from logging in. Authentication now uses a secure one-time code handoff: after the user logs in via the dialog, a short-lived single-use code is passed back to the Outlook task pane, which exchanges it for an authentication cookie in its own browsing context. This ensures the cookie is always set as a first-party cookie, making login work reliably across all browsers. The exchange codes expire after 2 minutes and include brute-force protection.
- Updated internal components, including Ruby and bundled libraries, to later versions.
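The layered filename sanitizer described above, written out as an added illustration (this is not LiquidFiles code, and the default pattern, decode-round limit, length limit and the nested-quantifier heuristic are assumptions chosen for the example). It applies the layers in the order the notes list them, invalid UTF-8 removal, bounded recursive percent-decoding, HTML entity decoding and tag stripping, then a configurable pattern that is validated before use:

```python
import html
import re
from urllib.parse import unquote

# Assumed defaults for this illustration; the product's real pattern and limits
# are administrator-configurable and are not reproduced here.
DEFAULT_PATTERN = r"[^\w.\- ]"   # replace anything that is not a word char, dot, dash or space
MAX_PATTERN_LEN = 200
MAX_DECODE_ROUNDS = 5
MAX_FILENAME_LEN = 255


def validate_pattern(pattern: str) -> re.Pattern:
    """Compile an administrator-supplied pattern with cheap ReDoS safeguards.

    The nested-quantifier check is a heuristic (catches shapes like (a+)+),
    not a complete ReDoS analysis.
    """
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern too long")
    if re.search(r"\([^()]*[+*][^()]*\)\s*[+*{]", pattern):
        raise ValueError("nested quantifier rejected as a ReDoS risk")
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid pattern: {exc}") from None


def is_safe_pattern(pattern: str) -> bool:
    """Convenience wrapper: True if validate_pattern() accepts the pattern."""
    try:
        validate_pattern(pattern)
        return True
    except ValueError:
        return False


def sanitize_filename(raw: bytes, pattern: str = DEFAULT_PATTERN) -> str:
    safe_re = validate_pattern(pattern)
    # Layer 1: drop invalid UTF-8 byte sequences instead of raising.
    name = raw.decode("utf-8", errors="ignore")
    # Layer 2: percent-decode until stable, bounded so %2525... cannot loop forever.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    # Layer 3: decode HTML entities, then strip any tags the decoding exposed.
    name = html.unescape(name)
    name = re.sub(r"<[^>]*>", "", name)
    # Layer 4: neutralise NUL bytes, path separators and dot-dot sequences.
    name = name.replace("\x00", "")
    name = re.sub(r"[\\/]+", "_", name)
    name = re.sub(r"\.{2,}", ".", name)
    name = name.lstrip(".")
    # Layer 5: apply the configurable pattern and bound the length.
    name = safe_re.sub("_", name).strip(" .")
    return name[:MAX_FILENAME_LEN] or "unnamed"


if __name__ == "__main__":
    # Constructed sample inputs covering each layer.
    for sample in (b"report%2520Q1.pdf", b"&lt;script&gt;alert(1)&lt;/script&gt;.txt",
                   b"..%2F..%2Fetc%2Fpasswd", b"caf\xc3\xa9\xff.txt", b"evil.php\x00.txt"):
        print(sample, "->", sanitize_filename(sample))
```

Decoding before tag stripping matters: `&lt;script&gt;` only becomes a tag after entity decoding, and a single percent-decode would leave `%2520` as `%20`. The pattern is compiled once per call and its length and shape are checked first, so a misconfigured pattern fails fast rather than stalling the upload path.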
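The constant-time comparison point from the SSO signature fix, shown as an added example (not LiquidFiles code; the signed-field layout, HMAC-SHA256 and the 300-second freshness window are assumptions for the illustration). The naive version is included only to show the pattern the fix replaces:

```python
import hashlib
import hmac
import time

SSO_MAX_AGE_SECONDS = 300  # assumed freshness window, not a product setting


def canonical_payload(params: dict) -> bytes:
    """Deterministic serialisation of the signed fields (assumed format):
    sorted key=value pairs joined by '&', excluding the signature itself."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "signature").encode()


def sign_sso_request(secret: bytes, params: dict) -> str:
    return hmac.new(secret, canonical_payload(params), hashlib.sha256).hexdigest()


def verify_sso_request_naive(secret: bytes, params: dict) -> bool:
    # The pattern the fix replaces: str == stops at the first differing byte,
    # so the response time depends on how many leading bytes match.
    return sign_sso_request(secret, params) == params.get("signature", "")


def verify_sso_request(secret: bytes, params: dict, now: float | None = None) -> bool:
    provided = params.get("signature", "")
    expected = sign_sso_request(secret, params)
    # compare_digest runs in time independent of where the inputs differ.
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False
    # A valid signature on a stale request is still rejected (replay limit).
    try:
        issued = int(params["timestamp"])
    except (KeyError, ValueError):
        return False
    now = time.time() if now is None else now
    return 0 <= now - issued <= SSO_MAX_AGE_SECONDS


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = {"email": "user@example.com", "timestamp": str(int(time.time()))}
    req["signature"] = sign_sso_request(secret, req)
    print("valid:", verify_sso_request(secret, req))
    print("tampered:", verify_sso_request(secret, dict(req, email="other@example.com")))
```

`hmac.compare_digest` takes equal-length byte strings; comparing the hex digests as bytes keeps both operands the same type. Freshness is checked only after the signature, so an unsigned request cannot probe the clock logic.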
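The one-time code handoff used for the Outlook add-in login, as an added example of the server-side store such a design needs (this is not the LiquidFiles implementation; only the 2-minute expiry comes from the notes, while the failure threshold, the per-client key and the hashed storage are assumptions). The dialog calls `issue()` after login; the task pane presents the code to `redeem()` in its own browsing context:

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 120        # the 2-minute expiry described in the release notes
MAX_FAILED_REDEMPTIONS = 5    # assumed brute-force threshold per client key


class HandoffCodeStore:
    """Single-use, short-lived codes that bridge the login dialog and the task pane."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, float]] = {}   # sha256(code) -> (user_id, issued_at)
        self._failures: dict[str, int] = {}              # client key (e.g. source IP) -> failures

    @staticmethod
    def _digest(code: str) -> str:
        # Store only a hash so a leaked store does not yield redeemable codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self._codes[self._digest(code)] = (user_id, now)
        return code

    def redeem(self, code: str, client_key: str, now: float | None = None) -> str | None:
        """Return the user id for a valid code, or None. Every code is consumed on
        first presentation, valid or expired, so it can never be replayed."""
        now = time.time() if now is None else now
        if self._failures.get(client_key, 0) >= MAX_FAILED_REDEMPTIONS:
            return None   # locked out: guessing is cut off before the lookup
        entry = self._codes.pop(self._digest(code), None)   # pop => single use
        if entry is None:
            self._failures[client_key] = self._failures.get(client_key, 0) + 1
            return None
        user_id, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:
            return None
        self._failures.pop(client_key, None)
        return user_id

    def purge_expired(self, now: float | None = None) -> int:
        """Housekeeping for codes that were never presented; returns how many were dropped."""
        now = time.time() if now is None else now
        stale = [k for k, (_, issued) in self._codes.items() if now - issued > CODE_TTL_SECONDS]
        for k in stale:
            del self._codes[k]
        return len(stale)


if __name__ == "__main__":
    store = HandoffCodeStore()
    code = store.issue("user-1")
    print("first redemption:", store.redeem(code, "pane-client"))
    print("second redemption:", store.redeem(code, "pane-client"))
```

The cookie the task pane then sets is issued by the task pane's own response, which is what makes it first-party; the store above only has to guarantee that the code is unguessable, expires, and works exactly once.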
Also, please see the Incompatibilities and Warnings section below before updating from LiquidFiles v4.2 and earlier.
Version 4.3 Beta 1 (4.2.51) (released 2026-04-13)
Including all fixes from v4.3.x plus:
- Initial Release of v4.3 Beta.
Incompatibilities and Warnings
These are a few things you need to be aware of when updating to LiquidFiles v4.3.
API Changes
Bearer Token authentication (Authorization: Bearer <api_key>) is now the preferred method for API authentication. HTTP Basic Auth continues to work but is deprecated and will be removed no earlier than April 2027. We recommend updating your API clients to use Bearer Token authentication. See the API Authentication documentation for details.
API clients sending Accept: application/json will now receive JSON-formatted error responses ([{"error": "..."}]) from nginx error pages instead of HTML. This includes maintenance pages and HTTP errors 400, 403, 404, 405, 422, 429 and 500.