[vite 6.0.9] option server.allowedHosts doesn't take into account "true" #19242

Closed
7 tasks done
Reaster0 opened this issue Jan 20, 2025 · 55 comments

Comments

@Reaster0

Describe the bug

hi, i've recently updated vite to 6.0.9, the main change being the allowedHosts server conf field,

it's said in the documentation that if set to true, it will accept any hosts, but even when setting it to true i get the error:

Blocked request. This host ("hidden") is not allowed.
To allow this host, add "hidden" to server.allowedHosts in vite.config.js.

(maybe i could be dumb but it really doesn't seem to work)

Reproduction

google.com

Steps to reproduce

No response

System Info

System:
    OS: Linux 6.8 Ubuntu 24.04.1 LTS 24.04.1 LTS (Noble Numbat)
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
    Memory: 4.68 GB / 15.34 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 18.19.1 - /usr/bin/node
    npm: 9.2.0 - /usr/bin/npm
  Browsers:
    Chrome: 132.0.6834.83
  npmPackages:
    @vitejs/plugin-react: ^4.2.0 => 4.2.1 
    vite: 6.0.9 => 6.0.9

Used Package Manager

npm

Logs

No response

Validations


@sunilranaLivspace

Yes, same issue coming to me as well when I am trying below config in my vite config file (vite.config.ts). Please fix it.

import { defineConfig } from 'vite';
import react from '@vitejs/plugin-react';

export default defineConfig({
	plugins: [react()],
	build: {
		outDir: 'dist',
		target: 'esnext',
	},
	preview: {
		port: 3000,
		strictPort: true,
		host: '0.0.0.0', 
		allowedHosts: true,
	},
	server: {
		allowedHosts: true
	},
});

@keyurmeandev

https://vite.dev/config/server-options#server-allowedhosts

Tried to follow the same procedure but not working..

Blocked request. This host ("hostname") is not allowed.
To allow this host, add "hostname" to server.allowedHosts in vite.config.js.

@sapphi-red
Member

sapphi-red commented Jan 21, 2025

I wasn't able to reproduce it with a simple setup. I need a reproduction to investigate this one.


Hello @Reaster0. Please provide a minimal reproduction using a GitHub repository or StackBlitz. Issues marked with needs reproduction will be closed if they have no activity within 3 days.

@gregorvand

gregorvand commented Jan 21, 2025

Also encountering this after pushing an update today, no changes to vite config
Running on GCP / Cloud Run

@gregorvand

I resolved this by updating vite.config - what's odd here is that I had not upgraded to 6+ and the error just presented overnight.
Also the type definitions are not happy with this addition, but it works:

export default defineConfig({
	plugins: [sveltekit()],
	server: {
		cors: {
			origin: ['https://mysubdomain.domain.io', 'http://localhost:5173'],
			methods: ['GET', 'POST'],
			allowedHeaders: ['Content-Type']
		},
		allowedHosts: ['mysubdomain.domain.io'] //added this
	}
});

@rodrigocfd

The problem still exists in 6.0.11.

Downgrading to 6.0.8 makes it work.

@OxCom

OxCom commented Jan 21, 2025

Hm... please take a look into tools that use vite to run. For example I have same issue with vite + storybook, because of storybook. I defined in storybook config the server options:

import {mergeConfig} from 'vite';

// ...

async viteFinal(config) {
        return mergeConfig(config, {
            server: {
                hmr: {
                    path: '/ws'
                }
            }
        });
    },

and the problem is that mergeConfig will replace server options from vite

@rodrigocfd

Hm... please take a look into tools that use vite to run.

Mine is just a plain Vite project with React. Nothing else.

@Reaster0
Author

Reaster0 commented Jan 21, 2025

i'm not sure i have the time rn to make a replication for something this simple,
if someone wants to provide one

in the meantime i've rolled back to 6.0.8

it's really a breaking issue for a lot of people,

changing the default allowedHost from 0.0.0.0 to localhost and having a bug on the same field to set back to 0.0.0.0 will break a lot of vite installations,
i'll stick on 6.0.8 until it's fixed,
thanks for your hard work nonetheless, vite is great

@Reaster0
Author

I resolved this by updating vite.config - what's odd here is that I had not upgraded to 6+ and the error just presented overnight. Also the type definitions are not happy with this addition, but it works:

export default defineConfig({
	plugins: [sveltekit()],
	server: {
		cors: {
			origin: ['https://mysubdomain.domain.io', 'http://localhost:5173'],
			methods: ['GET', 'POST'],
			allowedHeaders: ['Content-Type']
		},
		allowedHosts: ['mysubdomain.domain.io'] //added this
	}
});

yes you can set the hosts you want in allowedHosts, the bug we encounter specifically is when setting allowedHosts to "true"

@sapphi-red
Member

sapphi-red commented Jan 22, 2025

I've tried it again but still cannot reproduce. I need a reproduction.

@gregorvand

yes you can set the hosts you want in allowedHosts, the bug we encounter specifically is when setting allowedHosts to "true"

Understood, I also tried allowedHosts: true and it was breaking under that.

I am now using 6.0.10 so can only speak to that version.

@arifszn

arifszn commented Jan 23, 2025

Also happening for latest 4.x.x version. Downgrading to v4.4.5 fixed it.


@sapphi-red
Member

Caution

Please note that downgrading will make you vulnerable to attacks described in GHSA-vg6x-rcgg-rjx6.


@sapphi-red
Member

So, we have two choices: an insecure version or a buggy version...

No, those are not the only choices.
You have a third choice to create a PR that fixes your problem, and a fourth choice to create a reproduction so that others can investigate the cause.

@augustoamaro

Blocked request. This host ("myhost.com") is not allowed.
To allow this host, add "myhost.com" to preview.allowedHosts in vite.config.js.

  • I added it to vite.config.js and it didn't work.
  • I downgraded to version 4.5.0 and it remains the same
  • I'm using nginx in my server
  • The application is being run in Docker


@JustinYLee

putting all the settings in the server block worked for allowedHosts: true or ['dev.mydomain.com']

no problem with "npm run dev"

I was accessing my dev server from outside network domain name. I configured my router to forward port 8080 to the dev server. It would error without the setting.

import { fileURLToPath, URL } from 'node:url'

import { defineConfig } from 'vite'
import vue from '@vitejs/plugin-vue'
import vueDevTools from 'vite-plugin-vue-devtools'

// https://vite.dev/config/
export default defineConfig({
  plugins: [
    vue(),
    vueDevTools(),
  ],
  server: {
    port: 8080,
    strictPort: true,
    host: '0.0.0.0',
    //allowedHosts: ['dev.mydomain.com']
    allowedHosts: true
  },
  resolve: {
    alias: {
      '@': fileURLToPath(new URL('./src', import.meta.url))
    },
  },
})

@gregorvand

@sapphi-red could it be fair to say the issue was introduced here? bd896fb

With more time happy to help debug and reproduce, but trying to keep this moving

@sapphi-red
Member

could it be fair to say the issue was introduced here? bd896fb

@gregorvand That commit is the one that introduced the server.allowedHosts option so I think yes.

@gregorvand

Thanks @sapphi-red , a couple of things stand out -

default for allowedHosts being set to [] but not being overridden by true - so, an issue with where the user config is merged with the default config.

and / or, bd896fb#diff-abb3345b6e3b2ec6d297c2ebc54cca85ae4487a31bac3cc9e78457f5114adb26R864 removing allowedHosts !== true here so as not to trigger the middleware when not required?

Will hopefully have more time later this week to look more

@Fab1en

Fab1en commented Feb 4, 2025

I use MedusaJS and have the same issue.
Here is the configuration I used to bypass the problem :

// medusa-config.ts
module.exports = defineConfig({
  // ...
  admin: {
    vite: config => {
      config.server.allowedHosts = ['my.custom.domain.com']
      return config;
    }
  },
})

@meliyahu

meliyahu commented Feb 5, 2025

Yeah, we are using vite: 5.1.3 with React 18 (works for local dev...but when we do deployment on docker image in K8s with nginx proxy we encounter this issue too!!) Ay Karamba! Trying to leave no stone unturned to fix it!

@malekhijazi

malekhijazi commented Feb 5, 2025

I had the same issue while developing a Shopify-Remix app and using Ngrok as a tunnel. At first everything was working fine and suddenly it stopped working and vite was blocking all Ngrok requests even though it was added in server.allowedHosts.

After some debugging and trying to run vite separately using npm run vite
it gave an error:
Port 3000 is in use, trying another one

And indeed there was something already running on port 3000. The issue went away after that.

I suggest running vite on the project to check for any errors

npm run vite

Hope this helps someone ✌

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 9, 2025
@mdesantis

Weirdly enough, I don't have this issue on my Linux machine, but I have it on the Mac. Here on the Mac, only localhost is going to be allowed, no matter how I set server.allowedHosts, true, a list of hosts or whatever.

@mdesantis

mdesantis commented Feb 9, 2025

Update: I spotted the error on my project. Basically, I'm visiting the application using a custom local domain that is not localhost (something.localhost.localdomain). Adding .localhost.localdomain to server.allowedHosts is not enough, because Vite client tries to start the ws connection on localhost, where it can't find the websocket, as it's on something.localhost.localdomain:3036. I fixed starting the Vite server with the option --host something.localhost.localdomain (actually, I used VITE_RUBY_HOST=demos.localhost.localdomain bin/vite dev as I'm using Vite Ruby, but that should be a detail).

Thing is, I don't have this error on the Linux machine. Only here on the Mac.

TL;DR If you're using a custom local domain, try to start the Vite dev server with the --host option set to whichever host you're using (docs: https://vite.dev/guide/cli.html#vite).

Update 2:

Even more surprisingly, I was able to fix the issue on OSX without setting --host something.localhost.localdomain, just adding the custom domain to the hosts file also for IPv6:

127.0.0.1 localhost localhost.localdomain something.localhost.localdomain
::1       localhost localhost.localdomain something.localhost.localdomain

@CollinHerber

CollinHerber commented Feb 11, 2025

I don't understand why this was closed. I'm finding myself reverting to 6.0.8 to resolve this issue.
This appears to be an issue related to Mac specifically.
I'm using Storybook specifically and seeing this issue.

@patak-dev
Member

@CollinHerber it was closed because nobody provided a minimal reproduction. Please create a new issue following the issue template.

@gregorvand

@patak-dev what form of minimal reproduction is sufficient here? When the issue seems to lie with deploying to infra vs local environment

@CollinHerber

You can kinda mimic this by using ngrok and using the link that it provides. The link will be blocked because allowedHosts is ignored.

@sapphi-red
Member

@gregorvand I'm fine with a reproduction using docker (+ docker-compose). You can also provide a bigger reproduction. Then, I can ask you to trim down the unrelated stuff.

@CollinHerber Please create an issue with minimal reproduction (without storybook). If it only reproduces with storybook, then it can be due to storybook instead, so please report there first.

@mmzolo

mmzolo commented Feb 12, 2025

Hi @sapphi-red, I've made an issue with some reproduction steps which I hope assist you: #19411

This is definitely not a storybook issue.

Because I see the problem in a Docker context, and it involves routing configuration, I wasn't able to do a vite.new reproduction, but I hope the steps in there are helpful.

@MariuzM

MariuzM commented Feb 14, 2025

Jesus what a complete mess sorry but how was this released to prod when it's just breaking for everyone?

@jwknz

jwknz commented Feb 14, 2025

I reverted back to 6.0.9 (down from 6.1.0) in docker (build on a mac m1) and it is still not working.

@zfi

zfi commented Feb 14, 2025

The issue appeared in 6.0.9. Try 6.0.8. That worked for me until we get this figured out.

@jwknz

jwknz commented Feb 15, 2025

Sorry I made a typo - I tried 6.0.8 - and it was still there

@seekwhencer

Same here with Astro. Using Docker and jwilders nginx reverse proxy.

Blocked request. This host ("my.server.addresss") is not allowed. To allow this host, add "my.server.addresss" to server.allowedHosts in vite.config.js.

but, if i add it to server.allowedHosts - same as before... i tried server.allowedHosts = true or server.cors.origin = true

Vite version 6.0.11

@bmg817

bmg817 commented Feb 20, 2025

Same issue when running:

cloudflared tunnel --url http://localhost:8081

on a react app that runs with pnpm run dev (note that accessing localhost works perfectly fine -- it's the cloudflared service that does not).

I'm on a macbook air m1 chip from 2020.

No resolution and blocked if using 6.0.9, 6.1.0 and 6.1.1. Downgraded to 6.0.8 and it is now resolved.

brandon-nam pushed a commit to brandon-nam/travel-wise that referenced this issue Mar 1, 2025
@kyllerss

kyllerss commented Mar 1, 2025

Thank you, @mdesantis ! Setting the --host parameter did the trick for me.

@seekwhencer

In Astro.js i have found the solution. Just add the "vite" property to the config and place all the server config under this property. Then it works. It's not documented.

@Reaster0
Author

Reaster0 commented Mar 3, 2025

@seekwhencer do you have an example? i don't really get what you're saying

@Reaster0
Author

Reaster0 commented Mar 3, 2025

@sapphi-red @bluwy @patak-dev do you have an idea on this still active issue? thanks

@patak-dev
Member

@Reaster0 this issue was closed because there was no minimal reproduction. You linked to google.com as the reproduction. If you or others are still experiencing issues, please create a new issue with a minimal reproduction if there is something new for vite contributors to check out. Check your dependencies, as Nuxt, Astro, Storybook, Laravel, and many others have now released versions to address the security vulnerability that triggered the change in a patch.

@Reaster0
Author

Reaster0 commented Mar 3, 2025

it's really only a basic config with in vite.config.js the option server.allowedHosts=true
but i'll do a reproduction if that's really needed

@Reaster0
Author

Reaster0 commented Mar 3, 2025

FIXED (at least for me)

so i was making a git for reproduction, a basic vite + react project, + custom domain in the hosts file
but i didn't manage to reproduce. then i tried everything that was different from my main project, and then when i used a dockerfile to host the reproduction project, i reproduced! so the hunt began to understand what the fuck happened in this dockerfile
here is the one i used, if you can see the issue

FROM node:22.13.0-alpine AS base

RUN mkdir -p /home/node/app && chown node:node /home/node/app
WORKDIR /home/node/app
USER node

FROM base AS build
COPY --chown=node:node . .
RUN npm i


RUN npm run build

FROM base AS main
# ENV NODE_ENV=production
COPY --from=build ./home/node/app/package.json ./
COPY --from=build --chown=node:node /home/node/app/dist ./dist
RUN npm i

CMD ["npm", "run", "preview", "--", "--host", "--port", "9001"]

yes, in the final stage i'm missing the vite.config.ts file,
it should have the line:
COPY --from=build ./home/node/app/vite.config.ts ./
but i didn't think it would be needed because the other options were taken into account, so from the start of the project i never added it in the final stage
(here is mine for reference)

import { defineConfig } from 'vite'

const VITE_URL_PREFIX = process.env.VITE_URL_PREFIX

// https://vitejs.dev/config/
export default defineConfig({
  build: {
    outDir: `dist${VITE_URL_PREFIX}` // Built files will go into dist/hello
  },
  base: `${VITE_URL_PREFIX ? VITE_URL_PREFIX : `/`}`, // Sets the base path for all resources
  server: {
    allowedHosts: true
  }
})

because even if all of the other values are used during the build stage, the "server" is used when invoking the vite server, so it doesn't have it, right?

so the issue was:
I'M A DUMBASS THAT FORGOT THE VITE.CONFIG.TS FILE
(if you come across this issue in the future, check again if you have the config file at the moment you invoke vite)

@patak-dev @sapphi-red you can tell me "told you, can't reproduce" :')
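
Added example (not part of the thread and not Vite's source code): a simplified JavaScript model of the Host header allow-list check, following the documented server.allowedHosts rules, to show why a config file missing at runtime blocks a custom hostname while localhost still works. The function names and the sample hostnames are constructed for illustration.

```javascript
// Simplified model of a dev-server Host header allow-list (assumption: this
// mirrors the documented rules for server.allowedHosts; it is not Vite's code).
// Checking Host is the usual defence against DNS rebinding, which needs an
// attacker-chosen domain name in the header; IP literals cannot be rebound.

const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
const IPV6_BRACKETED = /^\[[0-9a-f:.]+\]$/; // rough shape check only

// Reduce "host[:port]" or "[v6]:port" to a bare lowercase hostname.
function hostnameOf(hostHeader) {
  const h = String(hostHeader).trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end === -1 ? h : h.slice(0, end + 1);
  }
  const colon = h.indexOf(':');
  return colon === -1 ? h : h.slice(0, colon);
}

// allowedHosts: true | string[] | undefined (undefined = no config was loaded,
// so the default empty list applies).
function isHostAllowed(allowedHosts, hostHeader) {
  if (allowedHosts === true) return true; // check disabled entirely
  const name = hostnameOf(hostHeader);
  if (IPV4.test(name) || IPV6_BRACKETED.test(name)) return true;
  if (name === 'localhost' || name.endsWith('.localhost')) return true;
  for (const raw of allowedHosts ?? []) {
    const entry = raw.toLowerCase();
    if (entry === name) return true;
    // ".example.com" allows example.com itself and every subdomain of it
    if (entry.startsWith('.') && (entry.slice(1) === name || name.endsWith(entry))) {
      return true;
    }
  }
  return false;
}

// Constructed scenario: one request evaluated against the effective setting
// with the config file present, missing from the image, or using a list.
function scenario(hostHeader) {
  return {
    configLoaded: isHostAllowed(true, hostHeader),
    configMissing: isHostAllowed(undefined, hostHeader),
    listed: isHostAllowed(['.mydomain.example'], hostHeader),
  };
}

console.log(scenario('dev.mydomain.example:9001'));
console.log(scenario('localhost:9001'));
```

In the model, a request for localhost passes even when no configuration is loaded, which is why a setup can look correct locally and only fail behind a proxy, tunnel or custom domain.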

@SparksFlyx3

I resolved the issue by NOT using vite preview anymore, but installing http-server and running http-server dist.
Worked right out of the box! 🚀
