{"id":17101,"library":"host-validation-middleware","title":"Host Validation Middleware","description":"host-validation-middleware is an npm package providing Connect/Express-compatible middleware designed to protect against DNS rebinding attacks by validating the `Host` header in incoming HTTP requests. The current stable version is 0.1.4, indicating it's still in an early development phase but receives maintenance patches. It differentiates itself by offering flexible host matching, including subdomain wildcard support (e.g., `.mydomain.com`), and automatically allowing `localhost` and IP addresses which are not susceptible to DNS rebinding. While crucial for HTTP development environments, the package explicitly notes that its utility is significantly reduced for HTTPS production sites, as DNS rebinding attacks are generally ineffective against encrypted connections. Its core logic is inspired by the `allowedHosts` option found in `webpack-dev-server`.","status":"active","version":"0.1.4","language":"javascript","source_language":"en","source_url":"https://github.com/sapphi-red/host-validation-middleware","tags":["javascript","connect","development","express","middleware"],"install":[{"cmd":"npm install host-validation-middleware","lang":"bash","label":"npm"},{"cmd":"yarn add host-validation-middleware","lang":"bash","label":"yarn"},{"cmd":"pnpm add host-validation-middleware","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is an ES Module; CommonJS `require()` is not supported directly and will lead to errors.","wrong":"const { hostValidationMiddleware } = require('host-validation-middleware')","symbol":"hostValidationMiddleware","correct":"import { hostValidationMiddleware } from 'host-validation-middleware'"},{"note":"The `isHostAllowed` utility function is also exported as an ES Module, requiring `import` syntax.","wrong":"const { isHostAllowed } = require('host-validation-middleware')","symbol":"isHostAllowed","correct":"import { isHostAllowed } from 'host-validation-middleware'"}],"quickstart":{"code":"import connect from 'connect';\nimport { hostValidationMiddleware } from 'host-validation-middleware';\n\nconst app = connect();\n\napp.use(\n  hostValidationMiddleware({\n    allowedHosts: Object.freeze(['example.com', '.mydomain.com', 'localhost:3000']),\n    generateErrorMessage: (hostname) => `Access denied for host: ${hostname}`,\n    errorResponseContentType: 'text/plain'\n  })\n);\n\napp.use((req, res) => {\n  res.end('Hello, world!');\n});\n\napp.listen(3000, () => {\n  console.log('Server running on http://localhost:3000');\n});","lang":"typescript","description":"Demonstrates setting up host validation with Connect, allowing specified domains and subdomains, and customizing error responses."},"warnings":[{"fix":"Consider if this middleware is truly needed in your production HTTPS setup. It's primarily beneficial for HTTP development servers.","message":"DNS rebinding attacks are generally ineffective against HTTPS sites. This middleware's utility is significantly reduced, and often unnecessary, for production environments where HTTPS is universally used.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Ensure your project is configured for ES Modules by using `import` statements and setting `\"type\": \"module\"` in `package.json`, or by using `.mjs` file extensions.","message":"This package is an ES Module and provides only ES Module exports. Direct `require()` calls in CommonJS environments will fail with module resolution errors (e.g., 'ERR_UNSUPPORTED_DIR_IMPORT' or 'is not a function').","severity":"breaking","affected_versions":">=0.1.0"},{"fix":"Thoroughly test your `allowedHosts` configuration. Use the `.` prefix for subdomains as intended (e.g., `['.yourdomain.com']`). Remember that `localhost` and IP addresses are always allowed automatically.","message":"The `allowedHosts` option requires careful configuration. A value like `example.com` only matches the exact domain, while `.example.com` allows `example.com` and all its subdomains. Misunderstanding this can lead to legitimate requests being blocked.","severity":"gotcha","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Update your import statement to use ES Module syntax: `import { hostValidationMiddleware } from 'host-validation-middleware';` and ensure your Node.js environment supports ES Modules.","cause":"Attempting to use CommonJS `require()` syntax to import `hostValidationMiddleware` from an ES Module package.","error":"TypeError: (0 , host_validation_middleware_1.hostValidationMiddleware) is not a function"},{"fix":"Review the `allowedHosts` array in your `hostValidationMiddleware` configuration. Verify that the requested host (e.g., `mydomain.com`, `sub.mydomain.com`) is correctly listed or covered by a wildcard entry (e.g., `.mydomain.com`). Also, check for typos in the host header being sent by the client.","cause":"The `Host` header of the incoming HTTP request does not match any of the allowed patterns configured in `allowedHosts`.","error":"403 Forbidden (HTTP response)"},{"fix":"Either convert the importing file to an ES Module (by adding `\"type\": \"module\"` to your `package.json` or changing the file extension to `.mjs`) or refactor to use dynamic `import()` within the CommonJS context if absolutely necessary, though direct ESM conversion is preferred for modern Node.js applications.","cause":"A CommonJS file is trying to import an ES Module package, and Node.js cannot resolve the module graph correctly due to the mismatch.","error":"ERR_UNSUPPORTED_DIR_IMPORT"}],"ecosystem":"npm","meta_description":null}