Kemal is a Fast, Effective, Simple web framework for Crystal.

Hello everyone,

Kemal 1.11.0 is out :tada: This release is focused on security hardening for multipart uploads and WebSocket connections. If you run Kemal in production, upgrading is strongly recommended :shield:

Chunked multipart limits :lock:

Multipart form parsing now respects safer limits for chunked bodies, closing a gap where very large fields could be abused (#748). Thanks @canermastan :pray:

You can cap the size of a single multipart form field (default is 8 MB):

Kemal.config.max_multipart_form_field_size = 8 * 1024 * 1024

Tune this to match your app (file uploads, API payloads, etc.) so legitimate traffic still flows while oversized fields are rejected early.

WebSocket origin validation :globe_with_meridians:

Browsers send an Origin header on WebSocket handshakes. Kemal can now validate that header against an allow list, so connections from unexpected sites are rejected (#749). Thanks @past3l :pray:

Kemal.config.websocket_allowed_origins = ["https://myapp.com", "http://localhost:3000"]

Use your real production origins (and local dev URLs) here. Without configuration, behavior stays compatible with existing apps; set the list when you want strict origin checks.


Full change history and PR links are in the CHANGELOG. Release tag: v1.11.0.

For end-to-end sample apps (blog, JSON API, WebSockets, OAuth, and more), see Kemal by Example on GitHub.

Thanks for using and supporting Kemal. You can help sustain development via GitHub Sponsors :pray:

Happy Crystalling :heart:
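An added example, not from the Kemal project or this announcement: a Python standard-library probe for checking a running server against the WebSocket origin allow list described above. It sends the opening handshake with a chosen Origin and reports the HTTP status. The URL and origins are the caller's own, and the only assumption about the server is that an accepted handshake answers 101 and a refused one does not.

```python
import base64, os, socket, ssl
from urllib.parse import urlsplit

def build_handshake(host, path, origin):
    """RFC 6455 opening handshake; origin=None leaves the Origin header out."""
    key = base64.b64encode(os.urandom(16)).decode()
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Upgrade: websocket",
             "Connection: Upgrade", f"Sec-WebSocket-Key: {key}",
             "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_status(response):
    """Status code from the first response line, or 0 if none was received."""
    parts = response.split(b"\r\n", 1)[0].split()
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0

def handshake_status(url, origin, timeout=5.0):
    """Send one handshake to a ws:// or wss:// URL and return the status code."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "wss" else 80)
    host = u.hostname if u.port is None else f"{u.hostname}:{u.port}"
    with socket.create_connection((u.hostname, port), timeout=timeout) as raw:
        sock = raw
        if u.scheme == "wss":
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(raw, server_hostname=u.hostname)
        sock.sendall(build_handshake(host, u.path or "/", origin))
        buf = b""
        while b"\r\n" not in buf:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    return parse_status(buf)

def check_origins(url, allowed, denied):
    """Return (origin, status) pairs that contradict the intended allow list.
    Assumption: 101 means the server accepted the handshake, anything else
    means it was refused (the exact refusal status is not assumed)."""
    failures = []
    for origin, want_upgrade in [(o, True) for o in allowed] + [(o, False) for o in denied]:
        status = handshake_status(url, origin)
        if (status == 101) != want_upgrade:
            failures.append((origin, status))
    return failures
```

An empty list from `check_origins` means every listed origin was handled as intended. Pass `None` as an origin to see how a handshake with no Origin header is treated, and include near-miss values of each allowed origin (constructed example: `https://myapp.com.other.example`) in `denied`.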