Skip to content

eliottvincent/vite-plugin-allowed-hosts

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Vite Allowed Hosts

Build Status Version Downloads

Specify a list of hosts that are allowed to access your Vite dev server.

Motivation

By rejecting requests with an unrecognized Host header, this plugin prevents DNS rebinding attacks, which are possible even under many seemingly-safe web server configurations.

In a DNS rebinding attack, an attacker can create a malicious website that makes requests to the development server using the victim’s browser, potentially gaining access to sensitive data or executing unauthorized actions.

Usage

// vite.config.js
import allowedHostsPlugin from "vite-plugin-allowed-hosts";

export default {
  plugins: [
    allowedHostsPlugin({
      hosts: ["acme.com", ".dev.acme.com"]
    })
  ]
}

Options

hosts

  • Type: 'auto' | 'all' | string | string[]

  • Default: 'auto'

    When set to 'auto', it will always allow localhost and server.host.

    When set to 'all', no header check will be done. This is obviously not recommended.

    A value beginning with a period . can be used as a subdomain wildcard. For example, '.acme.com' will match acme.com, www.acme.com, and any other subdomain of acme.com.

    If the Host header doesn't match any value in this list, a 403 Forbidden HTTP error will be returned.

License

vite-plugin-allowed-hosts is released under the MIT License. See the bundled LICENSE file for details.