-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Node 18.18.2 : unable to override the Host header in fetch #50305
Comments
|
@panva @mcollina as i also mentioned in nodejs/undici#2318 (comment), there are there are valid usecases for setting the host header on a request in Node.js environment. We are running into this issue when upgrading from Node 18.17.1 to Node 20.8.1, as the host header doesn't seem to be passed along to the application anymore (thus, breaking the integration). Is this really the desired behavior? Is there a workaround to still allow setting the |
TL;DR, you'll have a much better production experience anyway. |
Thanks for your response @mcollina, but this is not really what i would have expected. I also think that using a Another question; isn't |
Decided to use |
have run into the same issue here, where I need to work with an API, that required the host header to be set for the Authentication to work, e.g.: this used to work fine with previous versions, but now since I cannot overide the host header anymore, this fails with the built-in fetch, which is a bit of a bummer. would be nice to have a way to do this with the built-in fetch in the future again |
Following nodejs/undici#2369 (comment), using fetch is not advocated for backend development. Undici.request is the advised approach. |
fetch API and behavior was defined as a API in end-user browser level JavaScript applications. For this use-case the host header must fit to the domain name used for DNS based IP retrieval. That closes some security concerns in combination with Script injection etc. When you have to implement backend components like content inspection & security scanning that you face the situation that you like to pass the host header "as is" to a backend server(having an internal domain name). We don't need 2 libraries just 2 different behaviors. |
I have the similar issue. My backend server#1 needs to call the backend server#2 by IP/hostname since the server#2 is a multi-tenant. Not allowing Personally I am Ok to use However, server#1 is for Nextjs which patches For de-dup, it is Ok since I do not use it that much. For caching, it is also probably Ok because Nextjs' handling of caching does not make sense anyway: whether or not caching should not be decided by the request-side; the request-side should simply respect the So the question is, by default, does |
Facing the same issue for our local reverse proxy, since we switch from node-fetch to native fetch :( E.g. in
All go through the same reverse proxy client, but based on the Host header we can determine on which domain the user is based. @paulrutter it's weird to force backend people to use a different fetch package, just because of the Host override. |
See nodejs/undici#2369 (comment) for more details. |
Aye I've read it, but it feels weird to add a library just because of the different Host header library. What about a check if it's in the browser or not? Only override the header if it's browser-side. And it is pretty confusing to see the Host header not working... |
I agree with you on that, but got the same response several times, so decided to move to undici (which works fine, and is still the library behind fetch). |
Version
v18.18.2
Platform
Linux hostname 5.15.131-1-MANJARO #1 SMP PREEMPT Thu Sep 7 11:05:18 UTC 2023 x86_64 GNU/Linux
Subsystem
No response
What steps will reproduce the bug?
run this code
The test works successfullty with v18.18.0 & v18.18.0
How often does it reproduce? Is there a required condition?
ive run the tests numerous times
the only condition I know is to run with v18.18.2
What is the expected behavior? Why is that the expected behavior?
Host
tofoo.postman-echo.com
Headercurl -H 'Host: foobar.com' https://postman-echo.com/get
What do you see instead?
Additional information
The text was updated successfully, but these errors were encountered: