CTFd 3.7.6

CTFd 3.7.6 has been released with a security configuration improvement.

The TRUSTED_HOSTS config setting has been added to config.ini to restrict CTFd to trusted hostnames. This helps prevent attacks against CTFd when it has been deployed without a reverse proxy (e.g. nginx), or when that reverse proxy has been misconfigured.

The TRUSTED_HOSTS configuration is not intended to replace a reverse proxy; it acts as an additional layer of defense. We always recommend deploying CTFd behind a reverse proxy such as nginx.

We are backporting the TRUSTED_HOSTS setting from more recent versions of Flask while we work towards updating our Flask version.
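To make the setting concrete, here is an added Python illustration (not CTFd's or Flask's own code) of the host-allowlist check that a TRUSTED_HOSTS setting performs, approximating Werkzeug's matching rules: an entry matches the request's Host exactly (port ignored), and an entry beginning with "." also matches the bare domain and any subdomain. The function names and sample hostnames are assumptions.

```python
# Added illustration, not CTFd's or Flask's own implementation.
# Approximates the Werkzeug/Flask TRUSTED_HOSTS semantics:
#   "ctf.example.com"  -> exact match only (any :port is ignored)
#   ".example.com"     -> example.com and every subdomain of it
from typing import Iterable, Mapping, Optional


def _strip_port(host: str) -> str:
    """Drop a trailing :port, keeping bracketed IPv6 literals like [::1] intact."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_trusted_host(host: str, trusted: Iterable[str]) -> bool:
    """Return True if `host` (the value of the Host header) is allowlisted."""
    name = _strip_port(host.strip()).lower()
    if not name:
        return False  # a missing or empty Host header is never trusted
    for entry in trusted:
        entry = entry.strip().lower()
        if entry.startswith("."):
            # ".example.com" matches example.com itself and a.b.example.com,
            # but not notexample.com (the leading dot must be present)
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def check_request(headers: Mapping[str, str], trusted: Iterable[str]) -> Optional[int]:
    """Return an HTTP status to reject with (400), or None to let the request through.

    This is what the application does when no proxy in front of it enforces
    the hostname: requests for an unexpected Host are refused before routing.
    """
    host = headers.get("Host", "")
    return None if is_trusted_host(host, trusted) else 400
```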

Typically this kind of configuration would be handled at the reverse proxy layer like a local nginx configuration or an upstream proxy such as Cloudflare.

CTFd is used in many different settings with many different requirements, and it isn't straightforward for us to provide a single proxy configuration that meets the needs of all users.

For example, nginx does not automatically configure HTTPS and has not generally been configurable by environment variables. As such our position has always been that the proxy configuration for self-hosted users is the responsibility of the installer.

However, we acknowledge that an installer may inadvertently misconfigure or omit the reverse proxy, and the TRUSTED_HOSTS setting will help mitigate that possibility.

In the future, we will aim to provide more examples for the reverse proxy configuration and explore automatic configuration of the reverse proxy to assist self-hosted users in their setup. We absolutely welcome PRs that support this endeavor.

We recommend all CTFd users update their instance to v3.7.6.

v3.7.6 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub.