https://github.com/eliottvincent/vite-plugin-allowed-hosts

🚦 Specify a list of hosts that are allowed to access your Vite dev server.
https://github.com/eliottvincent/vite-plugin-allowed-hosts

allowed header host server vite

Last synced: about 1 month ago
JSON representation

🚦 Specify a list of hosts that are allowed to access your Vite dev server.

• Host: GitHub
• URL: https://github.com/eliottvincent/vite-plugin-allowed-hosts
• Owner: eliottvincent
• Created: 2023-04-13T09:32:13.000Z (about 3 years ago)
• Default Branch: master
• Last Pushed: 2025-06-17T11:52:32.000Z (about 1 year ago)
• Last Synced: 2025-11-27T12:09:15.159Z (7 months ago)
• Topics: allowed, header, host, server, vite
• Language: JavaScript
• Homepage: https://www.npmjs.com/package/vite-plugin-allowed-hosts
• Size: 163 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# Vite Allowed Hosts

[![Build Status](https://github.com/eliottvincent/vite-plugin-allowed-hosts/actions/workflows/test.yml/badge.svg)](https://github.com/eliottvincent/vite-plugin-allowed-hosts/actions) [![Version](https://img.shields.io/npm/v/vite-plugin-allowed-hosts.svg)](https://www.npmjs.com/package/vite-plugin-allowed-hosts) [![Downloads](https://img.shields.io/npm/dt/vite-plugin-allowed-hosts.svg)](https://www.npmjs.com/package/vite-plugin-allowed-hosts)

> Specify a list of hosts that are allowed to access your Vite dev server.

# ⚠️ DEPRECATED

This plugin is now deprecated as Vite provides a native option for this functionality since version 5.4.12.

Please use Vite's built-in [`server.allowedHosts`](htthttps://vite.dev/config/server-options.html#server-allowedhosts) option instead.

## Motivation

By rejecting requests with an unrecognized `Host` header, this plugin prevents **DNS rebinding attacks**, which are possible even under many seemingly-safe web server configurations.

In a [DNS rebinding attack](https://en.wikipedia.org/wiki/DNS_rebinding), an attacker can create a malicious website that makes requests to the development server using the victim’s browser, potentially gaining access to sensitive data or executing unauthorized actions.

## Usage

```js

// vite.config.js

import allowedHostsPlugin from "vite-plugin-allowed-hosts";

export default {

  plugins: [

    allowedHostsPlugin({

      hosts: ["acme.com", ".dev.acme.com"]

    })

  ]

}

```

## Options

#### `hosts`

- **Type:** `'auto' | 'all' | string | string[]`

- **Default:** `'auto'`

  When set to `'auto'`, it will always allow `localhost` and [`server.host`](https://vitejs.dev/config/server-options.html#server-host).

  When set to `'all'`, no header check will be done. This is obviously **not recommended**.

  A value beginning with a period `.` can be used as a subdomain wildcard. For example, `'.acme.com'` will match `acme.com`, `www.acme.com`, and any other subdomain of `acme.com`.

  If the `Host` header doesn't match any value in this list, a **403** Forbidden HTTP error will be returned.

## License

vite-plugin-allowed-hosts is released under the MIT License. See the bundled LICENSE file for details.