The FreshRSS team has just unveiled version 1.27 of this popular self-hosted RSS feed aggregator, introducing some new features, security improvements, and technical updates.
Among the most notable new features is the added support for handling HTTP status codes like 429 Too Many Requests and 503 Service Unavailable, along with proper use of the “Retry-After” header.
The update also makes it easier to organize and search feeds, thanks to new sorting options by category or feed title, and a search operator (c:) that allows filtering by categories. Regarding customization, users can now add custom feed favicons, plus there is a reworked favicon fetching designed to reduce unnecessary network requests.
On the technical side, FreshRSS has begun supporting PHP 8.5+, with its Docker alternative image already shipping Alpine 3.22 and PHP 8.4. Meanwhile, the default Debian-based Docker image has been refreshed to PHP 8.2, with PHP 8.4 support promised soon.
On the security side, FreshRSS now includes a reauthentication “sudo mode” for sensitive actions, stricter Content-Security-Policy headers (including frame-ancestors enforcement), and safeguards like cookie regeneration after logout and requiring the current password before setting a new one.
Additionally, access checks and permission fixes across user and feed-related actions further tighten the platform’s defenses.
Beyond that, the release squashes a range of bugs, including issues with feed scraping, WebSub redirection, XML encoding, and support for feeds encoded in UTF-16LE. Improvements to the bundled SimplePie library also ensure more consistent handling of edge cases in feed parsing.
For developers and extension authors, FreshRSS 1.27 expands the extension API with new hooks and endpoints, making integrations easier. Lastly, the UI has also seen some polish with updates to chart.js, better lazy-loading behavior, and refinements to confirmation dialogs and styling.
For more information, see the changelog.
