eliottvincent/vite-plugin-allowed-hosts

Vite Allowed Hosts

Specify a list of hosts that are allowed to access your Vite dev server.

⚠️ DEPRECATED

This plugin is now deprecated as Vite provides a native option for this functionality since version 5.4.12.

Please use Vite's built-in server.allowedHosts option instead.

Motivation

By rejecting requests with an unrecognized Host header, this plugin prevents DNS rebinding attacks, which are possible even under many seemingly-safe web server configurations.

In a DNS rebinding attack, an attacker can create a malicious website that makes requests to the development server using the victim’s browser, potentially gaining access to sensitive data or executing unauthorized actions.

Usage

// vite.config.js
import allowedHostsPlugin from "vite-plugin-allowed-hosts";

export default {
  plugins: [
    allowedHostsPlugin({
      hosts: ["acme.com", ".dev.acme.com"]
    })
  ]
}

Options

hosts

  • Type: 'auto' | 'all' | string | string[]

  • Default: 'auto'

    When set to 'auto', it will always allow localhost and server.host.

    When set to 'all', no header check will be done. This is obviously not recommended.

    A value beginning with a period . can be used as a subdomain wildcard. For example, '.acme.com' will match acme.com, www.acme.com, and any other subdomain of acme.com.

    If the Host header doesn't match any value in this list, a 403 Forbidden HTTP error will be returned.
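The matching rules above, written out as an added example (not the plugin's own source) so the DNS rebinding case can be checked directly: a rebinding page reaches the dev server with its own domain in the Host header, which fails the check. The function names, the `serverHost` parameter standing in for Vite's server.host, and the choice that an explicit list allows only its own entries are assumptions of this sketch.

```javascript
// Added illustration, not the plugin's code. All names here are hypothetical.

// Extract the hostname from a Host header value, dropping any port.
function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== "string" || hostHeader.trim() === "") return null;
  const value = hostHeader.trim().toLowerCase();
  if (value.startsWith("[")) {
    // Bracketed IPv6 literal such as "[::1]:5173"
    const end = value.indexOf("]");
    return end === -1 ? null : value.slice(1, end);
  }
  const colon = value.lastIndexOf(":");
  return colon === -1 ? value : value.slice(0, colon);
}

// Decide whether a Host header passes the documented `hosts` rules.
// Assumption: `serverHost` plays the role of server.host in 'auto' mode.
function isHostAllowed(hostHeader, hosts = "auto", serverHost = undefined) {
  if (hosts === "all") return true; // no header check is done
  const hostname = hostnameFromHeader(hostHeader);
  if (!hostname) return false; // missing or malformed header is rejected
  const list =
    hosts === "auto"
      ? ["localhost", serverHost].filter((h) => typeof h === "string")
      : Array.isArray(hosts) ? hosts : [hosts];
  return list.some((entry) => {
    const rule = entry.toLowerCase();
    if (rule.startsWith(".")) {
      // ".acme.com" matches acme.com and its subdomains. Keeping the dot in
      // the suffix test stops look-alikes such as "evilacme.com".
      return hostname === rule.slice(1) || hostname.endsWith(rule);
    }
    return hostname === rule;
  });
}

// Map the decision to the response status the README describes.
function statusFor(hostHeader, hosts, serverHost) {
  return isHostAllowed(hostHeader, hosts, serverHost) ? 200 : 403;
}
```
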

License

vite-plugin-allowed-hosts is released under the MIT License. See the bundled LICENSE file for details.
