Added
-
In-memory search result cache: Repeated
searxng_web_searchcalls with identical arguments are now served from a per-process cache instead of re-querying the instance, mirroring the existing URL-reader cache. The cache key is a SHA-256 of the tool name plus the search arguments canonicalized with sorted object keys, so semantically identical requests hit the same entry regardless of argument order, while any change to the query or parameters caches separately. Two new variables tune it:SEARCH_CACHE_TTL_MS(default86400000, 24 hours) sets the entry lifetime, andSEARCH_CACHE_MAX_ENTRIES(default200) caps the cache, evicting the least-frequently-used entry first with the oldest entry as the tie-breaker. Invalid or non-positive values fall back to the defaults. (FEAT-008, #164) -
Per-instance HTTP Basic Auth from
SEARXNG_URLuserinfo: Credentials can now be embedded directly in eachSEARXNG_URLentry (https://user:pass@host), and each semicolon-separated replica carries its own credentials — so a mixed deployment of one auth-gated private instance and one public instance no longer sends the private credentials to the public host. The legacy globalAUTH_USERNAME/AUTH_PASSWORDvariables are now a fallback used only for entries that have no userinfo, preserving existing single-instance setups. Percent-encode special characters in the username or password (for example, writep@ssasp%40ss). (FEAT-049, #160) -
SEARCH_USER_AGENToverride for SearXNG-instance requests: A new per-groupSEARCH_USER_AGENTvariable sets theUser-Agentfor all SearXNG-instance traffic —searxng_web_search,/configcapability discovery, and search suggestions — independently of theweb_url_readgroup'sURL_READER_USER_AGENT. Both groups fall back toUSER_AGENTwhen unset, and if neither the group override norUSER_AGENTis set, noUser-Agentheader is added. (FEAT-050, #150)
Fixed
-
Basic Auth and custom CA certs now applied on every SearXNG endpoint:
SEARXNG_URLBasic Auth credentials and theNODE_EXTRA_CA_CERTScustom CA bundle were previously honored on the main search request but not on the/configcapability-discovery and/autocompletersuggestion fetches, so those two paths failed against auth-gated or custom-CA instances. All three now go through the same authenticated, TLS-aware request path. A follow-up also fixes Windows, where settingNODE_EXTRA_CA_CERTShad dropped the bundled Mozilla root store instead of adding to it. (#152) -
Clearer "content too large" message from
web_url_read: When a page exceeds the size limit, the error now reports the size with an explicit, unambiguous unit and gives accurate advice for narrowing the request, replacing the earlier misleading wording. (#148)
Security
SEARXNG_URLuserinfo redacted in the config resource: Now that credentials can be embedded per instance, theconfigMCP resource redacts anyuser:pass@userinfo from the reported instance URLs, and thehasAuthindicator is userinfo-aware so it reflects embedded credentials as well as the legacyAUTH_USERNAME/AUTH_PASSWORDvariables — keeping embedded secrets out of client-visible configuration output.
Contributors
- @wchy1128 - #152 fix(auth+tls): Basic Auth on /config and /autocompleter; honor NODE_EXTRA_CA_CERTS everywhere
Full Changelog: v1.10.1...v1.11.0