next.js: `x-forwarded-host` header does not match `origin`
Link to the code that reproduces this issue
https://github.com/lewisnewson/nextjs-14.0.2-bug-report
To Reproduce
- Clone the attached git repo
- Deploy the
mainbranch onto a basic Heroku dyno - Open the application in a new browser window
- Observe the error printed in the Heroku server logs
Current vs. Expected behavior
Currently:
- Server action called
- Fails on the server with the error “
x-forwarded-hostheader with valuelocalhost:23380does not matchoriginheader with valuenextjs-14-0-2-bug-report-4ea064a57303.herokuapp.comfrom a forwarded Server Actions request. Aborting the action. – Error: Invalid Server Actions request.”
What should happen:
- Server action called
- Executed correctly server-side (prints example todos)
Verify canary release
- I verified that the issue exists in the latest Next.js canary release
Provide environment information
Operating System:
Platform: linux
Arch: x64
Version: #54~20.04.1-Ubuntu SMP Fri Oct 6 22:04:33 UTC 2023
Binaries:
Node: 20.9.0
npm: 10.1.0
Yarn: N/A
pnpm: N/A
Relevant Packages:
next: 14.0.3-canary.0
eslint-config-next: N/A
react: 18.2.0
react-dom: 18.2.0
typescript: N/A
Next.js Config:
output: N/A
Which area(s) are affected? (Select all that apply)
App Router
Additional context
Since upgrading from 14.0.1 to 14.0.2, deployments into a Heroku environment have now seen issues arise with the use of server actions. This can be shown in the example provided, when deployed to Heroku, loading the application prints the error message into the console of the dyno.
This issue does not happen when running next dev on a local machine, instead it only seems to appear when the application is deployed into production.
About this issue
- Original URL
- State: closed
- Created 8 months ago
- Reactions: 27
- Comments: 34 (6 by maintainers)
Commits related to this issue
- fix: fix: x-forwarded-host not match https://github.com/vercel/next.js/issues/58295 — committed to xiaomingTang/next-app by xiaomingTang 8 months ago
This is fixed in 14.0.3, upgrade to next 14.0.3 and the error will be gone.
i’m on v14.0.3 and using this works for me. on next.config.js
serverActions: { allowedOrigins: ["xxxx.com", "localhost:3001"], }ps. do not add HTTP or https on origins
This will be fixed by #58500
I’ve had the same issue with nginx. I tried using serverActions.allowedOrigins and also experimental.serverActions.allowedOrigins / allowedHosts but didn’t help. Downgrading to 14.0.1 fixed the problem. Hope the next update fix this.
Issue also happens for me when running
next devon a local machine if you access app not via localhost but through another address in local network, like192.168.1.2:3000. Works without errors on 14.0.1.Confirmed this is now solved in version 14.0.3.
Thanks all!
Tried to add it to the next config but didn’t work. Not sure where there is a breaking change in a minor version update anyways.
This fixed it for me
Yes, on my end it looks like this:
proxy_set_header X-Forwarded-Host $host:3003My two cents worth on another thread on the same issue.
Fantastic, adding their recommendation of the following sorted the issue for me;
next.config.js
experimental.serverActions.allowedOrigins: ["https://nextjs-14-0-2-bug-report-4ea064a57303.herokuapp.com"]So for those needing a hand with this, the above should work as fix.
Thanks for digging that out @JavierMartinz
@lewisnewson https://github.com/vercel/next.js/issues/58019#issuecomment-1803925492