Security fix:
This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.
The Host header of the request have to match the listening adress or the host provided in the public option.
Make sure to provide correct values here.
The response will contain a note when using an incorrect Host header.
For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.
This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2
Note: This only affect the development server and middleware. webpack and built bundles are not affected.
Credits to Ed Morley from Mozilla for reporting the issue.
Bugfixes:
- Requests are not blocked when
Hostdoesn't match listening host orpublicoption. - Requests to
localhostor127.0.0.1are not blocked.
Features:
- Added
disableHostCheckoption to disable the host check