Base Software Versions


PHP R16.3 (2024-07-15)

  • Fixed ImageMagick HEIC/HEIF support in PHP 8.1/8.2/8.3 bases

PHP R16 (2024-04-26)

  • Bumped PHP versions to 8.1.28 / 8.2.18 / 8.3.6
  • Added full support for mysql 8 pending database upgrades for Craft 5


  • PHP 8.3 support

PHP R14.3 (2023-12-03)

  • Bumped PHP versions to 8.2.13 / 8.1.26
  • Asked PHP not to advertise its version in response headers when using non-Craft php scripts

PHP R14.2 (2023-10-03)

  • Updated libwebp to mitigate against webp CVE-2023-4863. Note that the only way this would be potentially exploitable within a Craft project is if end users were able to upload specially crafted webp images and these were fed into ImageMagick or GD as part of the upload process. But best to get it patched anyway!

PHP R14.1 (2023-09-28)

  • Added avif support to GD in 8.1 and 8.2
  • Bumped PHP versions to 8.2.10 / 8.1.23 / 8.0.30

PHP R14.0 (2023-05-18)

  • PHP 8.2.6 release
  • Updated other PHP versions to 8.1.19 / 8.0.28 / 7.4.33
  • Update PHP 8.1 to latest official PHP Alpine 3.18 bases

PHP R13.4 (2023-03-28)

  • Updated our PHP 8.1 version from 8.1.12 to 8.1.17

PHP R13.2 (2022-11-03)

  • Fix for missing language info in R13

PHP R13 (2022-11-02)

  • Allows for modular bundle builds for additional software including profiling tools, node etc
  • Updated PHP to 7.4.32 / 8.0.25 / 8.1.12

PHP R12 (2022-05-25)

  • Updated PHP to 7.3.33 / 7.4.29 / 8.0.19 / 8.1.6
  • Updated iconv config to use new configuration provided by official PHP releases
  • Latest New Relic agent

PHP 8.1 R11.1 (2022-03-08)

  • Added New Relic agent to PHP 8.1 base images

PHP 8.1 R11 (2022-02-17)

  • Initial PHP 8.1 release, currently in Beta
  • This 8.1 release does not contain New Relic monitoring which is not yet compatible with PHP 8.1

PHP R11 (2022-01-31)

  • Switched Imagick on PHP 8.0 to use PECL packages rather than compiling from a specific commit
  • Added initial support for New Relic performance profiling
  • Added initial support for Blackfire performance profiling

These new base images contain a newer version of Imagick which is incompatible with old versions of the package pixelandtonic/Imagine composer package.

Please ensure your pixelandtonic/Imagine package has been updated to at least version

Alternatively you can tell Craft to use the GD library by adding 'imageDriver' => 'gd' to your config/general.php file.

More details here:

PHP R10.5 (2021-12-20)

  • Fixes a bug introduced by the changes to permissions which could cause the background task runner to not execute correctly.

PHP R10.4 (2021-12-16)

  • Updated PHP to 7.3.33 / 7.4.26 / 8.0.13
  • Adjusted the configuration of the www-data user in preparation for an upcoming change to container filesystem and access permissions

PHP R10.3 (2021-09-07)

  • Updated PHP to 7.3.30 / 7.4.23 / 8.0.10
  • Added nano so that it can be used for runtime debugging within shells

PHP R10.2 (2021-04-25)

  • Updated Composer 2 to version 2.0.12 to support new GitHub access token formats

PHP R10.1 (2021-03-09)

  • Bug fix for Shell sessions

PHP R10 (2021-03-07)

  • Updated PHP to 7.3.27 / 7.4.16 / 8.0.3
  • Support for upcoming SSH access functionality

PHP R9.2 (2021-01-07)

  • Removed default no cache headers which could interfere with static caching when also using origin cache control headers
  • Initial beta release of PHP 8 base images

PHP 7.x R9.1 (2021-01-31)

  • Rolled back the iconv library to an earlier version as the latest was causing issues in some circumstances

PHP 7.x R9 (2021-01-28)

  • Allowed switching between Composer 1 and 2 during the bundling process

PHP 7.x R8 (2020-11-25)

  • Updated to PHP 7.3.24 and 7.4.12
  • Added binaries for webp image conversions
  • Added various image optimisation binaries
  • Removed disabled function set_time_limit - the platform will kill anything that locks up completely for 2 mins so it shouldn't be needed

PHP 7.x R7 (2020-08-02)

Updated imagemagick binaries and tweaked resource limits to prevent image conversions being killed due to over-allocating

PHP 7.x R6

Increase number of requests served by each PHP worker before recycling

Bump PHP versions to 7.4.8 / 7.3.20

PHP 7.x R5

Increased default max_input_vars to 10000

PHP 7.x R4

Increased default max upload size to 128MB

PHP 7.x R3

Added postgres support and bumped PHP to version 7.4.1 / 7.3.13.

PHP 7.x R2

Added additional dependencies required for Composer to install external packages using Git.

PHP 7.4 R1

Initial PHP 7.4 release. Contains PHP 7.4.0 along with other updated dependencies.

PHP 7.3 R1

Updated PHP to 7.3.11 which addresses CVE-2019-11043.

We advise that you update all of your projects to this base version immediately.

Nginx #

R18 (2024-03-12)

Switched static cache software to a forked version with some added bug fixes, including ordering of Vary key params to avoid unnecessary duplicate caches of the same URL.

R17 (2024-02-21)

Upgrade to nginx 1.25

Added an explicit block on the X-Redirect-Url request header

R16 (2023-09-10)

Upgraded to nginx 1.21.

Added a potential fix for a caching edge case in which cache results would get mixed up when specific server errors occurred

R15.2 (2022-11-03)

Added BunnyCDN to the list of 'trusted' proxies

R15.1 (2022-10-27)

Tweaked the way URIs are passed from nginx to PHP to appease a Blitz expectation.

R15 (2022-10-18)

Added the ability to restrict path redirects to specific domains.

R14.6 (2022-09-09)

Added some documentation to the robots.txt file which is returned when using a domain.

R14.5 (2022-06-30)

Added the ability to apply headers at the nginx level, as opposed to in twig templates.

R14.4 (2022-06-14)

Added the ability to configure static file cache headers and blocking of common vulnerability scan URLs (/wp-admin etc)

R14.3 (2022-05-03)

A fix for CORS headers on static files

R14.2 (2022-03-07)

Fixed a bug which could prevent users who were logged into the Craft CP from being able to request static files if static caching was enabled

R14.1 (2022-01-06)

Added support for handling webmanifest files with appropriate mime type.

R14.0 (2021-12-19)

Refactored how users and groups are used to enable fully-rootless execution.

R13.13 (2021-12-09)

Fixed a bug which prevented CORS headers from being returned for static files, including font files which benefit from CORS when working over multiple origins.

R13.12 (2021-11-16)

Fixed a bug in which the SCRIPT_FILENAME environment variable passed from nginx could contain double slashes for some requests which upset Craft's action urls.

R13.11 (2021-06-22)

Allows the behaviour of trailing slashes to be configured from the Servd dashboard

R13.10 (2021-06-08)

Removed some malware prevention rules which were getting in the way of real traffic.

R13.9 (2021-04-27)

Updated Cloudflare IP ranges for the proxy whitelist and real-end-user IP detection functionality.

R13.8 (2021-03-24)

Added additional rules for handling standalone php files and subfolder index.php files.

R13.7 (2021-03-02)

Increases the nginx max body size to 512MB, allowing PHP to make the call on how large the max body should be up to this limit.

R13.6 (2021-02-23)

Changed a redirect which applied to common Wordpress attack paths from a 301 to a 404.

R13.5 (2021-01-30)

Improved memory usage of nginx when static caching is enabled

R13.4 (2021-01-21)

Fixed a bug which would break URLs which had the word 'php' in the path, as long as it was in the first segment of the path and wasn't at the very start or very end. I kid you not...

R13.3 (2021-01-12)

Tweaks to response header configuration to default the following:

X-Content-Type-Options nosniff

X-XSS-Protection "1; mode=block"

Also prelim work to allow customisation of X-Frame-Options

R13.1 (2021-01-07)

Bugfix to prevent users who are logged into the Craft control panel receiving HTML cached by non-admin users.

R13 (2021-01-06)

Complete rewrite of the nginx configuration to support:

  • Complex static cache invalidation strategies, including wildcard patterns
  • Thundering herd protection during cache expiry
  • Configurable CORS headers
  • Arbitrary path level redirects
  • Ability to use server-side cache control headers to determine static cache validity
  • Functionality to maintain a full static copy of a website, stored in S3 which can act as a failover if the Servd platform encounters any issues

Plugin and dashboard updates will be arriving soon to allow you to configure all of this great new stuff.

R12 (2020-10-15)

Improved nginx configuration for high traffic sites


Added 30d cache headers to web font file types


Updated to Nginx 1.17.8

Switched rate limited HTTP response code from 503 to 429 to make it more obvious what's happening in this circumstance

Disable server token output


Fixed a couple of redirects which remove trailing or duplicate slashes in the URL. They previously always redirected to http:// now they redirect to whatever protocol was used in the original request.


Updated the default log format to something more akin to Nginx's standard output

Prevented requests for favicon.ico being forwarded to Craft. Browsers love them, nobody uses them, resulting in lots of 404s and wasted CPU


Added support for IP blacklist and whitelist, and rate limiting


A few bug fixes related to the new caching mechanism


Updated static caching to use a global cache pool rather than having individual caches per app instance.


Increased default max upload size to 128MB


Added support for domain level redirects


Improved reliability and performance of assets served from Craft's cpresources directory