From ba0d0daf9cfcae74c5012c47bf435e532b1355bd Mon Sep 17 00:00:00 2001 From: Dan Abramov Date: Sat, 20 May 2017 18:34:16 +0100 Subject: [PATCH] Only enable host check if you use proxy, and add a way to opt out of it (#2288) * Disable host check if you don't use proxy * Add a way to opt out and document it --- .../config/webpackDevServer.config.js | 18 +++++++++++++ packages/react-scripts/template/README.md | 27 +++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/packages/react-scripts/config/webpackDevServer.config.js b/packages/react-scripts/config/webpackDevServer.config.js index 8d7eb0f1b5e..94d8c665197 100644 --- a/packages/react-scripts/config/webpackDevServer.config.js +++ b/packages/react-scripts/config/webpackDevServer.config.js @@ -19,6 +19,24 @@ const host = process.env.HOST || '0.0.0.0'; module.exports = function(proxy, allowedHost) { return { + // WebpackDevServer 2.4.3 introduced a security fix that prevents remote + // websites from potentially accessing local content through DNS rebinding: + // https://github.com/webpack/webpack-dev-server/issues/887 + // https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a + // However, it made several existing use cases such as development in cloud + // environment or subdomains in development significantly more complicated: + // https://github.com/facebookincubator/create-react-app/issues/2271 + // https://github.com/facebookincubator/create-react-app/issues/2233 + // While we're investigating better solutions, for now we will take a + // compromise. Since our WDS configuration only serves files in the `public` + // folder we won't consider accessing them a vulnerability. However, if you + // use the `proxy` feature, it gets more dangerous because it can expose + // remote code execution vulnerabilities in backends like Django and Rails. + // So we will disable the host check normally, but enable it if you have + // specified the `proxy` setting. Finally, we let you override it if you + // really know what you're doing with a special environment variable. + disableHostCheck: !proxy || + process.env.DANGEROUSLY_DISABLE_HOST_CHECK === 'true', // Enable gzip compression of generated files. compress: true, // Silence WebpackDevServer's own logs since they're generally not useful. diff --git a/packages/react-scripts/template/README.md b/packages/react-scripts/template/README.md index c7ce127ff40..25b469fb680 100644 --- a/packages/react-scripts/template/README.md +++ b/packages/react-scripts/template/README.md @@ -42,6 +42,7 @@ You can find the most recent version of this guide [here](https://github.com/fac - [Node](#node) - [Ruby on Rails](#ruby-on-rails) - [Proxying API Requests in Development](#proxying-api-requests-in-development) + - ["Invalid Host Header" Errors After Configuring Proxy](#invalid-host-header-errors-after-configuring-proxy) - [Configuring the Proxy Manually](#configuring-the-proxy-manually) - [Using HTTPS in Development](#using-https-in-development) - [Generating Dynamic `` Tags on the Server](#generating-dynamic-meta-tags-on-the-server) @@ -897,6 +898,32 @@ If the `proxy` option is **not** flexible enough for you, alternatively you can: * Enable CORS on your server ([here’s how to do it for Express](http://enable-cors.org/server_expressjs.html)). * Use [environment variables](#adding-custom-environment-variables) to inject the right server host and port into your app. +### "Invalid Host Header" Errors After Configuring Proxy + +When you enable the `proxy` option, you opt into a more strict set of host checks. This is necessary because leaving the backend open to remote hosts makes your computer vulnerable to DNS rebinding attacks. The issue is explained in [this article](https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a) and [this issue](https://github.com/webpack/webpack-dev-server/issues/887). + +This shouldn’t affect you when developing on `localhost`, but if you develop remotely like [described here](https://github.com/facebookincubator/create-react-app/issues/2271), you will see this error in the browser after enabling the `proxy` option: + +>Invalid Host header + +To work around it, you can specify your public development host in a file called `.env.development` in the root of your project: + +``` +HOST=mypublicdevhost.com +``` + +If you restart the development server now and load the app from the specified host, it should work. + +If you are still having issues or if you’re using a more exotic environment like a cloud editor, you can bypass the host check completely by adding a line to `.env.development.local`. **Note that this is dangerous and exposes your machine to remote code execution from malicious websites:** + +``` +# NOTE: THIS IS DANGEROUS! +# It exposes your machine to attacks from the websites you visit. +DANGEROUSLY_DISABLE_HOST_CHECK=true +``` + +We don’t recommend this approach. + ### Configuring the Proxy Manually >Note: this feature is available with `react-scripts@1.0.0` and higher.