Dev middleware can return HTML for internal Vite asset requests on LAN/IP access when Sec-Fetch-Dest is missing

[Neonsy]

Environment

• Nitro: 3.0.1-20260402-182549-a5a3389c
• Node.js: v24.14.1
• Vite: 8.0.7
• OS: Windows
• Browser: Helium (Chromium-based) 0.10.8.1
• Package manager: pnpm

Reproduction

Relevant setup:

• Using Nitro via nitro/vite inside a Vite dev server
• Public repro currently uses TanStack Start to demonstrate the behavior, but the suspected problem appears to be in Nitro's dev middleware / Vite handoff

https://github.com/Neonsy/tanstack-start-lan-dev-repro

1. pnpm install
2. Run pnpm dev:broken
3. Open http://localhost:3000/feedback/dev-test
4. Open the LAN/IP URL printed by Vite, for example http://192.168.100.27:3000/feedback/dev-test
5. On both pages:
   • click the next-missing button
   • answer both required questions
   • type in the optional textarea
6. Compare behavior

Describe the bug

In dev mode, internal Vite asset/module requests can be handled incorrectly on LAN/IP access when Sec-Fetch-Dest is missing

In the repro:

• localhost works
• the same valid page on the LAN/IP URL SSR-renders but client behavior stays stale
• an internal Vite request returns HTML instead of the expected JavaScript module response

This does not look like app-specific state logic
The same page and route are valid, and the failure only appears when internal dev asset handling differs between localhost and LAN/IP access

Expected:

• internal Vite module requests should still be delegated correctly even when Sec-Fetch-Dest is missing
• localhost and LAN/IP access should behave the same in dev mode

Actual:

• on the failing LAN/IP path, an internal request such as vite/dist/client/env.mjs can return 404 text/html
• hydration-dependent UI then stops behaving correctly because the expected module response was not served

Additional context

The repro includes two modes:

• pnpm dev:broken
• pnpm dev:patched

The patched mode applies a dev-only middleware before Nitro handling that sets:

req.headers["sec-fetch-dest"] = "script"

when the header is missing for obvious internal module requests such as:

• /@vite/client
• /@react-refresh
• /@vite/env
• /@id/*
• /src/*.(css|js|ts|tsx|mjs|cjs|mts|cts)
• /node_modules/* with those extensions

On my machine:

• broken mode:
  • localhost passes
  • LAN/IP fails
  • vite/dist/client/env.mjs returns 404 text/html on the LAN path
• patched mode:
  • localhost passes
  • LAN/IP passes
  • the same internal request returns a JavaScript module response

This makes it look like the bug is in the dev middleware routing / handoff decision when Fetch Metadata headers are missing, rather than in application code

Related downstream report:

• Start dev server can return app HTML for internal Vite assets on LAN/IP access when Sec-Fetch-Dest is missing TanStack/router#7134: same public repro and symptom framing
• [Start] Dev server breaks on IP/Safari: Nitro intercepts $id route modules when Sec-Fetch-Dest header is missing TanStack/router#7095: related case where missing Sec-Fetch-Dest also lets Nitro intercept route module requests containing $id, producing a redirect / 404 instead of a JS module response

Note

This issue derived from my issue, placed on the tanstack repo

Logs

[denishamann]

Confirming this from a different angle: iOS Safari on LAN IP against a TanStack Start app.

Bisected: 3.0.260311-beta OK → 3.0.260415-beta KO. The regressing change is the new isNitroRoute check in nitroDevMiddlewarePre (dist/vite.mjs:282):

const isNitroRoute = ext
  ? !!nitro.routing.routes.match(req.method || "", ...)
  : false;

With any SSR catchall registered (TanStack Start's /**, Nuxt, SolidStart…), every .ext URL now matches isNitroRoute=true. When the request lacks Sec-Fetch-Dest (iOS Safari < 16.4, webviews) or carries sec-fetch-dest: empty (any dynamic asset import()), Nitro intercepts and 404s.

One extra gotcha for the proposed header-injection workaround: it's keyed on /src/* and /node_modules/* prefixes, so it misses user-defined asset roots. In my app, import.meta.glob("/docs/user/**/*.md", { query: "?raw", eager: true }) fetches .md?raw modules that still 404 after the workaround.

Our local fix for now (pnpm patch): revert to pre-260415 behavior. Any URL with an extension falls through to Vite unconditionally. Simpler than a denylist (first bitten by .mjs, then .md), and we don't register Nitro routes with extensions anyway.

[Neonsy]

One extra gotcha for the proposed header-injection workaround: it's keyed on /src/* and /node_modules/* prefixes, so it misses user-defined asset roots.

Yeah, I did find that out later through fonts 😂