I would absolutely advocate for re-adding X-Content-Type-Options: nosniff as long as we don't have a way to set headers directly in the Security Settings of Cloudron Apps (like we can with CSP headers). That header still provides meaningful protection against MIME-sniffing attacks and has widespread browser support. Afaik, X-Permitted-Cross-Domain-Policies is still used by Acrobat (which is unfortunately far from dead), but I agree it's fair to remove it from the default configuration since it's an edge-case.

Bump! Please upvote if you think a configureable timeout for Cloudron SSO would add value to the platform. Currently I am using PIN code verification via Cloudflare Access as a workaround, but ofcourse this only works if the domain is proxied by Cloudflare.

@james said: @robi said: It would be nice if they could be hosted by the local registry app. The docker images? That should already work and is close to my above suggestion with a private registry. You'd just need to configure the docker registry in the Cloudron dashboard under /#/docker. I believe what @robi meant is to be able to store the CloudronVersions.json in a registry, much like what authentik does with blueprints.

@girish That is fantastic news, looking forward to it. thank you cloudron team!

Hello @tobiasb Good suggestion. I ask myself, is the manifest the correct singular location for this config? Maybe we set the initial value via the manifest but also allow a custom value in the service overview from the dashboard. But at least adding this to the manifest should be doable.

The obvious is Vercel dev'd app self hosted here.

@timconsidine you can toggle visibillity for apps that have their own user management. If you use an SSO app, there is "user management" which manages access (and therefore an visible dashboard icon) but "dashboard visibility" is missing from the menu. Its well explained in the documentation. I guess what you could do is remove access for an user (within Cloudron), put the user inside a group X that has no access to said app and set up SSO manually within the app to grant access to users within group X. Basically, I want the "dashboard visibility" options to be available for all apps. To not make Cloudrons UI confusing, a "Hide for non admins/operators" checkbox would be fine.

@girish , is this perhaps something we can consider adding in one of the next updates? This would be greatly beneficial to be able to specify the IP address for outbound traffic in Cloudron (at least for the mail container but maybe all containers in one setting might be better for some people, not too sure what the best approach is). I found a couple of other related topics so it seems like there is a need for this. I think my solution should still work but likely just needs to be adapted by Cloudron to be more built-in with a GUI to set the outbound traffic IP (or maybe just have it default to the IP set in the Network page by default as I suspect the DNS record IP would be the same IP outbound traffic would be desired). Other related topics I found: https://forum.cloudron.io/post/108717 (Haraka config for controlling outbound SMTP interface) https://forum.cloudron.io/post/81114 (SMTP using wrong IP address on interface with multiple addresses) (admittedly this one is a post I made myself before, lol)

I use the darkreader plugin for sites that don't have dark mode and have it set on a schedule. Sometimes it makes text hard to read as it gets the color inversion wrong, but overall it's pretty good. https://darkreader.org/ You can easily disable it for certain sites with a single click (marked in red). The on/off buttons are for the entire plugin. The "configure automation" is where you set the schedule. [image: 1773852264553-7703688b-119f-42df-a8b4-f54dac6f40b8-image.jpeg]

My storage is limited, so I keep fewer backups. I almost always click "Skip Backup" since I prefer manually backing things up. Since so much is manual, I tend to lose track of which might have been backed up recently. So, then I need to click on the Backups, wait for that to load, see when the most recent one was and if it's worth skipping the backup again or if I need to back up. If I need to back up, I actually also almost always do that separate from the Update process. Why? In the past it sometimes times out, or fails, or just something goes wonky. Is it my system? Maybe? But this is what I'm working with. After that back up I then need to click on Updates and finally update. So, it would save me some time to hover over Backups and see when the most recent one is.

This was probably a dup of https://forum.cloudron.io/topic/9944/please-separate-automatic-apps-and-platform-upgrades/

Implemented in https://git.cloudron.io/platform/box/-/commit/f334c696cbce9028354e05bc9898557cbb469a60

These are implemented as backupCommand and restoreCommand

This is roughly implemented as community packages - https://docs.cloudron.io/packaging/publishing/

I’m thinking the same as @robi. I tried asking Google Gemini to propose a design that surfaces key actions like Start, Stop, Restart, and Retry Task. Directly on the main page, so we don’t have to open the app just to access them. Grid view: [image: Google-Gemini-03-16-2026-08-00-AM.png] List View: [image: Google-Gemini-03-16-2026-07-58-AM.png]

@girish said: @CaeruleusAqua are you asking about custom bcc feature or custom haraka plugin? Custom haraka plugins won't be supported, this is not on the roadmap. Bcc feature might be. For 9.2, it will be primarily a mail feature release. looking forward to 9.2 now