> ## Documentation Index
> Fetch the complete documentation index at: https://figranium.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Changelog

> Product updates and new features in Figranium.

Stay up to date with the latest changes to Figranium. For documentation changes, see the source repository directly.

<Update label="2026-06-29" description="This week">
  ## Updates

  ### Expanded PostgreSQL storage

  PostgreSQL is now a first-class backend for nearly all Figranium configuration, not just tasks and logs.

  * **More data in Postgres**: proxy configuration, saved credentials, AI model selections, and Ollama API keys are now persisted in the database when `DB_TYPE=postgres`.
  * **SSL support**: a new `DB_POSTGRESDB_SSL=true` environment variable enables encrypted connections to managed Postgres providers (RDS, Cloud SQL, Supabase, Neon, etc.).
  * **Longer API keys**: API key columns are now `TEXT` instead of `VARCHAR(255)`, and existing tables are migrated automatically on startup.
  * **Graceful fallback**: if the database is unreachable at startup, Figranium falls back to file-based storage.

  See [PostgreSQL Support](/database-support) for the full configuration reference.

  ### Expanded SSRF protection

  The default SSRF blocklist now covers a much broader set of internal and reserved network addresses, hardening Figranium against requests that target internal infrastructure.

  * **More IPv4 ranges blocked by default**: in addition to RFC 1918 private ranges and loopback, Figranium now blocks IETF protocol assignments (`192.0.0.0/24`), TEST-NET ranges, benchmarking (`198.18.0.0/15`), shared CGN space (`100.64.0.0/10`), multicast, and other reserved space.
  * **Full IPv6 coverage**: loopback (`::1/128`), unique local (`fc00::/7`), link-local (`fe80::/10`), unspecified, and multicast ranges are blocked.
  * **Hostname blocking**: `localhost`, `*.localhost`, and `host.docker.internal` are blocked unless `ALLOW_PRIVATE_NETWORKS=true`.
  * **Proxy server validation**: proxy URLs added through Settings or the API are validated against the same blocklist. Invalid entries are rejected with `INVALID_URL`, and bulk imports fail atomically if any entry is unsafe.
  * **Ollama URL validation**: Ollama base URLs are validated both at save time and again at request time, with every redirect hop re-checked and sensitive headers stripped on cross-origin redirects.
  * **Output provider credentials**: `baseUrl` values (e.g. Baserow) are validated when credentials are saved, rejecting unsafe URLs with `INVALID_BASE_URL`.
  * **Redirect protection**: outbound webhook and output provider requests now validate every hop in an HTTP 3xx chain (up to 5 redirects).

  What this means for you: if you previously pointed Figranium at a service on `localhost`, `host.docker.internal`, or any private network, you'll need to set `ALLOW_PRIVATE_NETWORKS=true` for local development. Production deployments are protected by default with no configuration required.

  See [Security](/security) for the full list of blocked ranges and configuration details.

  ### Gemini API key transport

  Gemini API keys are now sent via the `x-goog-api-key` HTTP header instead of the `?key=` query parameter, preventing keys from leaking through server access logs, reverse-proxy logs, or `Referer` headers. No configuration is required.

  If you previously relied on the `?key=` form for log inspection or proxy filtering, update your tooling accordingly.
</Update>
