webpack-dev-server: "Invalid Host/Origin Header" warning

PLEASE READ

We are working on this problem. It is regression problem after fixing security error. Security issues are always high priority and we would not want to revert it, but it is require some changes in https://github.com/sockjs/sockjs-node/pull/247, we have workaround for this problem https://github.com/webpack/webpack-dev-server/pull/1608, but need some feedback. Feel free to feedback.

Fast workaround (put it in your devServer property in config):

disableHostCheck: true




We apologize for the situation. Thanks for helping us do webpack better. ⭐ ⭐ ⭐

  • Operating System: macos 10.14.2
  • Node Version: 11.5.0
  • NPM Version: 6.4.1
  • webpack Version: 4.28.1
  • webpack-dev-server Version: 3.1.11
  • This is a bug

Code

  // webpack.config.js
const path = require('path');
const HtmlWebpackPlugin = require('html-webpack-plugin');
const MiniCssExtractPlugin = require('mini-css-extract-plugin');

module.exports = {
  entry: [
    './src/main.css',
    './src/main.js'
  ],
  output: {
    path: path.resolve(__dirname, 'dist'),
    filename: 'index.js'
  },
  plugins: [
    new HtmlWebpackPlugin({
      template: './src/main.html'
    }),
    new MiniCssExtractPlugin({
      filename: 'index.css'
    })
  ],
  module: {
    rules: [
      {
        test: /\.css$/,
        use: [
          MiniCssExtractPlugin.loader,
          'css-loader'
        ]
      },
      {
        test: /\.js$/,
        exclude: /node_modules/,
        use: 'babel-loader'
      }
    ]
  },
  stats: {
    children: false,
    modules: false
  },
  devServer: {
    proxy: {
      '/api': 'http://localhost:3000'
    },
    stats: {
      children: false,
      modules: false
    }
  }
};

Expected Behavior

No warnings

Actual Behavior

Getting “Invalid Host/Origin Header” warning in browser console

For Bugs; How can we reproduce the behavior?

install webpack-dev-server@3.1.11 and run (v3.1.10 working as expected).

image

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 89
  • Comments: 59 (22 by maintainers)

Commits related to this issue

Most upvoted comments

@mrbbm I just had that very problem after upgrading my project to angular 7.2.0. I fixed it by modifying my package.json file as so:

{
  ...
  "scripts": {
    "ng": "ng",
    "start": "ng serve --disableHostCheck=true",    <===== HERE
    "build": "ng build --extract-css",
   ...
+25
dstj on Jan 10, 2019

@ravshansbox it is security fix, looks you origin than you use in config, you can use disableHostCheck: true in you case, anyway can you create minimum reproducible test repo?

+25
alexander-akait on Dec 21, 2018

Even with disableHostCheck now after updating I can not get rid of these errors.

+18
neverblued on Jul 14, 2019

This is happening now on webpack 5 and disableHostCheck is not part of the api anymore. Any thoughts?

+9
testacode on Jun 7, 2021

It happens again for me with the following versions:

{
  "webpack-cli": "3.2.0",
  "webpack-dev-server": "3.1.14"
}

error

Does it occur to you guys?

+9
davidpelayo on Jan 3, 2019

I am running 3.11.0 webpack-dev-server and still having this problem after specifying disableHostCheck: true

+8
variable on Aug 17, 2020

Looks like the issue has been solved. Thanks

+6
alan-agius4 on Dec 24, 2018

This also affects projects created with @vue/cli - tested a few minutes ago with 3.1.12.

+6
lbogdan on Dec 22, 2018

with disableHostCheck: true there is no warning.

+5
ravshansbox on Dec 21, 2018

Yes, it seems the npmjs security team does not know what is going on.

Reported https://npm.community/t/advisory-725-inconsistently-marks-affected-versions/4333

+4
pauldraper on Jan 1, 2019

I also am getting this error in Firefox 64.0 with version 3.1.11. Reverting to 3.1.10 fixes it.

+4
lambcode on Dec 22, 2018

@kevinmu17 the disableHostCheck: true option was removed in favor of allowedHosts: "all", for more information please refer to our migration guide - https://github.com/webpack/webpack-dev-server/blob/master/migration-v4.md

+3
snitin315 on Aug 19, 2021

webpack-dev-server@3.1.14 is not fixed this issue

+3
cc616 on Jan 1, 2019

Yep, 3.1.14 works fine 👍

+3
carlosgeos on Dec 25, 2018

#1608 is working for me (Node 11.5.0 and SockJS 0.3.19)

+3
carlosgeos on Dec 22, 2018

If you’re using @angular-builders/custom-webpack try this:

// custom-webpack.config.js
module.exports = {

  devServer: {
    disableHostCheck: true
  },

   plugins: []
};
+2
simeyla on Jul 13, 2020

@carlosgeos

Hi, I have no problem with this minimal example (with the latest versions of webpack-cli and webpack-dev-server): https://github.com/carlosgeos/simple-webpack-repo

@mrbbm in the webpack config like this:

module.exports = {
  // ...
  devServer: {
    disableHostCheck: true
  }
  // ...
};

Thanks for your reply. I would like to know where could I add in my Angular 7 project, there won’t be any file namely webpack.config

+2
mrbbm on Jan 4, 2019

@davidpelayo yes, it is happening for me as well with the latest versions of both webpack-cli and webpack-dev-server

For now, I’ve added:

disableHostCheck: true,

…which skirts around the issue.

+2
khalwat on Jan 4, 2019

I can also confirm that the issue still exists

+2
davidpelayo on Dec 22, 2018

I am seeing this issue as well with 3.1.11. Rolling back to 3.1.10 fixes it.

+2
bwigs on Dec 21, 2018

@kevinmu17 the disableHostCheck: true option was removed in favor of allowedHosts: "all", for more information please refer to our migration guide - https://github.com/webpack/webpack-dev-server/blob/master/migration-v4.md

This link should be available on https://webpack.js.org/configuration/dev-server/ This was a live saver, I was banging my head, the information is very well explained and it took me a few hours to migrate. Thank you very much for pointing this out!

+1
kevinmu17 on Aug 19, 2021

I see this message consistently when I run my project via Fiddler at localhost.fiddler:4200 and not when I use localhost:4200.

+1
Logopher on Aug 26, 2020

@khalwat >

@davidpelayo yes, it is happening for me as well with the latest versions of both webpack-cli and webpack-dev-server

For now, I’ve added:

disableHostCheck: true,

…which skirts around the issue.

Where could I add this disableHostCheck: true, ?

+1
mrbbm on Jan 4, 2019

I tried to add workaround (#1608). It works and resolves this issue in my environment. Please check it.

+1
3846masa on Dec 22, 2018

@3846masa let’s wait some time and revert it, maybe we can implement workaround on our side, need investigate, feel free to do it, thanks

+1
alexander-akait on Dec 22, 2018

Please don’t spam Same problem here or issue still exists, better create minimum reproducible test repo, it is allow to fix all edge cases, thanks!

+1
alexander-akait on Dec 22, 2018

Also, got this issue after upgrading to 3.1.11

+1
rpang77 on Dec 21, 2018
Read more comments on GitHub
← webpack-dev-server: In Webpack 5, the webpack-dev-server hot update encounters a JS syntax error, the websocket will break, and the hot update will not work after the change error is saved.
webpack-dev-server: "lazy" mode does not seem to work in the latest webpack-dev-server →