Specify a list of hosts that are allowed to access your Vite dev server.
By rejecting requests with an unrecognized Host
header, this plugin prevents DNS rebinding attacks, which are possible even under many seemingly-safe web server configurations.
In a DNS rebinding attack, an attacker can create a malicious website that makes requests to the development server using the victim’s browser, potentially gaining access to sensitive data or executing unauthorized actions.
// vite.config.js
import allowedHostsPlugin from "vite-plugin-allowed-hosts";
export default {
plugins: [
allowedHostsPlugin({
hosts: ["acme.com", ".dev.acme.com"]
})
]
}
-
Type:
'auto' | 'all' | string | string[]
-
Default:
'auto'
When set to
'auto'
, it will always allowlocalhost
andserver.host
.When set to
'all'
, no header check will be done. This is obviously not recommended.A value beginning with a period
.
can be used as a subdomain wildcard. For example,'.acme.com'
will matchacme.com
,www.acme.com
, and any other subdomain ofacme.com
.If the
Host
header doesn't match any value in this list, a 403 Forbidden HTTP error will be returned.
vite-plugin-allowed-hosts is released under the MIT License. See the bundled LICENSE file for details.