diff --git a/.github/instructions/ARCHITECTURE.instructions.md b/.github/instructions/ARCHITECTURE.instructions.md
index b60eedda..d1881e81 100644
--- a/.github/instructions/ARCHITECTURE.instructions.md
+++ b/.github/instructions/ARCHITECTURE.instructions.md
@@ -126,7 +126,7 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.1 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 6a06bb9e..06b5cf43 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -727,7 +727,7 @@
         {
             "label": "Security: Caddy PR-1 Compatibility Matrix",
             "type": "shell",
-            "command": "cd /projects/Charon && bash scripts/caddy-compat-matrix.sh --candidate-version 2.11.1 --patch-scenarios A,B,C --platforms linux/amd64,linux/arm64 --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health --output-dir test-results/caddy-compat --docs-report docs/reports/caddy-compatibility-matrix.md",
+            "command": "cd /projects/Charon && bash scripts/caddy-compat-matrix.sh --candidate-version 2.11.2 --patch-scenarios A,B,C --platforms linux/amd64,linux/arm64 --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health --output-dir test-results/caddy-compat --docs-report docs/reports/caddy-compatibility-matrix.md",
             "group": "test",
             "problemMatcher": []
         },
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
index 52387d26..4a5f57b8 100644
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -126,7 +126,7 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.1 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
diff --git a/Dockerfile b/Dockerfile
index 5715226f..a7838d97 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,9 +14,9 @@ ARG BUILD_DEBUG=0
 # avoid accidentally pulling a v3 major release. Renovate can still update
 # this ARG to a specific v2.x tag when desired.
 ## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
-## If the requested tag isn't available, fall back to a known-good v2.11.1 build.
-ARG CADDY_VERSION=2.11.1
-ARG CADDY_CANDIDATE_VERSION=2.11.1
+## If the requested tag isn't available, fall back to a known-good v2.11.2 build.
+ARG CADDY_VERSION=2.11.2
+ARG CADDY_CANDIDATE_VERSION=2.11.2
 ARG CADDY_USE_CANDIDATE=0
 ARG CADDY_PATCH_SCENARIO=B
 # renovate: datasource=go depName=github.com/greenpau/caddy-security
diff --git a/docs/reports/caddy-compatibility-matrix.md b/docs/reports/caddy-compatibility-matrix.md
index 15f104a4..6a4a5671 100644
--- a/docs/reports/caddy-compatibility-matrix.md
+++ b/docs/reports/caddy-compatibility-matrix.md
@@ -1,7 +1,7 @@
 # PR-1 Caddy Compatibility Matrix Report
 
 - Generated at: 2026-02-23T13:52:26Z
-- Candidate Caddy version: 2.11.1
+- Candidate Caddy version: 2.11.2
 - Plugin set: caddy-security,coraza-caddy,caddy-crowdsec-bouncer,caddy-geoip2,caddy-ratelimit
 - Smoke set: boot_caddy,plugin_modules,config_validate,admin_api_health
 - Matrix dimensions: patch scenario × platform/arch × checked plugin modules
diff --git a/docs/reports/caddy-security-posture.md b/docs/reports/caddy-security-posture.md
index 893e6d55..d733f1dc 100644
--- a/docs/reports/caddy-security-posture.md
+++ b/docs/reports/caddy-security-posture.md
@@ -2,7 +2,7 @@
 
 - Date: 2026-02-23
 - Scope: PR-2 only (security patch posture + xcaddy patch retirement decision)
-- Upstream target: Caddy 2.11.x line (`2.11.1` candidate in this repository)
+- Upstream target: Caddy 2.11.x line (`2.11.2` candidate in this repository)
 - Inputs:
   - PR-1 compatibility matrix: `docs/reports/caddy-compatibility-matrix.md`
   - Plan authority: `docs/plans/current_spec.md`
diff --git a/scripts/caddy-compat-matrix.sh b/scripts/caddy-compat-matrix.sh
index bdc51524..4ec561de 100755
--- a/scripts/caddy-compat-matrix.sh
+++ b/scripts/caddy-compat-matrix.sh
@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-readonly DEFAULT_CANDIDATE_VERSION="2.11.1"
+readonly DEFAULT_CANDIDATE_VERSION="2.11.2"
 readonly DEFAULT_PATCH_SCENARIOS="A,B,C"
 readonly DEFAULT_PLATFORMS="linux/amd64,linux/arm64"
 readonly DEFAULT_PLUGIN_SET="caddy-security,coraza-caddy,caddy-crowdsec-bouncer,caddy-geoip2,caddy-ratelimit"
@@ -33,7 +33,7 @@ Usage: scripts/caddy-compat-matrix.sh [options]
 Options:
   --output-dir <path>         Output directory (default: test-results/caddy-compat)
   --docs-report <path>        Markdown report path (default: docs/reports/caddy-compatibility-matrix.md)
-  --candidate-version <ver>   Candidate Caddy version (default: 2.11.1)
+  --candidate-version <ver>   Candidate Caddy version (default: 2.11.2)
   --patch-scenarios <csv>     Patch scenarios CSV (default: A,B,C)
   --platforms <csv>           Platforms CSV (default: linux/amd64,linux/arm64)
   --plugin-set <csv>          Plugin set descriptor for report metadata