next.js: Cannot run Server Actions in GitHub Codespaces or VSCode Tunnel

Link to the code that reproduces this issue

https://github.com/waki285/Server-Actions-Bug

To Reproduce

  1. Clone the repository in GitHub Codespaces or VSCode Tunnel.
  2. Start the server with next dev.
  3. Codespaces (or VSCode Tunnel) will automatically perform port forwarding and you can access the launched website through it.
  4. Click the “Execute Server Actions” button.
  5. An error will occur.

Current vs. Expected behavior

Expected: Server Actions are executed successfully and no errors occur.

Current: The following error occurs

`false` header with value `********-3000.***.devtunnels.ms` does not match `origin` header with value `localhost:3000` from a forwarded Server Actions request. Aborting the action.
 ⨯ Error: Invalid Server Actions request.
    at AsyncLocalStorage.run (node:async_hooks:346:14)
    at AsyncLocalStorage.run (node:async_hooks:346:14)

Verify canary release

  • I verified that the issue exists in the latest Next.js canary release

Provide environment information

Operating System:
  Platform: linux
  Arch: x64
  Version: #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022
Binaries:
  Node: 20.9.0
  npm: 10.2.2
  Yarn: N/A
  pnpm: 8.10.2
Relevant Packages:
  next: 14.0.2-canary.11
  eslint-config-next: N/A
  react: 18.2.0
  react-dom: 18.2.0
  typescript: 5.1.3
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

App Router

Additional context

No response

About this issue

  • Original URL
  • State: open
  • Created 8 months ago
  • Reactions: 6
  • Comments: 39 (5 by maintainers)

Most upvoted comments

We’ve added an option experimental.serverActions.allowedOrigins in #58023 that allows you to add a list of allowed hosts. The reason it throws by default is that this is a layer of cross site request forgery protection.

Shu is currently out of office till next week but we’ll add support for wildcard patterns once he’s back.

+12
timneutkens on Nov 9, 2023

So Next 14 added some more protection against CSRF attacks. However it caused this problem we’re all running in to. https://github.com/vercel/next.js/pull/57529 allows us to specify a list of allowed forwarded hosts, and it was released in v14.0.2-canary.4

I was able to fix this without messing with the proxy settings (which are configured automatically (and correctly) by apache) by doing the following:

  • Upgrade next to 14.0.2-canary.4
  • Add this to next.config:
experimental: {
  serverActions: {
    // edit: updated to new key. Was previously `allowedForwardedHosts`
    allowedOrigins: ['my-forwarded-host.com'],
  },
},
+10
danieltott on Dec 6, 2023

upgraded to 14.0.2 and added

module.exports = {
    experimental: {
        serverActions: {
            allowedOrigins: ["localhost:3000", "demo.your-actual-domain.com],
        },
    },
}

solved my problem

+8
Wei102193 on Nov 15, 2023

None of these options work for me, Next.js seems to ignore the allowOrigins property. Is there any other workaround, or even a way to just disable this security feature?

+4
aarvinr on Jan 20, 2024 
experimental: {
    serverActions: {
      allowedOrigins: ["xxxxxxxx-3000.xxx.devtunnels.ms" /* or Codespace port forward url, no including scheme */, "localhost:3000"]
    }
  }

I have been able to confirm that this solves the problem.

+4
waki285 on Nov 22, 2023

not work in VSCode Tunnel. I tried both:

experimental: {
    serverActions: {
      allowedForwardedHosts: ["localhost", "xxxxxxxx-3000.xxx.devtunnels.ms"],
      allowedOrigins: ["xxxxxxxx-3000.xxx.devtunnels.ms", "localhost:3000"]
    }
  }

experimental: {
  serverActions: {
    allowedForwardedHosts: ["localhost", "xxxxxxxx-3000.xxx.devtunnels.ms"],
    allowedOrigins: ["https://xxxxxxxx-3000.xxx.devtunnels.ms", "localhost:3000"]
  }
}

error:

`x-forwarded-host` header with value `xxxxxxxx-3000.xxx.devtunnels.ms` does not match `origin` header with value `localhost:3000` from a forwarded Server Actions request. Aborting the action.
 ⨯ Error: Invalid Server Actions request.
    at AsyncLocalStorage.run (node:async_hooks:346:14)
    at AsyncLocalStorage.run (node:async_hooks:346:14)
+4
waki285 on Nov 11, 2023

This is working for me in Codespaces with Next.js 14.1.0:

if (process.env.NODE_ENV == 'development') {
    module.exports = {
        experimental: {
            serverActions: {
                allowedOrigins: ['localhost:3000'],
            },
        },
    }
}
+3
matthewca on Jan 25, 2024

@waki285 Sorry but this is not completed: We still cant use wildacrds in allowOrigins.

@timneutkens @meleyal

+3
jide on Nov 28, 2023

Sorry, I copied and pasted the Origin in Request Headers directly into allowedOrigins and it worked!

Could you please share an example of the version of the configuration that worked for you?

/** @type {import("next").NextConfig} */
module.exports = {
    experimental: {
        serverActions: {
            allowedOrigins: ["demo.example.com:3000"],
        },
    },
}

this worked for me

Following on from this comment using 14.0.3-canary.5 and allowedOrigins works, note that you are not to include http or https protocols, but just have the domain name.

Hopefully there’s some official docs that come with the future releases.

+3
devraj on Nov 14, 2023

Sorry, I copied and pasted the Origin in Request Headers directly into allowedOrigins and it worked!

Could you please share an example of the version of the configuration that worked for you?

/** @type {import("next").NextConfig} */
module.exports = {
    experimental: {
        serverActions: {
            allowedOrigins: ["demo.example.com:3000"],
        },
    },
}

this worked for me

+3
ideactionagency on Nov 13, 2023

This commit adds wildcard support : https://github.com/vercel/next.js/commit/6fbff29a2e312eee0c129184aee4105b6a186771

Available in canary for now.

+2
jide on Dec 16, 2023

BTW, this issue will make the vercel platforms example not work https://demo.vercel.pub/platforms-starter-kit

+2
jide on Nov 15, 2023

Is this a way to set this options in .env? I don’t want to commit next.config.js with my personal codespace domain.

You can use process.env.MY_VAR in your next config

+1
gtjamesa on Dec 21, 2023

This is affecting me and I’m not even using server actions just route handlers & middleware. Multi tenant saas app. When I dump out the request object headers nextjs seems to be modifying the x-forwarded-host header value and lieing about what it was actually sent as? And this was shipped in a 0.0.1 update? Uhhh…

Reverting to 14.0.1 fixes issue.

+1
rshaul on Nov 15, 2023

Shu is currently out of office till next week but we’ll add support for wildcard patterns once he’s back.

@timneutkens any update on wildcard support?

+1
meleyal on Nov 15, 2023

@devraj thanks, but to me the PR seems to only cover a fixed list of origins. See this part of the code :

if (serverActions?.allowedOrigins?.includes(originDomain)) {

And I did not see any mention of wildcard support. Did I miss something ?

+1
jide on Nov 15, 2023

Hello, I am having the same issue here with Nginx proxy. Tried to Upgrade next to 14.0.2-canary.4 and add allowedForwardedHosts but it is not working. Any documentation on how to set up allowedForwardedHosts correctly ?

Not sure if there is any documentation, especially because it is not a full release yet. But you should be able to add this to your next.config.js and replace my-forwarded-host.com with the full domain (including subdomains) of your website being ran through the proxy:

experimental: {
  serverActions: {
    allowedForwardedHosts: ['my-forwarded-host.com'],
  },
},
+1
njfdev on Nov 7, 2023

I’m having this issue with a host that is being served behind an apache ProxyPass/ProxyPassReverse

+1
danieltott on Nov 6, 2023
Read more comments on GitHub
← next.js: Cannot read property 'prefetch' and 'push' of null
next.js: Cannot test <Link> outside of a Page on Next v9.5.0 (Enzyme + Jest) →