Webpack 4 Hot Reload: Invalid Host/Origin header

This issue is probably caused by this webpack-dev-server issue that has been fixed recently.

To avoid getting the Invalid Host/Origin header error add this to your devServer entry:

disableHostCheck: true

Is your page hosted at a different domain than your webpack files are being served from? If so, you might just need to add the page's domain to the devServer.allowedHosts option.


Set allowedHosts, https://webpack.js.org/configuration/dev-server/#devserverallowedhosts. For example, if your web page is xyz.google.com, then just add a host .google.com to it.


If this is on Firefox, you can fix it by setting network.http.sendOriginHeader to 1 in about:config.

This "Invalid Host/Origin header" error occurs on Firefox because Firefox still does not sent Origin header with same-origin POST requests, and webpack-dev-server insists on having it.

(Really, webpack-dev-server should only check the Origin header when it's present.)

Avoid disableHostCheck! It's dangerous even in your local dev environment! It allows attackers to connect to your dev environment when you visit an unrelated site with malicious code. It seems really bad.