Builder-Vite: Fix logic related to setting allowedHosts when IP address used

[JSMike]

Related to #30523, #30432, and #30338

What I did

Previous PR set allowedHosts to true by default, this was reverted but no longer set the allowedHosts value when an IP address was used for options.host.

This change sets allowedHosts to true only if allowedHosts is undefined and an IP address is passed as the host. Otherwise no hostname other than 'localhost' would be allowed to access the devserver.

Note, this is my personal opinion on what the logic should be, to more closely align with existing functionality prior to the breaking change from Vite. If, for security reasons, this is not desired then updating the PR to add a warning to the console would be another good option, along with additional documentation on setting allowedHosts when using the Vite dev-server with Storybook.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

• stories
• unit tests
• integration tests
• end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

• Add or update documentation reflecting your changes
• If you are deprecating/removing a feature, make sure to update
  MIGRATION.MD

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

Greptile Summary

This PR enhances Vite server security in Storybook by implementing stricter host access controls while maintaining flexibility for custom configurations.

• Modified code/builders/builder-vite/src/vite-server.ts to restrict access to localhost by default, following Vite's secure practices
• Added support for IP-based host access through conditional allowedHosts configuration
• Implemented clear error messaging in both console and iframe for unauthorized host access
• Added ability to override host restrictions via --host CLI flag or viteFinal config
• Fixed host validation logic when using IP addresses as server hosts

The changes improve security while maintaining backward compatibility and providing clear paths for customization when needed.

_{💡 (3/5) Reply to the bot's comments like "Can you suggest a fix for this @greptileai?" or ask follow-up questions!}

[greptile-apps]

_{1 file(s) reviewed, 1 comment(s)
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

style: Check for undefined/null specifically rather than falsy values to avoid overriding empty arrays

[JSMike]

Empty array should likely be overridden if options.host is set.

[JSMike]

@JReinhold @valentinpalkovic https://github.com/storybookjs/storybook/pull/30523/files#r2079670800

Thanks for the explanation @JSMike. ❤️

Could you open a PR adding the required logic back, with an explanation of which problem it solves? Sounds like you know a lot about this problem already.

[greptile-apps]

_{1 file(s) reviewed, 1 comment(s)
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

style: Consider adding a warning log when allowing all hosts, as this reduces security

[JSMike]

A warning here would be appropriate, let me know what you'd like the warning message to be.

Or, if you'd prefer to not set allowedHosts to true then this would be a good place to add a warning to inform users that only the direct IP address and localhost will be allowed and that other hostnames will be rejected unless an allowedHosts array is added to the viteFinal.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit e0104b5.

Command	Status	Duration	Result
nx run-many -t build --parallel=3	✅ Succeeded	1m 26s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-05-30 02:06:35 UTC