[miniflare] Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

[petebacondarwin]

Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes. A request whose Host or Origin hostname was a subdomain of an exact configured route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was therefore incorrectly accepted on /cdn-cgi/* endpoints, including the local explorer API. The same applied to the configured upstream hostname.

The validator in packages/miniflare/src/workers/core/entry.worker.ts now keeps exact and wildcard hosts in separate buckets. Exact configured routes and the configured upstream hostname must match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

This also covers wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

---

• Tests
  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows:
  • Additional testing not necessary because:
• Public documentation
  • Cloudflare docs PR(s):
  • Documentation not necessary because: this is an internal change to /cdn-cgi/* host validation in Miniflare; there is no public API or user-facing configuration change.

---

[changeset-bot]

🦋 Changeset detected

Latest commit: 13d3ccc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages

Name	Type
miniflare	Patch
wrangler	Patch
@cloudflare/vite-plugin	Patch
@cloudflare/pages-shared	Patch
@cloudflare/vitest-pool-workers	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[workers-devprod]

Codeowners approval required for this PR:

• @cloudflare/wrangler

Show detailed file reviewers

• .changeset/fix-cdn-cgi-host-validation.md: [@cloudflare/wrangler]
• packages/miniflare/src/workers/core/entry.worker.ts: [@cloudflare/wrangler]
• packages/miniflare/test/plugins/local-explorer/index.spec.ts: [@cloudflare/wrangler]

[ask-bonk]

I've now thoroughly reviewed the PR. Let me verify my understanding of the logic:

1. Before this PR: All configured route hostnames (both exact like my-custom-site.com/* and wildcard like *.example.com/*) were put into a single allowedHostnames set. The isHostnameAllowed function then did subdomain matching (endsWith) against all of them. This meant sub.my-custom-site.com would be incorrectly accepted for an exact route my-custom-site.com/*.

2. After this PR: Routes are split into exactHostnames and wildcardHostnames. Exact routes require exact match via Set.has(). Only wildcard routes allow subdomain matching via endsWith. The upstream hostname is also treated as exact-only.

The logic is correct. The allowHostnamePrefix flag from parseRoutes is the right discriminator — it's true only for routes starting with * (like *.example.com/*). The hostname field has the leading * stripped (leaving .example.com), and the code correctly strips the leading . before adding to the set.

The wildcard matching in isHostnameAllowed checks both hostname === allowed (base domain match) and hostname.endsWith(.${allowed}) (subdomain match with dot boundary), which correctly prevents notexample.com from matching example.com.

Tests are comprehensive: they cover exact route subdomain blocking, look-alike hostname blocking, wildcard deep subdomain allowing, wildcard look-alike sibling blocking, and upstream hostname exact/subdomain validation.

The changeset is properly formatted and scoped. The code is clean and well-commented.

LGTM

github run

[github-actions]

Changeset Review

✅ All changesets look good

.changeset/fix-cdn-cgi-host-validation.md

• Version Type: Patch is correct — this is a bug fix for incorrect host validation.
• Changelog Quality: Clear and descriptive. Explains the bug (exact routes treated as wildcards), the symptom (subdomains incorrectly accepted), the fix (exact matching for exact routes, wildcard matching only for wildcard routes), and the user impact (affects wrangler dev and @cloudflare/vite-plugin).
• Markdown Headers: None present.
• Analytics: Not applicable.
• Dependabot: Not applicable.
• Experimental Features: Not applicable.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13912

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13912

miniflare

npm i https://pkg.pr.new/miniflare@13912

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13912

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13912

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13912

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13912

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13912

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@13912

wrangler

npm i https://pkg.pr.new/wrangler@13912

commit: 13d3ccc