Caddy 0.10.8 contains a possible security fix reported by @slashman (username checks out) and I recommend upgrading if you use any directives that specify protected zones using a URI path.
Here are the release notes: https://github.com/mholt/caddy/releases/tag/v0.10.8
Plugin authors: please make sure your plugin uses Path.Matches() in the httpserver package to compare paths when checking if your handler should handle a request. (Applies to middleware that require comparing the base paths of requests.)