vinext 0.0.52 → 0.0.54

package/dist/server/prerender-route-params.js

@@ -0,0 +1,94 @@
+import { VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER } from "./headers.js";
+import { isUnknownRecord } from "../utils/record.js";
+//#region src/server/prerender-route-params.ts
+function isPrerenderRouteParams(value) {
+	if (!isUnknownRecord(value)) return false;
+	for (const [, param] of Object.entries(value)) {
+		if (typeof param === "string") continue;
+		if (Array.isArray(param) && param.every((item) => typeof item === "string")) continue;
+		return false;
+	}
+	return true;
+}
+function isPrerenderRouteParamsPayload(value) {
+	if (!isUnknownRecord(value)) return false;
+	if (Object.keys(value).length !== 2) return false;
+	return typeof value.routePattern === "string" && value.routePattern.startsWith("/") && isPrerenderRouteParams(value.params);
+}
+function serializePrerenderRouteParamsHeader(payload) {
+	if (payload === null || Object.keys(payload.params).length === 0) return null;
+	return encodeURIComponent(JSON.stringify(payload));
+}
+function parsePrerenderRouteParamsHeader(value) {
+	if (value === null || value === "") return null;
+	try {
+		const parsed = JSON.parse(decodeURIComponent(value));
+		return isPrerenderRouteParamsPayload(parsed) ? parsed : null;
+	} catch {
+		return null;
+	}
+}
+function readTrustedPrerenderRouteParamsFromHeaders(headers, expectedSecret) {
+	if (process.env.VINEXT_PRERENDER !== "1") return null;
+	const secret = headers.get(VINEXT_PRERENDER_SECRET_HEADER);
+	if (secret === null) return null;
+	if (expectedSecret !== void 0 && secret !== expectedSecret) return null;
+	const header = headers.get(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER);
+	if (header === null) return null;
+	const params = parsePrerenderRouteParamsHeader(header);
+	if (params === null) throw new Error("[vinext] Invalid internal prerender route params header.");
+	return params;
+}
+function readTrustedPrerenderRouteParams(request) {
+	return readTrustedPrerenderRouteParamsFromHeaders(request.headers);
+}
+function decodePrerenderRouteParam(value) {
+	try {
+		return decodeURIComponent(value);
+	} catch {
+		return null;
+	}
+}
+function decodedPrerenderRouteParamEquals(prerenderValue, matchedValue) {
+	if (Array.isArray(prerenderValue) || Array.isArray(matchedValue)) {
+		if (!Array.isArray(prerenderValue) || !Array.isArray(matchedValue)) return false;
+		if (prerenderValue.length !== matchedValue.length) return false;
+		return prerenderValue.every((item, index) => {
+			const decoded = decodePrerenderRouteParam(item);
+			return decoded !== null && decoded === matchedValue[index];
+		});
+	}
+	const decoded = decodePrerenderRouteParam(prerenderValue);
+	return decoded !== null && decoded === matchedValue;
+}
+function prerenderRouteParamsPayloadMatchesRoute(payload, routePattern, params) {
+	if (payload === null) return false;
+	if (payload.routePattern !== routePattern) return false;
+	if (Object.keys(payload.params).length !== Object.keys(params).length) return false;
+	for (const [key, prerenderValue] of Object.entries(payload.params)) {
+		const matchedValue = params[key];
+		if (matchedValue === void 0) return false;
+		if (!decodedPrerenderRouteParamEquals(prerenderValue, matchedValue)) return false;
+	}
+	return true;
+}
+function encodePrerenderRouteParams(pattern, params) {
+	const encoded = {};
+	for (const part of pattern.split("/").filter(Boolean)) {
+		let paramName = null;
+		if (part.startsWith(":") && (part.endsWith("+") || part.endsWith("*"))) paramName = part.slice(1, -1);
+		else if (part.startsWith(":")) paramName = part.slice(1);
+		if (paramName === null) continue;
+		const value = params[paramName];
+		if (Array.isArray(value)) encoded[paramName] = value.map((item) => encodeURIComponent(item));
+		else if (typeof value === "string") encoded[paramName] = encodeURIComponent(value);
+	}
+	return Object.keys(encoded).length > 0 ? {
+		routePattern: pattern,
+		params: encoded
+	} : null;
+}
+//#endregion
+export { encodePrerenderRouteParams, prerenderRouteParamsPayloadMatchesRoute, readTrustedPrerenderRouteParams, readTrustedPrerenderRouteParamsFromHeaders, serializePrerenderRouteParamsHeader };
+
+//# sourceMappingURL=prerender-route-params.js.map

package/dist/server/prerender-route-params.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prerender-route-params.js","names":[],"sources":["../../src/server/prerender-route-params.ts"],"sourcesContent":["import { VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER } from \"./headers.js\";\nimport { isUnknownRecord } from \"../utils/record.js\";\n\nexport type PrerenderRouteParams = Record<string, string | string[]>;\n\nexport type PrerenderRouteParamsPayload = {\n  params: PrerenderRouteParams;\n  routePattern: string;\n};\n\nfunction isPrerenderRouteParams(value: unknown): value is PrerenderRouteParams {\n  if (!isUnknownRecord(value)) return false;\n\n  for (const [, param] of Object.entries(value)) {\n    if (typeof param === \"string\") continue;\n    if (Array.isArray(param) && param.every((item) => typeof item === \"string\")) continue;\n    return false;\n  }\n\n  return true;\n}\n\nfunction isPrerenderRouteParamsPayload(value: unknown): value is PrerenderRouteParamsPayload {\n  if (!isUnknownRecord(value)) return false;\n  if (Object.keys(value).length !== 2) return false;\n  return (\n    typeof value.routePattern === \"string\" &&\n    value.routePattern.startsWith(\"/\") &&\n    isPrerenderRouteParams(value.params)\n  );\n}\n\n// A payload with no dynamic params serializes to `null`, which is\n// indistinguishable from an absent header on the read side. This is intentional:\n// the only producer, `encodePrerenderRouteParams`, already returns `null` for\n// param-less patterns, so an empty-params payload never carries information worth\n// propagating. Routes with no dynamic segments need no encoded-render override.\nexport function serializePrerenderRouteParamsHeader(\n  payload: PrerenderRouteParamsPayload | null,\n): string | null {\n  if (payload === null || Object.keys(payload.params).length === 0) return null;\n  return encodeURIComponent(JSON.stringify(payload));\n}\n\nfunction parsePrerenderRouteParamsHeader(value: string | null): PrerenderRouteParamsPayload | null {\n  if (value === null || value === \"\") return null;\n\n  try {\n    const parsed: unknown = JSON.parse(decodeURIComponent(value));\n    return isPrerenderRouteParamsPayload(parsed) ? parsed : null;\n  } catch {\n    return null;\n  }\n}\n\nexport function readTrustedPrerenderRouteParamsFromHeaders(\n  headers: Headers,\n  expectedSecret?: string,\n): PrerenderRouteParamsPayload | null {\n  if (process.env.VINEXT_PRERENDER !== \"1\") return null;\n  const secret = headers.get(VINEXT_PRERENDER_SECRET_HEADER);\n  if (secret === null) return null;\n  if (expectedSecret !== undefined && secret !== expectedSecret) return null;\n  const header = headers.get(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER);\n  if (header === null) return null;\n  const params = parsePrerenderRouteParamsHeader(header);\n  if (params === null) {\n    throw new Error(\"[vinext] Invalid internal prerender route params header.\");\n  }\n  return params;\n}\n\n// Convenience wrapper for reads that happen AFTER the prerender secret has\n// already been verified at the trust boundary. The only entry point that\n// receives raw external input, `prod-server`'s `nodeToWebRequest`, calls\n// `readTrustedPrerenderRouteParamsFromHeaders` WITH `expectedSecret` and\n// re-serializes the validated payload onto a clean header. Every downstream\n// reader (the App Router handler) therefore operates on an already-trusted\n// request and deliberately omits `expectedSecret`. The `VINEXT_PRERENDER=1`\n// gate still ensures this never activates outside the build-time prerender\n// phase. Do not call this on unverified external input.\nexport function readTrustedPrerenderRouteParams(\n  request: Request,\n): PrerenderRouteParamsPayload | null {\n  return readTrustedPrerenderRouteParamsFromHeaders(request.headers);\n}\n\nfunction decodePrerenderRouteParam(value: string): string | null {\n  try {\n    return decodeURIComponent(value);\n  } catch {\n    return null;\n  }\n}\n\nfunction decodedPrerenderRouteParamEquals(\n  prerenderValue: string | string[],\n  matchedValue: string | string[],\n): boolean {\n  if (Array.isArray(prerenderValue) || Array.isArray(matchedValue)) {\n    if (!Array.isArray(prerenderValue) || !Array.isArray(matchedValue)) return false;\n    if (prerenderValue.length !== matchedValue.length) return false;\n\n    return prerenderValue.every((item, index) => {\n      const decoded = decodePrerenderRouteParam(item);\n      return decoded !== null && decoded === matchedValue[index];\n    });\n  }\n\n  const decoded = decodePrerenderRouteParam(prerenderValue);\n  return decoded !== null && decoded === matchedValue;\n}\n\nexport function prerenderRouteParamsPayloadMatchesRoute(\n  payload: PrerenderRouteParamsPayload | null,\n  routePattern: string,\n  params: PrerenderRouteParams,\n): payload is PrerenderRouteParamsPayload {\n  if (payload === null) return false;\n  if (payload.routePattern !== routePattern) return false;\n\n  const prerenderParamKeys = Object.keys(payload.params);\n  if (prerenderParamKeys.length !== Object.keys(params).length) return false;\n\n  for (const [key, prerenderValue] of Object.entries(payload.params)) {\n    const matchedValue = params[key];\n    if (matchedValue === undefined) return false;\n    if (!decodedPrerenderRouteParamEquals(prerenderValue, matchedValue)) return false;\n  }\n\n  return true;\n}\n\nexport function encodePrerenderRouteParams(\n  pattern: string,\n  params: PrerenderRouteParams,\n): PrerenderRouteParamsPayload | null {\n  const encoded: PrerenderRouteParams = {};\n\n  for (const part of pattern.split(\"/\").filter(Boolean)) {\n    let paramName: string | null = null;\n    if (part.startsWith(\":\") && (part.endsWith(\"+\") || part.endsWith(\"*\"))) {\n      paramName = part.slice(1, -1);\n    } else if (part.startsWith(\":\")) {\n      paramName = part.slice(1);\n    }\n\n    if (paramName === null) continue;\n    const value = params[paramName];\n    if (Array.isArray(value)) {\n      encoded[paramName] = value.map((item) => encodeURIComponent(item));\n    } else if (typeof value === \"string\") {\n      encoded[paramName] = encodeURIComponent(value);\n    }\n  }\n\n  return Object.keys(encoded).length > 0 ? { routePattern: pattern, params: encoded } : null;\n}\n"],"mappings":";;;AAUA,SAAS,uBAAuB,OAA+C;CAC7E,IAAI,CAAC,gBAAgB,MAAM,EAAE,OAAO;CAEpC,KAAK,MAAM,GAAG,UAAU,OAAO,QAAQ,MAAM,EAAE;EAC7C,IAAI,OAAO,UAAU,UAAU;EAC/B,IAAI,MAAM,QAAQ,MAAM,IAAI,MAAM,OAAO,SAAS,OAAO,SAAS,SAAS,EAAE;EAC7E,OAAO;;CAGT,OAAO;;AAGT,SAAS,8BAA8B,OAAsD;CAC3F,IAAI,CAAC,gBAAgB,MAAM,EAAE,OAAO;CACpC,IAAI,OAAO,KAAK,MAAM,CAAC,WAAW,GAAG,OAAO;CAC5C,OACE,OAAO,MAAM,iBAAiB,YAC9B,MAAM,aAAa,WAAW,IAAI,IAClC,uBAAuB,MAAM,OAAO;;AASxC,SAAgB,oCACd,SACe;CACf,IAAI,YAAY,QAAQ,OAAO,KAAK,QAAQ,OAAO,CAAC,WAAW,GAAG,OAAO;CACzE,OAAO,mBAAmB,KAAK,UAAU,QAAQ,CAAC;;AAGpD,SAAS,gCAAgC,OAA0D;CACjG,IAAI,UAAU,QAAQ,UAAU,IAAI,OAAO;CAE3C,IAAI;EACF,MAAM,SAAkB,KAAK,MAAM,mBAAmB,MAAM,CAAC;EAC7D,OAAO,8BAA8B,OAAO,GAAG,SAAS;SAClD;EACN,OAAO;;;AAIX,SAAgB,2CACd,SACA,gBACoC;CACpC,IAAI,QAAQ,IAAI,qBAAqB,KAAK,OAAO;CACjD,MAAM,SAAS,QAAQ,IAAI,+BAA+B;CAC1D,IAAI,WAAW,MAAM,OAAO;CAC5B,IAAI,mBAAmB,KAAA,KAAa,WAAW,gBAAgB,OAAO;CACtE,MAAM,SAAS,QAAQ,IAAI,qCAAqC;CAChE,IAAI,WAAW,MAAM,OAAO;CAC5B,MAAM,SAAS,gCAAgC,OAAO;CACtD,IAAI,WAAW,MACb,MAAM,IAAI,MAAM,2DAA2D;CAE7E,OAAO;;AAYT,SAAgB,gCACd,SACoC;CACpC,OAAO,2CAA2C,QAAQ,QAAQ;;AAGpE,SAAS,0BAA0B,OAA8B;CAC/D,IAAI;EACF,OAAO,mBAAmB,MAAM;SAC1B;EACN,OAAO;;;AAIX,SAAS,iCACP,gBACA,cACS;CACT,IAAI,MAAM,QAAQ,eAAe,IAAI,MAAM,QAAQ,aAAa,EAAE;EAChE,IAAI,CAAC,MAAM,QAAQ,eAAe,IAAI,CAAC,MAAM,QAAQ,aAAa,EAAE,OAAO;EAC3E,IAAI,eAAe,WAAW,aAAa,QAAQ,OAAO;EAE1D,OAAO,eAAe,OAAO,MAAM,UAAU;GAC3C,MAAM,UAAU,0BAA0B,KAAK;GAC/C,OAAO,YAAY,QAAQ,YAAY,aAAa;IACpD;;CAGJ,MAAM,UAAU,0BAA0B,eAAe;CACzD,OAAO,YAAY,QAAQ,YAAY;;AAGzC,SAAgB,wCACd,SACA,cACA,QACwC;CACxC,IAAI,YAAY,MAAM,OAAO;CAC7B,IAAI,QAAQ,iBAAiB,cAAc,OAAO;CAGlD,IAD2B,OAAO,KAAK,QAAQ,OACzB,CAAC,WAAW,OAAO,KAAK,OAAO,CAAC,QAAQ,OAAO;CAErE,KAAK,MAAM,CAAC,KAAK,mBAAmB,OAAO,QAAQ,QAAQ,OAAO,EAAE;EAClE,MAAM,eAAe,OAAO;EAC5B,IAAI,iBAAiB,KAAA,GAAW,OAAO;EACvC,IAAI,CAAC,iCAAiC,gBAAgB,aAAa,EAAE,OAAO;;CAG9E,OAAO;;AAGT,SAAgB,2BACd,SACA,QACoC;CACpC,MAAM,UAAgC,EAAE;CAExC,KAAK,MAAM,QAAQ,QAAQ,MAAM,IAAI,CAAC,OAAO,QAAQ,EAAE;EACrD,IAAI,YAA2B;EAC/B,IAAI,KAAK,WAAW,IAAI,KAAK,KAAK,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI,GACnE,YAAY,KAAK,MAAM,GAAG,GAAG;OACxB,IAAI,KAAK,WAAW,IAAI,EAC7B,YAAY,KAAK,MAAM,EAAE;EAG3B,IAAI,cAAc,MAAM;EACxB,MAAM,QAAQ,OAAO;EACrB,IAAI,MAAM,QAAQ,MAAM,EACtB,QAAQ,aAAa,MAAM,KAAK,SAAS,mBAAmB,KAAK,CAAC;OAC7D,IAAI,OAAO,UAAU,UAC1B,QAAQ,aAAa,mBAAmB,MAAM;;CAIlD,OAAO,OAAO,KAAK,QAAQ,CAAC,SAAS,IAAI;EAAE,cAAc;EAAS,QAAQ;EAAS,GAAG"}

package/dist/server/prod-server.d.ts

@@ -1,4 +1,5 @@
 import { StaticFileCache } from "./static-file-cache.js";
+import { resolveRequestHost, trustProxy, trustedHosts } from "./proxy-trust.js";
 import * as _$node_http0 from "node:http";
 import { IncomingMessage, ServerResponse } from "node:http";
 
@@ -50,27 +51,6 @@ declare function sendCompressed(req: IncomingMessage, res: ServerResponse, body:
  * unlike the old sync existsSync/statSync approach).
  */
 declare function tryServeStatic(req: IncomingMessage, res: ServerResponse, clientDir: string, pathname: string, compress: boolean, cache?: StaticFileCache, extraHeaders?: Record<string, string | string[]>, statusCode?: number): Promise<boolean>;
-/**
- * Resolve the host for a request, ignoring X-Forwarded-Host to prevent
- * host header poisoning attacks (open redirects, cache poisoning).
- *
- * X-Forwarded-Host is only trusted when the VINEXT_TRUSTED_HOSTS env var
- * lists the forwarded host value. Without this, an attacker can send
- * X-Forwarded-Host: evil.com and poison any redirect that resolves
- * against request.url.
- *
- * On Cloudflare Workers, X-Forwarded-Host is always set by Cloudflare
- * itself, so this is only a concern for the Node.js prod-server.
- */
-declare function resolveHost(req: IncomingMessage, fallback: string): string;
-/** Hosts that are allowed as X-Forwarded-Host values (stored lowercase). */
-declare const trustedHosts: Set<string>;
-/**
- * Whether to trust X-Forwarded-Proto from upstream proxies.
- * Enabled when VINEXT_TRUST_PROXY=1 or when VINEXT_TRUSTED_HOSTS is set
- * (having trusted hosts implies a trusted proxy).
- */
-declare const trustProxy: boolean;
 /**
  * Convert a Node.js IncomingMessage to a Web Request object.
  *
@@ -80,7 +60,7 @@ declare const trustProxy: boolean;
  * Router prod server normalizes before static-asset lookup, and can pass
  * the result here so the downstream RSC handler doesn't re-normalize).
  */
-declare function nodeToWebRequest(req: IncomingMessage, urlOverride?: string): Request;
+declare function nodeToWebRequest(req: IncomingMessage, urlOverride?: string, prerenderSecret?: string): Request;
 /**
  * Stream a Web Response back to a Node.js ServerResponse.
  * Supports streaming compression for SSR responses.
@@ -122,5 +102,5 @@ declare function resolveAppRouterPrerenderSeeder(entryModule: unknown): AppRoute
  */
 declare function resolveAppRouterAssetPath(pathname: string, assetPathPrefix: string, assetPrefix: string): string | null;
 //#endregion
-export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, ProdServerOptions, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
+export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, ProdServerOptions, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveRequestHost as resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
 //# sourceMappingURL=prod-server.d.ts.map

package/dist/server/prod-server.js

@@ -1,18 +1,21 @@
 import { normalizePathnameForRouteMatchStrict } from "../routing/utils.js";
 import { hasBasePath, stripBasePath } from "../utils/base-path.js";
-import { VINEXT_PRERENDER_SECRET_HEADER, VINEXT_STATIC_FILE_HEADER } from "./headers.js";
+import { VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER, VINEXT_STATIC_FILE_HEADER } from "./headers.js";
 import { normalizePath } from "./normalize-path.js";
 import { applyMiddlewareRequestHeaders, isExternalUrl, matchRedirect, matchRewrite, proxyExternalRequest, requestContextFromRequest, sanitizeDestination } from "../config/config-matchers.js";
 import { notFoundResponse } from "./http-error-responses.js";
 import { applyConfigHeadersToHeaderRecord, filterInternalHeaders, isOpenRedirectShaped, normalizeTrailingSlash } from "./request-pipeline.js";
 import { mergeRewriteQuery } from "../utils/query.js";
 import { normalizeDefaultLocalePathname, stripI18nLocaleForApiRoute } from "./pages-i18n.js";
+import { resolveRequestHost, resolveRequestProtocol, trustProxy, trustedHosts } from "./proxy-trust.js";
+import { DEFAULT_DEVICE_SIZES, DEFAULT_IMAGE_SIZES, isImageOptimizationPath, isSafeImageContentType, parseImageParams } from "./image-optimization.js";
 import { installSocketErrorBackstop } from "./socket-error-backstop.js";
 import { ASSET_PREFIX_URL_DIR, assetPrefixPathname, isAbsoluteAssetPrefix } from "../utils/asset-prefix.js";
 import { CONTENT_TYPES, StaticFileCache, etagFromFilenameHash } from "./static-file-cache.js";
 import { buildNextDataNotFoundResponse, isNextDataPathname, parseNextDataPathname } from "./pages-data-route.js";
+import { collectInlineCssManifest } from "../build/inline-css.js";
 import { manifestFileWithBase } from "../utils/manifest-paths.js";
-import { DEFAULT_DEVICE_SIZES, DEFAULT_IMAGE_SIZES, isSafeImageContentType, parseImageParams } from "./image-optimization.js";
+import { readTrustedPrerenderRouteParamsFromHeaders, serializePrerenderRouteParamsHeader } from "./prerender-route-params.js";
 import { computeLazyChunks } from "../utils/lazy-chunks.js";
 import { readPrerenderSecret } from "../build/server-manifest.js";
 import { seedMemoryCacheFromPrerender } from "./seed-cache.js";
@@ -132,8 +135,20 @@ function mergeResponseHeaders(middlewareHeaders, response) {
 }
 function toWebHeaders(headersRecord) {
 	const headers = new Headers();
-	for (const [key, value] of Object.entries(headersRecord)) if (Array.isArray(value)) for (const item of value) headers.append(key, item);
-	else headers.set(key, value);
+	for (const [key, value] of Object.entries(headersRecord)) appendWebHeader(headers, key, value);
+	return headers;
+}
+function appendWebHeader(headers, key, value) {
+	if (value === void 0) return;
+	if (Array.isArray(value)) {
+		for (const item of value) headers.append(key, item);
+		return;
+	}
+	headers.set(key, value);
+}
+function nodeHeadersToWebHeaders(headersRecord) {
+	const headers = new Headers();
+	for (const [key, value] of Object.entries(headersRecord)) appendWebHeader(headers, key, value);
 	return headers;
 }
 const NO_BODY_RESPONSE_STATUSES = new Set([
@@ -428,35 +443,6 @@ async function statIfFile(filePath) {
 	}
 }
 /**
-* Resolve the host for a request, ignoring X-Forwarded-Host to prevent
-* host header poisoning attacks (open redirects, cache poisoning).
-*
-* X-Forwarded-Host is only trusted when the VINEXT_TRUSTED_HOSTS env var
-* lists the forwarded host value. Without this, an attacker can send
-* X-Forwarded-Host: evil.com and poison any redirect that resolves
-* against request.url.
-*
-* On Cloudflare Workers, X-Forwarded-Host is always set by Cloudflare
-* itself, so this is only a concern for the Node.js prod-server.
-*/
-function resolveHost(req, fallback) {
-	const rawForwarded = req.headers["x-forwarded-host"];
-	const hostHeader = req.headers.host;
-	if (rawForwarded) {
-		const forwardedHost = rawForwarded.split(",")[0].trim().toLowerCase();
-		if (forwardedHost && trustedHosts.has(forwardedHost)) return forwardedHost;
-	}
-	return hostHeader || fallback;
-}
-/** Hosts that are allowed as X-Forwarded-Host values (stored lowercase). */
-const trustedHosts = new Set((process.env.VINEXT_TRUSTED_HOSTS ?? "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
-/**
-* Whether to trust X-Forwarded-Proto from upstream proxies.
-* Enabled when VINEXT_TRUST_PROXY=1 or when VINEXT_TRUSTED_HOSTS is set
-* (having trusted hosts implies a trusted proxy).
-*/
-const trustProxy = process.env.VINEXT_TRUST_PROXY === "1" || trustedHosts.size > 0;
-/**
 * Convert a Node.js IncomingMessage to a Web Request object.
 *
 * When `urlOverride` is provided, it is used as the path + query string
@@ -465,17 +451,14 @@ const trustProxy = process.env.VINEXT_TRUST_PROXY === "1" || trustedHosts.size >
 * Router prod server normalizes before static-asset lookup, and can pass
 * the result here so the downstream RSC handler doesn't re-normalize).
 */
-function nodeToWebRequest(req, urlOverride) {
-	const rawProto = trustProxy ? req.headers["x-forwarded-proto"]?.split(",")[0]?.trim() : void 0;
-	const origin = `${rawProto === "https" || rawProto === "http" ? rawProto : "http"}://${resolveHost(req, "localhost")}`;
+function nodeToWebRequest(req, urlOverride, prerenderSecret) {
+	const origin = `${resolveRequestProtocol(req)}://${resolveRequestHost(req, "localhost")}`;
 	const url = new URL(urlOverride ?? req.url ?? "/", origin);
-	const rawHeaders = new Headers();
-	for (const [key, value] of Object.entries(req.headers)) {
-		if (value === void 0) continue;
-		if (Array.isArray(value)) for (const v of value) rawHeaders.append(key, v);
-		else rawHeaders.set(key, value);
-	}
+	const rawHeaders = nodeHeadersToWebHeaders(req.headers);
+	const prerenderRouteParamsPayload = readTrustedPrerenderRouteParamsFromHeaders(rawHeaders, prerenderSecret);
 	const headers = filterInternalHeaders(rawHeaders);
+	const prerenderRouteParamsHeader = serializePrerenderRouteParamsHeader(prerenderRouteParamsPayload);
+	if (prerenderRouteParamsHeader !== null) headers.set(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, prerenderRouteParamsHeader);
 	const method = req.method ?? "GET";
 	const hasBody = method !== "GET" && method !== "HEAD";
 	const init = {
@@ -669,6 +652,8 @@ async function startAppRouterServer(options) {
 	const rscModule = await import(`${pathToFileURL(rscEntryPath).href}?t=${rscMtime}`);
 	const rscHandler = resolveAppRouterHandler(rscModule.default);
 	const appRouterAssetPrefix = typeof rscModule.__assetPrefix === "string" ? rscModule.__assetPrefix : "";
+	const appRouterInlineCss = rscModule.__inlineCss === true;
+	globalThis.__VINEXT_INLINE_CSS__ = appRouterInlineCss ? collectInlineCssManifest(clientDir, appRouterAssetPrefix) : void 0;
 	const appAssetPathPrefix = assetPrefixPathname(appRouterAssetPrefix);
 	const seededRoutes = await resolveAppRouterPrerenderSeeder(rscModule)(path.dirname(rscEntryPath));
 	if (seededRoutes > 0) console.log(`[vinext] Seeded ${seededRoutes} pre-rendered route${seededRoutes !== 1 ? "s" : ""} into memory cache`);
@@ -707,7 +692,7 @@ async function startAppRouterServer(options) {
 				return;
 			}
 		}
-		if (pathname === "/_vinext/image") {
+		if (isImageOptimizationPath(pathname)) {
 			const params = parseImageParams(new URL(rawUrl, "http://localhost"), [...DEFAULT_DEVICE_SIZES, ...DEFAULT_IMAGE_SIZES]);
 			if (!params) {
 				res.writeHead(400);
@@ -731,7 +716,7 @@ async function startAppRouterServer(options) {
 		}
 		try {
 			const qs = rawUrl.includes("?") ? rawUrl.slice(rawUrl.indexOf("?")) : "";
-			const response = await rscHandler(nodeToWebRequest(req, pathname + qs));
+			const response = await rscHandler(nodeToWebRequest(req, pathname + qs, prerenderSecret));
 			const staticFileSignal = response.headers.get(VINEXT_STATIC_FILE_HEADER);
 			if (staticFileSignal) {
 				let staticFilePath = "/";
@@ -892,7 +877,7 @@ async function startPagesRouterServer(options) {
 			res.end("Not Found");
 			return;
 		}
-		if (pathname === "/_vinext/image" || staticLookupPath === "/_vinext/image") {
+		if (isImageOptimizationPath(pathname) || isImageOptimizationPath(staticLookupPath)) {
 			const params = parseImageParams(new URL(rawUrl, "http://localhost"), allowedImageWidths);
 			if (!params) {
 				res.writeHead(400);
@@ -949,13 +934,9 @@ async function startPagesRouterServer(options) {
 				url = dataMatch.pagePathname + qs;
 				pathname = dataMatch.pagePathname;
 			}
-			const rawProtocol = trustProxy ? req.headers["x-forwarded-proto"]?.split(",")[0]?.trim() : void 0;
-			const protocol = rawProtocol === "https" || rawProtocol === "http" ? rawProtocol : "http";
-			const hostHeader = resolveHost(req, `${host}:${port}`);
-			const rawReqHeaders = Object.entries(req.headers).reduce((h, [k, v]) => {
-				if (v) h.set(k, Array.isArray(v) ? v.join(", ") : v);
-				return h;
-			}, new Headers());
+			const protocol = resolveRequestProtocol(req);
+			const hostHeader = resolveRequestHost(req, `${host}:${port}`);
+			const rawReqHeaders = nodeHeadersToWebHeaders(req.headers);
 			const isDataRequest = rawReqHeaders.get("x-nextjs-data") === "1";
 			const reqHeaders = filterInternalHeaders(rawReqHeaders);
 			const method = req.method ?? "GET";
@@ -1087,18 +1068,23 @@ async function startPagesRouterServer(options) {
 			let response;
 			if (typeof renderPage === "function") {
 				const middlewareResponseHeaders = toWebHeaders(middlewareHeaders);
-				const renderOptions = isDataReq ? { isDataReq: true } : void 0;
-				response = await renderPage(webRequest, resolvedUrl, ssrManifest, void 0, middlewareResponseHeaders, renderOptions);
-				if (response && response.status === 404 && configRewrites.fallback?.length) {
+				const renderPageMatch = matchPageRoute ? matchPageRoute(resolvedPathname, webRequest) : null;
+				const shouldDeferErrorPageOnMiss = !isDataReq && !!matchPageRoute && !renderPageMatch;
+				const dataRenderOptions = isDataReq ? { isDataReq: true } : void 0;
+				response = await renderPage(webRequest, resolvedUrl, ssrManifest, void 0, middlewareResponseHeaders, shouldDeferErrorPageOnMiss ? { renderErrorPageOnMiss: false } : dataRenderOptions);
+				let matchedFallbackRewrite = false;
+				if (response && response.status === 404 && shouldDeferErrorPageOnMiss && configRewrites.fallback?.length) {
 					const fallbackRewrite = matchRewrite(matchResolvedPathname(resolvedPathname), configRewrites.fallback, postMwReqCtx, basePathState);
 					if (fallbackRewrite) {
 						if (isExternalUrl(fallbackRewrite)) {
 							await sendWebResponse(await proxyExternalRequest(webRequest, fallbackRewrite), req, res, compress);
 							return;
 						}
-						response = await renderPage(webRequest, mergeRewriteQuery(resolvedUrl, fallbackRewrite), ssrManifest, void 0, middlewareResponseHeaders, renderOptions);
+						matchedFallbackRewrite = true;
+						response = await renderPage(webRequest, mergeRewriteQuery(resolvedUrl, fallbackRewrite), ssrManifest, void 0, middlewareResponseHeaders, dataRenderOptions);
 					}
 				}
+				if (response && response.status === 404 && shouldDeferErrorPageOnMiss && !matchedFallbackRewrite) response = await renderPage(webRequest, resolvedUrl, ssrManifest, void 0, middlewareResponseHeaders);
 			}
 			if (!response) {
 				res.writeHead(404);
@@ -1141,6 +1127,6 @@ async function startPagesRouterServer(options) {
 	};
 }
 //#endregion
-export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
+export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveRequestHost as resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
 
 //# sourceMappingURL=prod-server.js.map