
@elohmeier

Summary

When running Vite's dev server behind a reverse proxy (nginx, Caddy, etc.), the host validation middleware rejects requests because it validates against the proxy's internal hostname rather than the original client request host.

This PR adds a server.trustProxy option that, when enabled, extracts the original host from X-Forwarded-Host or RFC 7239 Forwarded headers for host validation.

Changes

  • Add trustProxy to CommonServerOptions (defaults to false for security)
  • Add getEffectiveHost() utility in new forwardedHeaders.ts module
  • Update hostValidationMiddleware to use forwarded host when trustProxy is enabled
  • Update WebSocket server host validation to use forwarded host
  • Preview server inherits trustProxy from server config

Usage

// vite.config.js
export default {
  server: {
    trustProxy: true,
    allowedHosts: ['myapp.example.com'],
  },
}

Security Considerations

  • The option is explicitly opt-in (false by default)
  • Only enables trusting proxy headers when the user explicitly configures it
  • Documentation notes that this should only be enabled when running behind a trusted reverse proxy

What is the purpose of this pull request?

  • New feature

Additional context: This addresses a common deployment scenario where Vite runs behind a reverse proxy and DNS rebinding protection (introduced in recent versions) blocks legitimate requests because the Host header contains the internal proxy hostname rather than the public-facing hostname.

When running Vite behind a reverse proxy, the host validation
middleware needs to check the forwarded host rather than the
direct connection host. This adds a `server.trustProxy` option
that, when enabled, uses X-Forwarded-Host and RFC 7239 Forwarded
headers for host validation in both the HTTP middleware and
WebSocket connections.

- Add `trustProxy` to `CommonServerOptions` (defaults to false)
- Add `getEffectiveHost()` utility for extracting forwarded host
- Update `hostValidationMiddleware` to use forwarded host
- Update WebSocket server host validation
- Preview server inherits `trustProxy` from server config