fix: set x-forwarded-host based on request

[tmilewski]

Co-authored-by: @BRKalow bryce@clerk.dev

What?

A number of our customers have been experiencing issues stemming from an x-forwarded-host header that doesn't match the host header.

Why?

This PR removes functionality which sets x-forwarded-host to req.headers['host'] and relies solely on the server's hostname and port.

This can be seen locally when visiting the app via a localhost subdomain.

The x-forwarded-host header will remain as localhost:${port} while the actual requested host will contain the subdomain.

Related

• fix: correctly set x-forwarded-* in Middleware #57815 (comment)

[eyn]

Closed #58399 in favour of this PR as it has test cases

[controversial]

Note that this change addresses currently broken behavior that renders Server Actions unusable in dev mode for subdomains of localhost

Right now (14.0.2–14.0.3), calling any server action from abc.localhost:3000 will fail with a “Host doesn’t match Origin” error (because x-forwarded-host is being set incorrectly)

[controversial]

Maybe @balazsorban44 can review this PR, as the author of #57815

[ijjk]

Stats from current PR

Default Build

General

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
buildDuration	10.3s	10.4s	N/A
buildDurationCached	6s	6.2s	⚠️ +202ms
nodeModulesSize	199 MB	199 MB	N/A
nextStartRea..uration (ms)	398ms	420ms	N/A

Client Bundles (main, webpack)

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
199-HASH.js gzip	29.2 kB	29.2 kB	N/A
3f784ff6-HASH.js gzip	53.3 kB	53.3 kB	N/A
494.HASH.js gzip	180 B	181 B	N/A
framework-HASH.js gzip	45.2 kB	45.2 kB	✓
main-app-HASH.js gzip	241 B	240 B	N/A
main-HASH.js gzip	31.7 kB	31.8 kB	N/A
webpack-HASH.js gzip	1.7 kB	1.7 kB	✓
Overall change	46.9 kB	46.9 kB	✓

Legacy Client Bundles (polyfills)

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
polyfills-HASH.js gzip	31 kB	31 kB	✓
Overall change	31 kB	31 kB	✓

Client Pages

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
_app-HASH.js gzip	194 B	195 B	N/A
_error-HASH.js gzip	182 B	181 B	N/A
amp-HASH.js gzip	504 B	506 B	N/A
css-HASH.js gzip	322 B	323 B	N/A
dynamic-HASH.js gzip	2.5 kB	2.5 kB	✓
edge-ssr-HASH.js gzip	253 B	255 B	N/A
head-HASH.js gzip	348 B	347 B	N/A
hooks-HASH.js gzip	369 B	368 B	N/A
image-HASH.js gzip	4.3 kB	4.3 kB	N/A
index-HASH.js gzip	256 B	256 B	✓
link-HASH.js gzip	2.65 kB	2.65 kB	N/A
routerDirect..HASH.js gzip	311 B	311 B	✓
script-HASH.js gzip	384 B	383 B	N/A
withRouter-HASH.js gzip	307 B	308 B	N/A
1afbb74e6ecf..834.css gzip	106 B	106 B	✓
Overall change	3.17 kB	3.17 kB	✓

Client Build Manifests

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
_buildManifest.js gzip	486 B	484 B	N/A
Overall change	0 B	0 B	✓

Rendered Page Sizes

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
index.html gzip	528 B	526 B	N/A
link.html gzip	542 B	542 B	✓
withRouter.html gzip	524 B	521 B	N/A
Overall change	542 B	542 B	✓

Edge SSR bundle Size

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
edge-ssr.js gzip	92.6 kB	92.6 kB	N/A
page.js gzip	145 kB	145 kB	N/A
Overall change	0 B	0 B	✓

Middleware size

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
middleware-b..fest.js gzip	624 B	626 B	N/A
middleware-r..fest.js gzip	150 B	151 B	N/A
middleware.js gzip	24.8 kB	24.8 kB	N/A
edge-runtime..pack.js gzip	1.92 kB	1.92 kB	✓
Overall change	1.92 kB	1.92 kB	✓

Next Runtimes

	vercel/next.js canary	tmilewski/next.js fix/x-forwarded-headers-middleware-host	Change
app-page-exp...dev.js gzip	167 kB	167 kB	✓
app-page-exp..prod.js gzip	93.3 kB	93.3 kB	✓
app-page-tur..prod.js gzip	94.1 kB	94.1 kB	✓
app-page-tur..prod.js gzip	88.7 kB	88.7 kB	✓
app-page.run...dev.js gzip	137 kB	137 kB	✓
app-page.run..prod.js gzip	88 kB	88 kB	✓
app-route-ex...dev.js gzip	23.8 kB	23.8 kB	✓
app-route-ex..prod.js gzip	16.4 kB	16.4 kB	✓
app-route-tu..prod.js gzip	16.4 kB	16.4 kB	✓
app-route-tu..prod.js gzip	16 kB	16 kB	✓
app-route.ru...dev.js gzip	23.2 kB	23.2 kB	✓
app-route.ru..prod.js gzip	16 kB	16 kB	✓
pages-api-tu..prod.js gzip	9.37 kB	9.37 kB	✓
pages-api.ru...dev.js gzip	9.64 kB	9.64 kB	✓
pages-api.ru..prod.js gzip	9.37 kB	9.37 kB	✓
pages-turbo...prod.js gzip	21.8 kB	21.8 kB	✓
pages.runtim...dev.js gzip	22.5 kB	22.5 kB	✓
pages.runtim..prod.js gzip	21.8 kB	21.8 kB	✓
server.runti..prod.js gzip	49 kB	49 kB	N/A
Overall change	875 kB	875 kB	✓

Diff details

Diff for page.js

Diff too large to display

Diff for edge-ssr.js

Diff too large to display

Diff for server.runtime.prod.js

Diff too large to display

Commit: f69806d

[ztanner]

Thanks for the PR!!

[ijjk]

Tests Passed

[hugojos]

nice

[dairyisfine]

Been looking forward to this! Thanks!