Description
Hey there,
it seems like I misunderstood the changeOrigin option: I assumed that it changes the Origin header to match the target, but looking at the code and reading the description carefully I realize that it actually changes the Host header.
I'm working with some API backends that look at the Origin header to spot CSRF issues. So I use a proxy to "spoof" the Origin header when developing locally so that the backend API thinks my frontend is running on the same domain.
I feel that this is a common use case and I wonder if you would consider either extending the changeOrigin option to modify both the Host and Origin headers or adding a new option (no idea about the name) that changes the Origin header.
I'm happy to work on a pull request if you consider this valuable.
BTW, at the moment I'm working around the issue like this:
```js
const TARGET = 'https://api.endpoint'
const proxy = createProxyServer({ target: TARGET })
proxy.on("proxyReq", (proxyReq, req, res, options, socket) => {
  proxyReq.setHeader("Origin", TARGET);
});
```
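The Host/Origin distinction raised in this issue, as an added example that is not part of the original post or the project's code. `rewriteHeaders`, `originAccepted` and the `rewriteOrigin` option are hypothetical names, and `api.example.test` is a constructed stand-in for the backend.

```javascript
// Added illustration; rewriteOrigin is a hypothetical option name, not an existing one.
// Constructed sample values: api.example.test stands in for the real backend.

// Header changes a dev proxy would apply to an outgoing request.
function rewriteHeaders(headers, target, { changeOrigin = false, rewriteOrigin = false } = {}) {
  const url = new URL(target);
  const out = { ...headers };
  // changeOrigin as described in the issue: only Host follows the target.
  if (changeOrigin) out.host = url.host;
  // Origin is scheme://host[:port] only, so derive it from the parsed URL
  // rather than copying a target string that may carry a path.
  // Requests that arrive without an Origin header stay without one.
  if (rewriteOrigin && out.origin !== undefined) out.origin = url.origin;
  return out;
}

// Backend-side CSRF check of the kind the issue mentions: exact Origin match.
function originAccepted(headers, allowedOrigin) {
  return headers.origin === allowedOrigin;
}

const TARGET = 'https://api.example.test/v1/';
const ALLOWED = 'https://api.example.test';
const browserHeaders = { host: 'localhost:3000', origin: 'http://localhost:3000' };

const hostOnly = rewriteHeaders(browserHeaders, TARGET, { changeOrigin: true });
const both = rewriteHeaders(browserHeaders, TARGET, { changeOrigin: true, rewriteOrigin: true });

console.log(hostOnly.host, originAccepted(hostOnly, ALLOWED));
console.log(both.origin, originAccepted(both, ALLOWED));
```

A target that includes a path or trailing slash never equals a browser-style Origin value, which is why the example derives the header from `URL.origin` instead of the raw target string.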