Security: Vite Server Configured with Overly Permissive Host Settings#261
Conversation
Multiple Vite configuration files (vite.config.js) have 'allowedHosts: true' which allows all hosts, and server host set to '0.0.0.0'. This could expose the development server to external networks and potentially allow DNS rebinding attacks or unauthorized access to the development environment. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
There was a problem hiding this comment.
Code Review
This pull request updates the Vite server configuration in addons/selkies-web-core/vite.config.js to restrict the host to 127.0.0.1 and specify allowed hosts. The reviewer pointed out that explicitly defining allowedHosts is redundant and potentially restrictive when host is set to 127.0.0.1, as Vite 6 automatically handles loopback restrictions by default.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| host: '127.0.0.1', | ||
| allowedHosts: ['localhost', '127.0.0.1'], |
There was a problem hiding this comment.
Specifying allowedHosts explicitly is redundant when host is set to '127.0.0.1'. By default, Vite 6 automatically restricts allowed hosts to localhost and loopback IP addresses (including IPv6 loopback ::1) when allowedHosts is omitted. Explicitly defining this array is unnecessary and could potentially block other valid loopback addresses.
| host: '127.0.0.1', | |
| allowedHosts: ['localhost', '127.0.0.1'], | |
| host: '127.0.0.1', |
|
Incorporated into #254. |
Summary
Security: Vite Server Configured with Overly Permissive Host Settings
Problem
Severity:
Medium| File:addons/selkies-web-core/vite.config.js:L7Multiple Vite configuration files (vite.config.js) have 'allowedHosts: true' which allows all hosts, and server host set to '0.0.0.0'. This could expose the development server to external networks and potentially allow DNS rebinding attacks or unauthorized access to the development environment.
Solution
Restrict allowedHosts to specific trusted domains instead of allowing all hosts. Use environment-specific configurations to only allow broad access in development, never in production. Consider using a reverse proxy with proper host validation for production deployments.
Changes
addons/selkies-web-core/vite.config.js(modified)