Skip to main content
mod_pagespeed 1.15 — Cyclone Cache, modernized optimizations, IIS + .NET support, and six years of security updates
2.0 1.15

Release Notes

mod_pagespeed 1.15 release notes — the maintained successor to the final open-source release (1.14.36.1, the last from the Apache incubator). Full version history, security and reliability updates.

On this page

mod_pagespeed 1.15 is the maintained, drop-in continuation of the Apache-lineage mod_pagespeed. The current release is 1.15.0 (package v1.15.0+r18). It is the direct successor to the final open-source release, 1.14.36.1 (August 2020) — the last release made under the Apache incubator — and is actively maintained and security-patched.

How releases work

Updates ship as package revisions of the current release; the latest is v1.15.0+r18. Each revision rolls up security, reliability, and feature work with no configuration change required, so update to the latest revision when it is available. Packages and install commands are on the Downloads page.

Two notes on version numbers:

  • The maintained line first shipped as 1.1.0 (GA on 2026-05-15, revisions r1–r24). On 2026-06-01 it was renumbered to 1.15.0 so that version comparisons against the open-source 1.14.x line sort correctly in apt, dnf, and control panels. Same product, same packages — only the number changed.
  • Security entries below describe the impact class and recommend updating; we keep exploit specifics out of public notes by policy. CVE identifiers are given where they concern bundled third-party components.
  • Many of the bug and security fixes below repair defects inherited from the open-source line — code that shipped in 1.14.36.1 or the historical ngx_pagespeed and was never fixed upstream. Entries note this where it is the case, so it is clear what was repaired relative to the last open-source release.

1.15.0 releases

Most recent first.

v1.15.0+r18 — 2026-07-11

Performance, caching, and correctness release, with security hardening across input validation and output escaping. Update recommended.

Performance

  • Cached resources are served with far less copying. Cache hits are now served from the memory-mapped cache by reference (CycloneZeroCopyServe) — on by default on nginx, and available as an experimental opt-in on Apache and IIS. A fully zero-copy direct-serve mode (CycloneZeroCopy) is also available as an experimental option (off by default).
  • Apache streams optimized resource responses instead of double-buffering them; nginx serves cached responses on HTTP/2 and HTTP/3 through a bounded copy ring, keeping per-request memory use bounded even for large responses.

Caching

  • The default file cache size is raised to 1 GB (was 100 MB). Cache files are sparse, so the larger default raises the ceiling, not the baseline footprint.
  • Optimization metadata and page properties are now stored in a dedicated small-object area on file caches of roughly 256 MB or larger, so heavy image traffic can no longer evict them — restarts stay fast even under load. Upgrade note: on caches at or above that size, the first restart after upgrading rebuilds the payload cache once (re-optimization proceeds normally; metadata is unaffected). Set FileCacheSmallTierPercent 0 to disable.
  • The cache’s RAM tier can now be sized independently of LRUCacheKbPerProcess via the new CycloneRamCacheKb directive (default 0: disabled — memory-mapped cache hits are already served from the OS page cache).
  • The bundled cache library receives a reliability batch: deterministic shutdown, a fix for a rare hash-collision case that could silently drop a cache entry, a tighter power-loss window (including on Windows), automatic recovery when a crash interrupts cache creation, and a lower memory footprint per cache stripe.
  • New cache observability counters on the admin console’s caches page.

Correctness and configuration

Configuration validation is stricter in this release; previously-accepted invalid configurations may now fail to load, which is intentional:

  • An invalid filter name in ?PageSpeedFilters= now consistently rejects the whole query — rejection was previously position-dependent, a quirk inherited from the open-source line.
  • Out-of-range values for bounded options now fail configuration load instead of being silently accepted (the open-source line never range-checked these): image qualities (-1..100), progressive JPEG scans (-1..10), RewriteRandomDropPercentage (0..100), HttpCacheCompressionLevel (-1..9), CentralControllerPort (1..65535).
  • The AddResourceHeader limit of 20 headers is enforced exactly.
  • Directive and option-scope matching is now case-consistent across all server platforms, so scope enforcement can no longer be sidestepped by casing (on Apache and nginx this behavior dates back to the open-source releases).
  • The legacy JavaScript minifier (used when UseExperimentalJsMinifier is off) now passes files containing template literals through unmodified instead of corrupting them — the minifier predates ES2015 template literals, and the corruption affected every open-source release.

Critical CSS and Content-Security-Policy

  • prioritize_critical_css and other script-injecting filters now honor a restrictive Content-Security-Policy when HonorCsp is enabled, backing off instead of injecting scripts the policy would block; the CSP policy engine received a set of correctness fixes.
  • Inlined critical CSS preserves stylesheet charset fidelity and link attributes, and handles @import/@keyframes rules correctly.
  • The critical-CSS beacon is viewport-aware, and beacon truncation is now observable in statistics instead of silently starving extraction.
  • lazyload_images gains a native mode that emits loading="lazy" on below-the-fold images instead of injecting the JavaScript loader.

IIS

  • Fixed a defect in the loopback fetcher where a sub-resource fetch that completed asynchronously could be treated as an empty response, suppressing optimization of the parent page for five minutes at a time. Update recommended for IIS deployments.
  • Configuration parsing is hardened: a malformed configuration line can no longer crash the module at startup, unknown options are reported instead of silently ignored, and option scoping is enforced on IIS as on the other platforms.

Security

  • Hardened input validation and output escaping across the rewriter, beacon handling, and configuration parsing. The underlying gaps date back to the open-source line (1.14.36.1 and earlier). No exploitation is known; update recommended.
  • The bundled HTTPS fetch library is updated to curl 8.21.0, which addresses a batch of recently published curl vulnerabilities.

Reliability

  • Fixed a worker-pool defect where a work sequence could be recycled while work was still queued (present since the Google-era code); nginx scheduler alarms are now driven from the event loop; the experimental native fetcher (UseNativeFetcher) gains native TLS support.

v1.15.0+r17 — 2026-07-05

Caching, reliability, and security maintenance. Update recommended.

  • Cache persistence across restarts. Optimization metadata and page properties are written through to the disk cache and survive server restarts, so a deploy or restart no longer triggers a re-optimization spike. (The open-source line kept these caches warm only via periodic snapshots, with a loss window.)
  • Reliability. Shutdown-ordering fixes on nginx and IIS eliminate a class of rare crash-on-exit conditions; an IIS initialization race is fixed.
  • Security. A memory-safety hardening fix in nginx request handling (a defect inherited from the open-source ngx_pagespeed), and the ASP.NET Core sidecar’s bundled nginx moves to 1.30.3 (CVE-2026-42055, CVE-2026-48142).
  • Experimental. The opt-in AI-crawl counter for Web Bot Auth reaches parity with ModPageSpeed 2.0, including verification of real-world signers.

v1.15.0+r16 — 2026-06-30

  • Reliability. Fixed a crash-on-exit condition on Apache (a shutdown-order problem between worker threads and static destruction).
  • Licensing. The admin console now shows a notice when active instances exceed the licensed count. Optimization is unaffected.
  • Dependencies. Defense-in-depth security updates to bundled third-party code.

v1.15.0+r15 — 2026-06-24

Security-hardening release. Update recommended.

  • Binary hardening of the shipped modules — full RELRO, immediate binding, stack protector, and fortified libc calls — now asserted at release time.
  • Fixed a robustness issue in CSS parsing of malformed input (a defect dating back to the Google-era CSS parser).
  • Reduced attack surface: several legacy, unmaintained third-party components were removed from the build, and public-suffix handling moved to the actively maintained libpsl.
  • Bundled native dependencies are continuously monitored for published vulnerabilities.

v1.15.0+r11 – r14 — 2026-06-21/22

Feature, security, and packaging roll-up (r12–r14 contain no additional product changes).

  • Verified AI-crawler controls (experimental, off by default). Web Bot Auth (RFC 9421) signature verification with an observe-only mode, and optional capability-token (RSL-CAP) enforcement — matching ModPageSpeed 2.0.
  • Content Credentials (C2PA) preservation (experimental, off by default). Image optimization can carry provenance metadata through instead of stripping it.
  • Security. Two validation gaps in the crawler-signature verifier were closed (it now fails closed); TLS enforcement on IIS internal HTTPS sub-resource fetches is hardened (update recommended for IIS); new bounds on request header count and HTML nesting depth (the Google-era parsers had no limits); admin-console dependency updates.
  • Reliability. IIS null-pointer fixes in response handling and cache-policy writes.
  • Licensing. License-status diagnostics now distinguish an unreadable license file from a missing one.
  • Packaging. New RHEL / AlmaLinux / Rocky 10 channel (x86_64), and an aarch64 nginx-module RPM for EL9.

v1.15.0+r10 — 2026-06-11

  • Licensing. The admin console purchase flow moves to per-site licensing.

v1.15.0+r9 — 2026-06-10

  • IIS reliability. Fixed a memory-safety defect and a resource leak on module unload (app-pool recycle). Update recommended for IIS deployments.

v1.15.0+r7, r8 — 2026-06-08/09

nginx packaging quality. Ubuntu modules are rebuilt against Ubuntu’s own patched nginx source — fixing load failures after Ubuntu’s security update for CVE-2026-49975 changed the nginx ABI — and the module now carries a runtime ABI guard that reports a mismatched nginx binary instead of failing unpredictably. EL9 gains an nginx-module RPM built against the distro nginx.

v1.15.0+r3 – r6 — 2026-06-04/08

Packaging expansion (r5–r6 contain no additional product changes).

  • Prebuilt, signed nginx module packages for Debian 11/12/13 and Ubuntu 22.04 via the apt/yum repositories.
  • ASP.NET Core sidecar ships as a NuGet package (WeAmp.PageSpeed, preview).
  • EL8 / CloudLinux 8 EasyApache 4 support restored, alongside EL9.
  • Build/test baseline nginx moves to 1.30.2 (CVE-2026-9256); shipped binaries are leaner (unused components are no longer compiled in).
  • Install and configuration guides were corrected and expanded.

v1.15.0+r2 — 2026-06-01

  • cPanel / EasyApache 4. Package versioning fix so the We-Amp ea-apache24-mod_pagespeed reliably takes precedence over same-named packages from other sources.

v1.15.0 — 2026-06-01

The renumber release. The product version becomes 1.15.0 — the direct successor to the final open-source 1.14.36.1 — so that package managers and control panels order it after the open-source line. Package names, repositories, and configuration are unchanged; the X-Mod-Pagespeed response header reports 1.15.0.0.

One functional change: the trial-license endpoint was removed. Licensing had already moved to the always-functional model (see 1.1.0+r23 below), which makes a separate trial gate unnecessary — an unlicensed install simply keeps working.

1.1.0 releases (before the renumber)

The same product line, shipped under its original number. The original 1.1.0 download paths remain frozen and valid.

v1.1.0+r23, r24 — 2026-05-31 / 2026-06-01

  • Always-functional licensing. The engine now always optimizes regardless of license state. An unlicensed install signals its state with a response header on optimized pages and an amber console notice — it is never functionally degraded. Licensed installs never flash the notice across worker restarts or renewals (a 72-hour renewal grace applies). Console copy updated to match.

v1.1.0+r22 — 2026-05-29

Security and reliability hardening release, the result of a dedicated audit pass. Update recommended.

  • Fixed a remotely triggerable crash condition (denial-of-service class) on nginx — a defect inherited from the open-source ngx_pagespeed, which remains unfixed there.
  • New opt-in StrictAdminAccess directive on Apache and nginx: admin, statistics, and console access is decided on the validated client IP and never on client-controlled headers. (IIS already gates admin access to loopback.)
  • Safer license-file handling on all platforms.
  • ASP.NET Core sidecar hardening: admin endpoints bind to loopback, tighter configuration-file permissions, and tokens are kept out of logs.
  • IIS: two lock-handling fixes and correct IPv6 address reporting.
  • Redis: fixed a crash at startup when a database index is configured, and reduced per-command overhead (both defects date to the open-source line, 2017).

v1.1.0+r18 – r21 — 2026-05-25/27

  • Reliability. Cache-library update: Apache graceful restarts no longer leak scoreboard slots, and nginx -s reload no longer hangs — both were process-lifecycle defects in cache teardown.
  • Security. Admin-console dependency updates clearing 13 published advisories (4 high, 9 medium).
  • Packaging. The signed apt/yum repositories for the nginx module go GA, with per-distro builds pinned to each distro’s stock nginx and blocking load, symbol, and optimization smoke gates. The EasyApache 4 configuration now degrades gracefully if the module file is absent instead of breaking Apache startup.

v1.1.0+r9 – r17 — 2026-05-21/22

IIS quality wave (r12–r17 contain no product changes). Update recommended for IIS deployments.

  • Fixed crashes in the IIS URL fetcher and in lock handling.
  • Admin endpoints are default-deny in the shipped sample configurations, and the module logs a warning when an admin handler receives a non-loopback request.
  • Smoother installation: per-site cache and log directories are auto-created with safe permissions (new AutoCreateLogDir directive), initialization failures surface as specific X-Pagespeed-Init-Status values with per-failure error pages, and the MSI grants the required ACLs.
  • Upgrading from IISpeed: an existing iiswebspeed.config is picked up automatically when no pagespeed.config is present.

v1.1.0+r1 – r8 — 2026-05-19/21

Packaging and distribution (most of these revisions contain no product changes).

  • First cPanel / EasyApache 4 channel: ea-apache24-mod_pagespeed RPMs.
  • The +rN package-revision scheme is established (mapping to the RPM Release field and the deb revision).

v1.1.0 — GA — 2026-05-15

The first We-Amp release of the maintained line: the direct successor to the final open-source release, 1.14.36.1 (August 2020). Everything below is relative to that baseline — in particular, the security and reliability fixes repair defects that were present in the final open-source release, not regressions in this line. See What’s new in 1.15 for the narrative version.

Security

  • All bundled image codecs and network libraries updated across six years of upstream security work: libwebp 1.5.0 (includes the fix for CVE-2023-4863, the widely exploited WebP heap overflow), libjpeg-turbo 3.1.x, libpng 1.6.58, and a modern TLS stack. The HTTPS fetcher was replaced with libcurl at a current release, clearing a 12-CVE backlog in the process, and nginx module builds moved to a 1.30.x baseline covering the May 2026 nginx CVE cluster.
  • Memory-safety fixes and hardening throughout image processing.
  • Admin-surface hardening throughout: constant-time token comparison, strict validation of cache-purge request parameters, CSRF protection and security headers on the admin and licensing endpoints, and mutating endpoints restricted to the global admin.
  • Bounded resource consumption on untrusted input: response-size and header-size caps in the fetcher, an HTML parser that stops at its size limit instead of accumulating without bound, and graceful error handling where malformed input could previously abort the process.
  • On IIS, internal HTTPS fetches validate certificates by default.
  • Release integrity: all packages are GPG-signed with a published key, and the Windows binaries (DLL and MSI) carry timestamped Authenticode signatures.
  • Development is backed by continuous sanitizer testing (AddressSanitizer, ThreadSanitizer, and Application Verifier on Windows).

Reliability

  • Fixes for long-standing crash and data-race conditions in the asynchronous rewrite lifecycle, the proxy fetch path, and cache write-ordering (a large-cache outage could previously produce persistent misses).
  • Graceful degradation replaces hard process aborts on recoverable conditions.
  • Many platform-specific stability fixes; see the per-platform notes below.

Cyclone Cache — the new disk cache

  • The original file-based cache is replaced by Cyclone Cache: a fixed-size, memory-mapped, scan-resistant cache shared safely across processes, with no periodic cleanup passes and a persistent index, so restarts start warm.
  • Fully configuration-compatible: FileCachePath keeps working and now locates the Cyclone cache; obsolete tuning options are accepted as deprecated no-ops with a warning.
  • The rest of the cache stack is unchanged: LRU cache, shared-memory metadata cache, Redis, and Memcached all remain.

Modernization

  • The build moved from GYP to Bazel, with the core on modern C++ (C++20/23) and all dependencies pinned and vendored; the source tarball builds fully offline.
  • Prebuilt, signed packages replace compile-it-yourself: deb and RPM for Apache, a prebuilt dynamic module for stock nginx, and an MSI for IIS.
  • arm64/aarch64 support added on Linux; 32-bit x86 dropped; Apache 2.2 dropped (2.4+ only); the Google-era stable/beta/unstable channel split collapsed into a single mod-pagespeed package.

Apache

  • A single mod_pagespeed.so for Apache 2.4+, installed the same way as before (a2enmod pagespeed, same configuration layout). Bundled TLS symbols are hidden from the host process to prevent library clashes.

nginx

  • ngx_pagespeed is now maintained in-tree and shipped as a prebuilt dynamic module loadable into stock nginx 1.26/1.27 with load_module — no more compiling nginx from source.

IIS — the IISpeed successor

  • A new native IIS module (pagespeed_iis.dll) for IIS 10+ replaces IISpeed, built on the IISpeed codebase and brought to parity with the Linux platforms (streaming HTML rewriting, in-place resource optimization, per-site configuration, the shared admin console).
  • Existing IISpeed installs migrate in place: the module reads pagespeed.config and falls back to an existing iiswebspeed.config; admin pages live at the standard /pagespeed_admin paths.
  • Ships as a signed MSI with clean upgrade and uninstall support.

Licensing

  • 1.1.0 introduced commercial licensing with in-console trial, activation, and renewal flows and a 72-hour renewal grace period. (Since 1.1.0+r23, licensing is always-functional: an unlicensed install keeps optimizing and is signaled, never blocked.)

What stayed the same

  • All configuration directives, the full filter set (40+ filters), .pagespeed. resource URLs, in-place resource optimization, the admin and statistics endpoints, .htaccess support on Apache, and the X-Mod-Pagespeed / X-Page-Speed response headers. Obsolete Google-era options (update channels, distributed rewriting) are accepted as no-ops with a warning rather than breaking startup.

Security updates

mod_pagespeed 1.15 is actively security-maintained. All known CVEs from the open-source mod_pagespeed project have been resolved, and the maintained line has had substantial additional security and robustness work since it took over from the final open-source 2020 release. We recommend running the latest release.

At a high level, that work spans:

  • Memory-safety hardening across the engine and request-handling paths, backed by continuous sanitizer testing on every platform.
  • Robustness against malformed or oversized input — untrusted content and abnormal conditions are handled gracefully instead of crashing or exhausting resources.
  • Admin-surface hardening — stricter authentication, safer defaults, and improved resilience of administrative and reporting endpoints to malformed or unauthorized external requests.
  • Binary hardening of the shipped modules (RELRO, BIND_NOW, stack-protector, FORTIFY_SOURCE) and a reduced attack surface.
  • Ongoing dependency updates, including image codecs, the bundled HTTPS fetch library, and tracking upstream nginx security releases, gated by continuous CVE scanning.

We keep these descriptions general by design: security entries state the impact class and the recommendation, not the mechanism. If your servers run an older open-source mod_pagespeed build, moving to 1.15 is the supported way to get all of the above.

Reporting a security issue

Found a security problem? Please email info@we-amp.com so we can investigate and ship a fix.