diff --git a/README.md b/README.md
index 998bd094..c08535d4 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ built in Norway 🇳🇴 with contributions from [not-norway](https://github.com
         * [ssdp](#ssdp) - windows-explorer announcer
     * [qr-code](#qr-code) - print a qr-code [(screenshot)](https://user-images.githubusercontent.com/241032/194728533-6f00849b-c6ac-43c6-9359-83e454d11e00.png) for quick access
     * [ftp server](#ftp-server) - an FTP server can be started using `--ftp 3921`
+    * [sftp server](#sftp-server) - goes roughly 700 MiB/s (slower than webdav and ftp)
     * [webdav server](#webdav-server) - with read-write support
         * [connecting to webdav from windows](#connecting-to-webdav-from-windows) - using the GUI
     * [tftp server](#tftp-server) - a TFTP server (read/write) can be started using `--tftp 3969`
@@ -126,7 +127,7 @@ built in Norway 🇳🇴 with contributions from [not-norway](https://github.com
 * [iOS shortcuts](#iOS-shortcuts) - there is no iPhone app, but
 * [performance](#performance) - defaults are usually fine - expect `8 GiB/s` download, `1 GiB/s` upload
     * [client-side](#client-side) - when uploading files
-* [security](#security) - there is a [discord server](https://discord.gg/25J8CdTT6G)
+* [security](#security) - there is a [discord server](https://discord.gg/25J8CdTT6G) with announcements
     * [gotchas](#gotchas) - behavior that might be unexpected
     * [cors](#cors) - cross-site request config
     * [filekeys](#filekeys) - prevent filename bruteforcing
@@ -138,7 +139,7 @@ built in Norway 🇳🇴 with contributions from [not-norway](https://github.com
         * [firefox wsod](#firefox-wsod) - firefox 87 can crash during uploads
 * [HTTP API](#HTTP-API) - see [devnotes](./docs/devnotes.md#http-api)
 * [dependencies](#dependencies) - mandatory deps
-    * [optional dependencies](#optional-dependencies) - install these to enable bonus features
+    * [optional dependencies](#optional-dependencies) - enable bonus features
         * [dependency chickenbits](#dependency-chickenbits) - prevent loading an optional dependency
         * [dependency unvendoring](#dependency-unvendoring) - force use of system modules
     * [optional gpl stuff](#optional-gpl-stuff)
@@ -236,12 +237,12 @@ you may also want these, especially on servers:
 
 and remember to open the ports you want; here's a complete example including every feature copyparty has to offer:
 ```
-firewall-cmd --permanent --add-port={80,443,3921,3923,3945,3990}/tcp  # --zone=libvirt
+firewall-cmd --permanent --add-port={80,443,3921,3922,3923,3945,3990}/tcp  # --zone=libvirt
 firewall-cmd --permanent --add-port=12000-12099/tcp  # --zone=libvirt
 firewall-cmd --permanent --add-port={69,1900,3969,5353}/udp  # --zone=libvirt
 firewall-cmd --reload
 ```
-(69:tftp, 1900:ssdp, 3921:ftp, 3923:http/https, 3945:smb, 3969:tftp, 3990:ftps, 5353:mdns, 12000:passive-ftp)
+(69:tftp, 1900:ssdp, 3921:ftp, 3922:sftp, 3923:http/https, 3945:smb, 3969:tftp, 3990:ftps, 5353:mdns, 12000:passive-ftp)
 
 
 ## features
@@ -1494,7 +1495,7 @@ unsafe, slow, not recommended for wan,  enable with `--smb` for read-only or `--
 
 click the [connect](http://127.0.0.1:3923/?hc) button in the control-panel to see connection instructions for windows, linux, macos
 
-dependencies: `python3 -m pip install --user -U impacket==0.11.0`
+dependencies: `python3 -m pip install --user -U impacket==0.13.0`
 * newer versions of impacket will hopefully work just fine but there is monkeypatching so maybe not
 
 some **BIG WARNINGS** specific to SMB/CIFS, in decreasing importance:
@@ -2849,7 +2850,7 @@ when uploading files,
 
 # security
 
-there is a [discord server](https://discord.gg/25J8CdTT6G)  with an `@everyone` for all important updates (at the lack of better ideas)
+there is a [discord server](https://discord.gg/25J8CdTT6G) with announcements  ; an `@everyone` for all important updates (at the lack of better ideas)
 
 some notes on hardening
 
@@ -3010,7 +3011,7 @@ mandatory deps:
 
 ## optional dependencies
 
-install these to enable bonus features
+enable bonus features  by installing these python-packages from pypi or so:
 
 enable [hashed passwords](#password-hashing) in config: `argon2-cffi`
 
@@ -3018,6 +3019,8 @@ enable [ftp-server](#ftp-server):
 * for just plaintext FTP, `pyftpdlib` (is built into the SFX)
 * with TLS encryption, `pyftpdlib pyopenssl`
 
+enable [sftp-server](#sftp-server): `paramiko`
+
 enable [music tags](#metadata-from-audio-files):
 * either `mutagen` (fast, pure-python, skips a few tags, makes copyparty GPL? idk)
 * or `ffprobe` (20x slower, more accurate, possibly dangerous depending on your distro and users)
@@ -3032,7 +3035,7 @@ enable [thumbnails](#thumbnails) of...
 
 enable sending [zeromq messages](#zeromq) from event-hooks: `pyzmq`
 
-enable [smb](#smb-server) support (**not** recommended): `impacket==0.12.0`
+enable [smb](#smb-server) support (**not** recommended): `impacket==0.13.0`
 
 `pyvips` gives higher quality thumbnails than `Pillow` and is 320% faster, using 270% more ram
 * to install `pyvips` on Linux: `sudo apt install libvips42 && python3 -m pip install --user -U pyvips`
diff --git a/bin/u2c.py b/bin/u2c.py
index 28ca4c62..dd97784c 100755
--- a/bin/u2c.py
+++ b/bin/u2c.py
@@ -1,8 +1,8 @@
 #!/usr/bin/env python3
 from __future__ import print_function, unicode_literals
 
-S_VERSION = "2.17"
-S_BUILD_DT = "2025-12-16"
+S_VERSION = "2.18"
+S_BUILD_DT = "2026-01-02"
 
 """
 u2c.py: upload to copyparty
diff --git a/contrib/package/rpm/copyparty.spec b/contrib/package/rpm/copyparty.spec
index 0435fe59..69ac26ee 100644
--- a/contrib/package/rpm/copyparty.spec
+++ b/contrib/package/rpm/copyparty.spec
@@ -10,7 +10,7 @@ BuildArch:      noarch
 BuildRequires:  python3, python3-devel, pyproject-rpm-macros, python-setuptools, python-wheel, make
 Requires:       python3, (python3-jinja2 or python-jinja2), lsof
 Recommends:     ffmpeg, (golang-github-cloudflare-cfssl or cfssl), python-mutagen, python-pillow, python-pyvips
-Recommends:     qm-vamp-plugins, python-argon2-cffi, (python-pyopenssl or pyopenssl), python-impacket
+Recommends:     qm-vamp-plugins, python-argon2-cffi, (python-pyopenssl or pyopenssl), python-paramiko, python-impacket
 
 %description
 Portable file server with accelerated resumable uploads, dedup, WebDAV, SFTP, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps
diff --git a/copyparty/__version__.py b/copyparty/__version__.py
index b2dd60a9..c773bd66 100644
--- a/copyparty/__version__.py
+++ b/copyparty/__version__.py
@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 19, 23)
-CODENAME = "usernames"
-BUILD_DT = (2025, 12, 17)
+VERSION = (1, 20, 0)
+CODENAME = "sftp is fine too"
+BUILD_DT = (2026, 1, 2)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)
diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index b341c954..bd089bdc 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -1915,7 +1915,7 @@ class AuthSrv(object):
             vol.all_vps.sort(key=lambda x: len(x[0]), reverse=True)
             vol.root = vfs
 
-        zs = "neversymlink du_iwho"
+        zs = "du_iwho ls_q_m neversymlink"
         k_ign = set(zs.split())
         for vol in vfs.all_vols.values():
             unknown_flags = set()
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index ad501906..e58867c4 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -6321,6 +6321,7 @@ class HttpCli(object):
 
         fn = quotep(fns[0]) if len(fns) == 1 else ""
 
+        # NOTE: several clients (frontend, party-up) expect url at response[15:]
         surl = "created share: %s://%s%s%s%s/%s" % (
             "https" if self.is_https else "http",
             self.host,
diff --git a/copyparty/web/browser.css b/copyparty/web/browser.css
index a3ef0868..53b59bff 100644
--- a/copyparty/web/browser.css
+++ b/copyparty/web/browser.css
@@ -4129,6 +4129,7 @@ html.e #detree {
 #rcm {
 	position: absolute;
 	display: none;
+	background: #fff;
 	background: var(--bg);
 	border: 1px solid var(--bg-u3);
 	outline: none;
diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js
index cd5ac471..ee39984b 100644
--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
@@ -648,7 +648,7 @@ if (1)
 		"rc_opn": "open",
 		"rc_ply": "play",
 		"rc_pla": "play as audio",
-		"rc_txt": "open in text file viewer",
+		"rc_txt": "open in textfile viewer",
 		"rc_md": "open in text editor",
 		"rc_dl": "download",
 		"rc_zip": "download as archive",
diff --git a/docs/changelog.md b/docs/changelog.md
index 6c352b97..8a9beb6c 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,31 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2025-1217-0014  `v1.19.23`  bad apple x2
+
+## 🧪 new features
+
+* #1080 new translation: Vietnamese (thx @thatfrozenfrog and @khoidauminh!) b60eb3f0 d4a9787c
+* #1110 add option `xf-proto-fb` to support reverseproxies which do not provide an `x-forwarded-proto` header 9c64788d
+  * and improve the rproxy config guidance message in the serverlog c8f3b4ef
+  * and show a warning in the controlpanel if misconfiguration is detected c8f3b4ef
+* #1109 add option `--ipar`, reverseproxy-aware alternative to `--ipa` 33684219
+  * its purpose is rejecting connections from unexpected/unwanted IPs/subnets
+* option `idp-chsub` can be used to replace spaces in IdP usernames/groupnames 5e1d9a58 
+* #1029 indicate password max-length in ui 8d46cf18
+  * thx to @grantbacon for the initial take!
+
+## 🩹 bugfixes
+
+* #1111 apple gave us coal for xmas this year 0b6d2d24
+  * workaround for a new bug in safari (iOS and Macos) where it would randomly show a login-popup
+* #1113 the `@acct` group was unavailable in groupless IdP setups b6c2ec15
+
+## 🌠 fun facts
+
+* speaking of current events, @stackxp made copyparty [bad-apple-certified](https://copyparty.eu/bad-apple.mp4) a little while back :grin:
+  * the plugin is [available here](https://github.com/stackxp/copyparty-badapple)
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-1214-2304  `v1.19.22`  merikuri