Preserve the original x-forwarded-host header if it is set. (#10887)

jamesopstad · web-flow · commit 0de75114d5c2 · 2025-10-06T18:34:20.000+01:00
* Preserve the original x-forwarded-host header if it is set

* Add changeset

* PR feedback
diff --git a/.changeset/five-files-throw.md b/.changeset/five-files-throw.md
@@ -0,0 +1,5 @@
+---
+"@cloudflare/vite-plugin": patch
+---
+
+Preserve the original `x-forwarded-host` header if it is set.
diff --git a/packages/vite-plugin-cloudflare/playground/worker-♫/__tests__/worker.spec.ts b/packages/vite-plugin-cloudflare/playground/worker-♫/__tests__/worker.spec.ts
@@ -32,7 +32,15 @@ test("basic dev logging", async () => {
 	expect(serverLogs.errors.join()).toContain("__console warn__");
 });
 
-test("receives the original host as the `X-Forwarded-Host` header", async () => {
+test("receives the original `x-forwarded-host` header if it is set", async () => {
+	const response = await fetch(`${viteTestUrl}/x-forwarded-host`, {
+		headers: { "x-forwarded-host": "example.com:8080" },
+	});
+
+	expect(await response.text()).toBe("example.com:8080");
+});
+
+test("receives the Vite server host as the `x-forwarded-host` header if the `x-forwarded-host` header is not set", async () => {
 	const testUrl = new URL(viteTestUrl);
 	await vi.waitFor(
 		async () =>
diff --git a/packages/vite-plugin-cloudflare/src/utils.ts b/packages/vite-plugin-cloudflare/src/utils.ts
@@ -70,11 +70,16 @@ export function createRequestHandler(
 }
 
 function toMiniflareRequest(request: Request): MiniflareRequest {
-	// We set the X-Forwarded-Host header to the original host as the `Host` header inside a Worker will contain the workerd host
 	const host = request.headers.get("Host");
-	if (host) {
+	const xForwardedHost = request.headers.get("X-Forwarded-Host");
+
+	if (host && !xForwardedHost) {
+		// Set the `x-forwarded-host` header to the host of the Vite server if it is not already set
+		// Note that the `host` header inside the Worker will contain the workerd host
+		// TODO: reconsider this when adopting `miniflare.dispatchFetch` as it may be possible to provide the Vite server host in the `host` header
 		request.headers.set("X-Forwarded-Host", host);
 	}
+
 	// Undici sets the `Sec-Fetch-Mode` header to `cors` so we capture it in a custom header to be converted back later.
 	const secFetchMode = request.headers.get("Sec-Fetch-Mode");
 	if (secFetchMode) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@cloudflare/vite-plugin": patch
 +---
++
 +Preserve the original `x-forwarded-host` header if it is set.