disallow setting host header in fetch by KhafraDev · Pull Request #2322 · nodejs/undici (original) (raw)

this matches what cloudflare workers and deno do

FWIW, the reason Cloudflare Workers does this is arguably pretty specific to Cloudflare: Many origin servers that sit behind Cloudflare are configured to allowlist Cloudflare IPs and use host header verification to make sure that requests coming from Cloudflare actually came through their Cloudflare account. This was true before Workers was introduced. So allowing Workers to rewrite host headers would have allowed bypassing security configuration on existing origin servers.

Browsers, of course, need to restrict setting of the Host header because otherwise all kinds of CORS bypass would be possible. However, CORS really only applies to browsers, not servers. (Even Cloudflare doesn't implement CORS restrictions.)

I'm not sure if there's any need for Node to implement the same restriction, and indeed the ability to rewrite the host header is usually necessary when implementing reverse proxies, since you typically want the upstream app server to receive the original host header as sent by the browser, not a host header specifying its internal hostname.