`server.allowedHosts` ignored by `@astrojs/cloudflare` preview

[adamchal]

Astro Info

Astro                    v6.1.3
Vite                     v7.3.1
Node                     v25.8.2
System                   macOS (x64)
Package Manager          npm
Output                   static
Adapter                  @astrojs/cloudflare (v13.1.7)
Integrations             none

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

server.allowedHosts (and vite.preview.allowedHosts) are ignored when using astro preview with the @astrojs/cloudflare adapter. Requests with non-localhost Host headers are blocked with a 403.

This was fixed for the static preview server in #16104, but the @astrojs/cloudflare adapter has its own preview entrypoint that is not covered by that fix.

Reproduce

npm install
npm run build
npm run preview
# In another terminal:
curl -H "Host: foo.example.com" http://localhost:4010/

Actual

< HTTP/1.1 403 Forbidden

Blocked request. This host ("foo.example.com") is not allowed.
To allow this host, add "foo.example.com" to `preview.allowedHosts` in vite.config.js.

What's the expected result?

200 response (.example.com is in server.allowedHosts).

---

Root cause

Two issues:

1. astro core does not pass server.allowedHosts to adapter preview entrypoints.
   In packages/astro/src/core/preview/index.ts, the call to previewModule.default() includes host, port, headers, etc. but omits allowedHosts.

2. @astrojs/cloudflare preview entrypoint hardcodes allowedHosts: [].
   In packages/cloudflare/src/entrypoints/preview.ts, the Vite preview config sets allowedHosts: [], ignoring any user configuration.

Workaround

Patch the adapter's preview entrypoint via a postinstall script in package.json:

"postinstall": "node -e \"let f=require('node:fs'),p='node_modules/@astrojs/cloudflare/dist/entrypoints/preview.js';f.existsSync(p)&&f.writeFileSync(p,f.readFileSync(p,'utf8').replace('allowedHosts: []','allowedHosts: true'))\""

Link to Minimal Reproducible Example

https://github.com/adamchal/astro-cloudflare-preview-allowedhosts

Participation

• I am willing to submit a pull request for this issue.

[matthewp]

Astro has its own allowedHosts config, security.allowedHosts, does that work?

[astrobot-houston]

I was able to reproduce this issue. The root cause is twofold: (1) packages/astro/src/core/preview/index.ts did not pass server.allowedHosts from the Astro config to adapter preview entrypoints, and (2) packages/integrations/cloudflare/src/entrypoints/preview.ts hardcoded allowedHosts: [], ignoring any user configuration. This means that when using astro preview with the @astrojs/cloudflare adapter, requests with non-localhost Host headers are always blocked with a 403, regardless of the user's server.allowedHosts setting.

I was able to fix this issue. The fix adds allowedHosts to the PreviewServerParams interface, passes settings.config.server.allowedHosts from the core preview entrypoint to adapters, and updates the Cloudflare adapter's preview entrypoint to use the passed value (allowedHosts ?? []) instead of hardcoding an empty array. View Suggested Fix

P3: minor bug. This affects users of the @astrojs/cloudflare adapter (and potentially other adapters with custom preview entrypoints) who configure server.allowedHosts and use astro preview behind a reverse proxy or with non-localhost Host headers. The reporter provided a working postinstall-script workaround, and the issue is limited to the preview command (not production builds or dev).

Full Triage Report

No report.md was found in the triage directory. The following analysis was performed directly from the codebase and git history.

Reproduction

The issue is confirmed by inspecting the code prior to the fix. Before commit 87f8705262:

• packages/astro/src/core/preview/index.ts passed host, port, headers, base, logger, and root to adapter preview entrypoints, but omitted allowedHosts.
• packages/integrations/cloudflare/src/entrypoints/preview.ts set allowedHosts: [] in the Vite preview config, which causes Vite to block any non-localhost Host header with a 403.

Prior Fix for Static Preview

PR #16104 (commit 47a394d7cf) fixed a similar issue for the static preview server in packages/astro/src/core/preview/static-preview-server.ts, but did not address adapter preview entrypoints.

Fix Details (commit 87f8705262)

Three files were changed:

1. packages/astro/src/types/public/preview.ts — Added allowedHosts?: string[] | true to the PreviewServerParams interface, making it available to all adapter preview entrypoints.

2. packages/astro/src/core/preview/index.ts — Added allowedHosts: settings.config.server.allowedHosts to the params passed to previewModule.default().

3. packages/integrations/cloudflare/src/entrypoints/preview.ts — Destructured allowedHosts from params and changed allowedHosts: [] to allowedHosts: allowedHosts ?? [], so the user's config is respected while still defaulting to an empty array if not provided.

This report was made by an LLM. Mistakes happen, check important info.

[adamchal]

Astro has its own allowedHosts config, security.allowedHosts, does that work?

I have tried every combination of setting server.allowedHosts, security.allowedDomains, vite.server.allowedHosts, vite.preview.allowedHosts. Nothing makes it to the @astrojs/cloudflare preview endpoint used during astro preview.