webpack-dev-server 5.0.2 → 5.2.2

package/lib/Server.js

@@ -18,9 +18,6 @@ const schema = require("./options.json");
 /** @typedef {import("webpack").Stats} Stats */
 /** @typedef {import("webpack").MultiStats} MultiStats */
 /** @typedef {import("os").NetworkInterfaceInfo} NetworkInterfaceInfo */
-/** @typedef {import("express").NextFunction} NextFunction */
-/** @typedef {import("express").RequestHandler} ExpressRequestHandler */
-/** @typedef {import("express").ErrorRequestHandler} ExpressErrorRequestHandler */
 /** @typedef {import("chokidar").WatchOptions} WatchOptions */
 /** @typedef {import("chokidar").FSWatcher} FSWatcher */
 /** @typedef {import("connect-history-api-fallback").Options} ConnectHistoryApiFallbackOptions */
@@ -34,14 +31,32 @@ const schema = require("./options.json");
 /** @typedef {import("ipaddr.js").IPv4} IPv4 */
 /** @typedef {import("ipaddr.js").IPv6} IPv6 */
 /** @typedef {import("net").Socket} Socket */
+/** @typedef {import("http").Server} HTTPServer*/
 /** @typedef {import("http").IncomingMessage} IncomingMessage */
 /** @typedef {import("http").ServerResponse} ServerResponse */
 /** @typedef {import("open").Options} OpenOptions */
+/** @typedef {import("express").Application} ExpressApplication */
+/** @typedef {import("express").RequestHandler} ExpressRequestHandler */
+/** @typedef {import("express").ErrorRequestHandler} ExpressErrorRequestHandler */
+/** @typedef {import("express").Request} ExpressRequest */
+/** @typedef {import("express").Response} ExpressResponse */
+
+/** @typedef {(err?: any) => void} NextFunction */
+/** @typedef {(req: IncomingMessage, res: ServerResponse) => void} SimpleHandleFunction */
+/** @typedef {(req: IncomingMessage, res: ServerResponse, next: NextFunction) => void} NextHandleFunction */
+/** @typedef {(err: any, req: IncomingMessage, res: ServerResponse, next: NextFunction) => void} ErrorHandleFunction */
+/** @typedef {SimpleHandleFunction | NextHandleFunction | ErrorHandleFunction} HandleFunction */
 
 /** @typedef {import("https").ServerOptions & { spdy?: { plain?: boolean | undefined, ssl?: boolean | undefined, 'x-forwarded-for'?: string | undefined, protocol?: string | undefined, protocols?: string[] | undefined }}} ServerOptions */
 
-/** @typedef {import("express").Request} Request */
-/** @typedef {import("express").Response} Response */
+/**
+ * @template {BasicApplication} [T=ExpressApplication]
+ * @typedef {T extends ExpressApplication ? ExpressRequest : IncomingMessage} Request
+ */
+/**
+ * @template {BasicApplication} [T=ExpressApplication]
+ * @typedef {T extends ExpressApplication ? ExpressResponse : ServerResponse} Response
+ */
 
 /**
  * @template {Request} T
@@ -88,8 +103,16 @@ const schema = require("./options.json");
  */
 
 /**
+ * @template {BasicApplication} [A=ExpressApplication]
+ * @template {BasicServer} [S=import("http").Server]
+ * @typedef {"http" | "https" | "spdy" | "http2" | string | function(ServerOptions, A): S} ServerType
+ */
+
+/**
+ * @template {BasicApplication} [A=ExpressApplication]
+ * @template {BasicServer} [S=import("http").Server]
  * @typedef {Object} ServerConfiguration
- * @property {"http" | "https" | "spdy" | string} [type]
+ * @property {ServerType<A, S>} [type]
  * @property {ServerOptions} [options]
  */
 
@@ -126,10 +149,6 @@ const schema = require("./options.json");
  * @typedef {(ProxyConfigArrayItem | ((req?: Request | undefined, res?: Response | undefined, next?: NextFunction | undefined) => ProxyConfigArrayItem))[]} ProxyConfigArray
  */
 
-/**
- * @typedef {{ [url: string]: string | ProxyConfigArrayItem }} ProxyConfigMap
- */
-
 /**
  * @typedef {Object} OpenApp
  * @property {string} [name]
@@ -177,10 +196,23 @@ const schema = require("./options.json");
  */
 
 /**
- * @typedef {{ name?: string, path?: string, middleware: ExpressRequestHandler | ExpressErrorRequestHandler } | ExpressRequestHandler | ExpressErrorRequestHandler} Middleware
+ * @template {BasicApplication} [T=ExpressApplication]
+ * @typedef {T extends ExpressApplication ? ExpressRequestHandler | ExpressErrorRequestHandler : HandleFunction} MiddlewareHandler
+ */
+
+/**
+ * @typedef {{ name?: string, path?: string, middleware: MiddlewareHandler }} MiddlewareObject
+ */
+
+/**
+ * @typedef {MiddlewareObject | MiddlewareHandler } Middleware
  */
 
+/** @typedef {import("net").Server | import("tls").Server} BasicServer */
+
 /**
+ * @template {BasicApplication} [A=ExpressApplication]
+ * @template {BasicServer} [S=import("http").Server]
  * @typedef {Object} Configuration
  * @property {boolean | string} [ipc]
  * @property {Host} [host]
@@ -194,17 +226,16 @@ const schema = require("./options.json");
  * @property {boolean | Record<string, never> | BonjourOptions} [bonjour]
  * @property {string | string[] | WatchFiles | Array<string | WatchFiles>} [watchFiles]
  * @property {boolean | string | Static | Array<string | Static>} [static]
- * @property {boolean | ServerOptions} [https]
- * @property {boolean} [http2]
- * @property {"http" | "https" | "spdy" | string | ServerConfiguration} [server]
+ * @property {ServerType<A, S> | ServerConfiguration<A, S>} [server]
+ * @property {() => Promise<A>} [app]
  * @property {boolean | "sockjs" | "ws" | string | WebSocketServerConfiguration} [webSocketServer]
- * @property {ProxyConfigMap | ProxyConfigArrayItem | ProxyConfigArray} [proxy]
+ * @property {ProxyConfigArray} [proxy]
  * @property {boolean | string | Open | Array<string | Open>} [open]
  * @property {boolean} [setupExitSignals]
  * @property {boolean | ClientConfiguration} [client]
- * @property {Headers | ((req: Request, res: Response, context: DevMiddlewareContext<Request, Response>) => Headers)} [headers]
- * @property {(devServer: Server) => void} [onListening]
- * @property {(middlewares: Middleware[], devServer: Server) => Middleware[]} [setupMiddlewares]
+ * @property {Headers | ((req: Request, res: Response, context: DevMiddlewareContext<Request, Response> | undefined) => Headers)} [headers]
+ * @property {(devServer: Server<A, S>) => void} [onListening]
+ * @property {(middlewares: Middleware[], devServer: Server<A, S>) => Middleware[]} [setupMiddlewares]
  */
 
 if (!process.env.WEBPACK_SERVE) {
@@ -249,10 +280,48 @@ const encodeOverlaySettings = (setting) =>
     ? encodeURIComponent(setting.toString())
     : setting;
 
+// Working for overload, because typescript doesn't support this yes
+/**
+ * @overload
+ * @param {NextHandleFunction} fn
+ * @returns {BasicApplication}
+ */
+/**
+ * @overload
+ * @param {HandleFunction} fn
+ * @returns {BasicApplication}
+ */
+/**
+ * @overload
+ * @param {string} route
+ * @param {NextHandleFunction} fn
+ * @returns {BasicApplication}
+ */
+/**
+ * @param {string} route
+ * @param {HandleFunction} fn
+ * @returns {BasicApplication}
+ */
+// eslint-disable-next-line no-unused-vars
+function useFn(route, fn) {
+  return /** @type {BasicApplication} */ ({});
+}
+
+const DEFAULT_ALLOWED_PROTOCOLS = /^(file|.+-extension):/i;
+
+/**
+ * @typedef {Object} BasicApplication
+ * @property {typeof useFn} use
+ */
+
+/**
+ * @template {BasicApplication} [A=ExpressApplication]
+ * @template {BasicServer} [S=HTTPServer]
+ */
 class Server {
   /**
-   * @param {Configuration | Compiler | MultiCompiler} options
-   * @param {Compiler | MultiCompiler | Configuration} compiler
+   * @param {Configuration<A, S>} options
+   * @param {Compiler | MultiCompiler} compiler
    */
   constructor(options = {}, compiler) {
     validate(/** @type {Schema} */ (schema), options, {
@@ -260,12 +329,12 @@ class Server {
       baseDataPath: "options",
     });
 
-    this.compiler = /** @type {Compiler | MultiCompiler} */ (compiler);
+    this.compiler = compiler;
     /**
      * @type {ReturnType<Compiler["getInfrastructureLogger"]>}
      * */
     this.logger = this.compiler.getInfrastructureLogger("webpack-dev-server");
-    this.options = /** @type {Configuration} */ (options);
+    this.options = options;
     /**
      * @type {FSWatcher[]}
      */
@@ -328,11 +397,61 @@ class Server {
   }
 
   /**
-   * @param {string} gateway
+   * @param {string} gatewayOrFamily or family
+   * @param {boolean} [isInternal] ip should be internal
    * @returns {string | undefined}
    */
-  static findIp(gateway) {
-    const gatewayIp = ipaddr.parse(gateway);
+  static findIp(gatewayOrFamily, isInternal) {
+    if (gatewayOrFamily === "v4" || gatewayOrFamily === "v6") {
+      let host;
+
+      const networks = Object.values(os.networkInterfaces())
+        // eslint-disable-next-line no-shadow
+        .flatMap((networks) => networks ?? [])
+        .filter((network) => {
+          if (!network || !network.address) {
+            return false;
+          }
+
+          if (network.family !== `IP${gatewayOrFamily}`) {
+            return false;
+          }
+
+          if (
+            typeof isInternal !== "undefined" &&
+            network.internal !== isInternal
+          ) {
+            return false;
+          }
+
+          if (gatewayOrFamily === "v6") {
+            const range = ipaddr.parse(network.address).range();
+
+            if (
+              range !== "ipv4Mapped" &&
+              range !== "uniqueLocal" &&
+              range !== "loopback"
+            ) {
+              return false;
+            }
+          }
+
+          return network.address;
+        });
+
+      if (networks.length > 0) {
+        // Take the first network found
+        host = networks[0].address;
+
+        if (host.includes(":")) {
+          host = `[${host}]`;
+        }
+      }
+
+      return host;
+    }
+
+    const gatewayIp = ipaddr.parse(gatewayOrFamily);
 
     // Look for the matching interface in all local interfaces.
     for (const addresses of Object.values(os.networkInterfaces())) {
@@ -352,32 +471,22 @@ class Server {
     }
   }
 
+  // TODO remove me in the next major release, we have `findIp`
   /**
    * @param {"v4" | "v6"} family
    * @returns {Promise<string | undefined>}
    */
   static async internalIP(family) {
-    try {
-      const { gateway } = await require("default-gateway")[family]();
-
-      return Server.findIp(gateway);
-    } catch {
-      // ignore
-    }
+    return Server.findIp(family, false);
   }
 
+  // TODO remove me in the next major release, we have `findIp`
   /**
    * @param {"v4" | "v6"} family
    * @returns {string | undefined}
    */
   static internalIPSync(family) {
-    try {
-      const { gateway } = require("default-gateway")[family].sync();
-
-      return Server.findIp(gateway);
-    } catch {
-      // ignore
-    }
+    return Server.findIp(family, false);
   }
 
   /**
@@ -387,14 +496,12 @@ class Server {
   static async getHostname(hostname) {
     if (hostname === "local-ip") {
       return (
-        (await Server.internalIP("v4")) ||
-        (await Server.internalIP("v6")) ||
-        "0.0.0.0"
+        Server.findIp("v4", false) || Server.findIp("v6", false) || "0.0.0.0"
       );
     } else if (hostname === "local-ipv4") {
-      return (await Server.internalIP("v4")) || "0.0.0.0";
+      return Server.findIp("v4", false) || "0.0.0.0";
     } else if (hostname === "local-ipv6") {
-      return (await Server.internalIP("v6")) || "::";
+      return Server.findIp("v6", false) || "::";
     }
 
     return hostname;
@@ -474,7 +581,11 @@ class Server {
    * @returns bool
    */
   static isWebTarget(compiler) {
-    // TODO improve for the next major version - we should store `web` and other targets in `compiler.options.environment`
+    if (compiler.platform && compiler.platform.web) {
+      return compiler.platform.web;
+    }
+
+    // TODO improve for the next major version and keep only `webTargets` to fallback for old versions
     if (
       compiler.options.externalsPresets &&
       compiler.options.externalsPresets.web
@@ -494,6 +605,7 @@ class Server {
       "webworker",
       "electron-preload",
       "electron-renderer",
+      "nwjs",
       "node-webkit",
       // eslint-disable-next-line no-undefined
       undefined,
@@ -541,9 +653,7 @@ class Server {
         if (typeof webSocketURL.protocol !== "undefined") {
           protocol = webSocketURL.protocol;
         } else {
-          protocol =
-            /** @type {ServerConfiguration} */
-            (this.options.server).type === "http" ? "ws:" : "wss:";
+          protocol = this.isTlsServer ? "wss:" : "ws:";
         }
 
         searchParams.set("protocol", protocol);
@@ -687,15 +797,12 @@ class Server {
         webSocketURLStr = searchParams.toString();
       }
 
-      additionalEntries.push(
-        `${require.resolve("../client/index.js")}?${webSocketURLStr}`,
-      );
+      additionalEntries.push(`${this.getClientEntry()}?${webSocketURLStr}`);
     }
 
-    if (this.options.hot === "only") {
-      additionalEntries.push(require.resolve("webpack/hot/only-dev-server"));
-    } else if (this.options.hot) {
-      additionalEntries.push(require.resolve("webpack/hot/dev-server"));
+    const clientHotEntry = this.getClientHotEntry();
+    if (clientHotEntry) {
+      additionalEntries.push(clientHotEntry);
     }
 
     const webpack = compiler.webpack || require("webpack");
@@ -1011,39 +1118,41 @@ class Server {
         ? options.hot
         : true;
 
-    options.server = {
-      type:
-        // eslint-disable-next-line no-nested-ternary
-        typeof options.server === "string"
-          ? options.server
-          : typeof (options.server || {}).type === "string"
-            ? /** @type {ServerConfiguration} */ (options.server).type || "http"
-            : "http",
-      options: {
-        .../** @type {ServerOptions} */ (options.https),
-        .../** @type {ServerConfiguration} */ (options.server || {}).options,
-      },
-    };
+    if (
+      typeof options.server === "function" ||
+      typeof options.server === "string"
+    ) {
+      options.server = {
+        type: options.server,
+        options: {},
+      };
+    } else {
+      const serverOptions =
+        /** @type {ServerConfiguration<A, S>} */
+        (options.server || {});
+
+      options.server = {
+        type: serverOptions.type || "http",
+        options: { ...serverOptions.options },
+      };
+    }
+
+    const serverOptions = /** @type {ServerOptions} */ (options.server.options);
 
     if (
       options.server.type === "spdy" &&
-      typeof (/** @type {ServerOptions} */ (options.server.options).spdy) ===
-        "undefined"
+      typeof serverOptions.spdy === "undefined"
     ) {
-      /** @type {ServerOptions} */
-      (options.server.options).spdy = {
-        protocols: ["h2", "http/1.1"],
-      };
+      serverOptions.spdy = { protocols: ["h2", "http/1.1"] };
     }
 
-    if (options.server.type === "https" || options.server.type === "spdy") {
-      if (
-        typeof (
-          /** @type {ServerOptions} */ (options.server.options).requestCert
-        ) === "undefined"
-      ) {
-        /** @type {ServerOptions} */
-        (options.server.options).requestCert = false;
+    if (
+      options.server.type === "https" ||
+      options.server.type === "http2" ||
+      options.server.type === "spdy"
+    ) {
+      if (typeof serverOptions.requestCert === "undefined") {
+        serverOptions.requestCert = false;
       }
 
       const httpsProperties =
@@ -1051,19 +1160,13 @@ class Server {
         (["ca", "cert", "crl", "key", "pfx"]);
 
       for (const property of httpsProperties) {
-        if (
-          typeof (
-            /** @type {ServerOptions} */ (options.server.options)[property]
-          ) === "undefined"
-        ) {
+        if (typeof serverOptions[property] === "undefined") {
           // eslint-disable-next-line no-continue
           continue;
         }
 
         /** @type {any} */
-        const value =
-          /** @type {ServerOptions} */
-          (options.server.options)[property];
+        const value = serverOptions[property];
         /**
          * @param {string | Buffer | undefined} item
          * @returns {string | Buffer | undefined}
@@ -1091,17 +1194,14 @@ class Server {
         };
 
         /** @type {any} */
-        (options.server.options)[property] = Array.isArray(value)
+        (serverOptions)[property] = Array.isArray(value)
           ? value.map((item) => readFile(item))
           : readFile(value);
       }
 
       let fakeCert;
 
-      if (
-        !(/** @type {ServerOptions} */ (options.server.options).key) ||
-        !(/** @type {ServerOptions} */ (options.server.options).cert)
-      ) {
+      if (!serverOptions.key || !serverOptions.cert) {
         const certificateDir = Server.findCacheDir();
         const certificatePath = path.join(certificateDir, "server.pem");
         let certificateExists;
@@ -1120,13 +1220,11 @@ class Server {
 
           // cert is more than 30 days old, kill it with fire
           if ((now - Number(certificateStat.ctime)) / certificateTtl > 30) {
-            const { rimraf } = require("rimraf");
-
             this.logger.info(
               "SSL certificate is more than 30 days old. Removing...",
             );
 
-            await rimraf(certificatePath);
+            await fs.promises.rm(certificatePath, { recursive: true });
 
             certificateExists = false;
           }
@@ -1135,7 +1233,6 @@ class Server {
         if (!certificateExists) {
           this.logger.info("Generating SSL certificate...");
 
-          // @ts-ignore
           const selfsigned = require("selfsigned");
           const attributes = [{ name: "commonName", value: "localhost" }];
           const pems = selfsigned.generate(attributes, {
@@ -1216,14 +1313,8 @@ class Server {
         this.logger.info(`SSL certificate: ${certificatePath}`);
       }
 
-      /** @type {ServerOptions} */
-      (options.server.options).key =
-        /** @type {ServerOptions} */
-        (options.server.options).key || fakeCert;
-      /** @type {ServerOptions} */
-      (options.server.options).cert =
-        /** @type {ServerOptions} */
-        (options.server.options).cert || fakeCert;
+      serverOptions.key = serverOptions.key || fakeCert;
+      serverOptions.cert = serverOptions.cert || fakeCert;
     }
 
     if (typeof options.ipc === "boolean") {
@@ -1285,15 +1376,15 @@ class Server {
        */
       const result = [];
 
-      options.open.forEach((item) => {
+      for (const item of options.open) {
         if (typeof item === "string") {
           result.push({ target: item, options: defaultOpenOptions });
-
-          return;
+          // eslint-disable-next-line no-continue
+          continue;
         }
 
         result.push(...getOpenItemsFromObject(item));
-      });
+      }
 
       /** @type {NormalizedOpen[]} */
       (options.open) = result;
@@ -1317,48 +1408,45 @@ class Server {
      * }
      */
     if (typeof options.proxy !== "undefined") {
-      /** @type {ProxyConfigArray} */
-      (options.proxy) =
-        /** @type {ProxyConfigArray} */
-        (options.proxy).map((item) => {
-          if (typeof item === "function") {
-            return item;
-          }
+      options.proxy = options.proxy.map((item) => {
+        if (typeof item === "function") {
+          return item;
+        }
 
-          /**
-           * @param {"info" | "warn" | "error" | "debug" | "silent" | undefined | "none" | "log" | "verbose"} level
-           * @returns {"info" | "warn" | "error" | "debug" | "silent" | undefined}
-           */
-          const getLogLevelForProxy = (level) => {
-            if (level === "none") {
-              return "silent";
-            }
+        /**
+         * @param {"info" | "warn" | "error" | "debug" | "silent" | undefined | "none" | "log" | "verbose"} level
+         * @returns {"info" | "warn" | "error" | "debug" | "silent" | undefined}
+         */
+        const getLogLevelForProxy = (level) => {
+          if (level === "none") {
+            return "silent";
+          }
 
-            if (level === "log") {
-              return "info";
-            }
+          if (level === "log") {
+            return "info";
+          }
 
-            if (level === "verbose") {
-              return "debug";
-            }
+          if (level === "verbose") {
+            return "debug";
+          }
 
-            return level;
-          };
+          return level;
+        };
 
-          if (typeof item.logLevel === "undefined") {
-            item.logLevel = getLogLevelForProxy(
-              compilerOptions.infrastructureLogging
-                ? compilerOptions.infrastructureLogging.level
-                : "info",
-            );
-          }
+        if (typeof item.logLevel === "undefined") {
+          item.logLevel = getLogLevelForProxy(
+            compilerOptions.infrastructureLogging
+              ? compilerOptions.infrastructureLogging.level
+              : "info",
+          );
+        }
 
-          if (typeof item.logProvider === "undefined") {
-            item.logProvider = () => this.logger;
-          }
+        if (typeof item.logProvider === "undefined") {
+          item.logProvider = () => this.logger;
+        }
 
-          return item;
-        });
+        return item;
+      });
     }
 
     if (typeof options.setupExitSignals === "undefined") {
@@ -1529,8 +1617,9 @@ class Server {
   }
 
   /**
+   * @template T
    * @private
-   * @returns {string}
+   * @returns {T}
    */
   getServerTransport() {
     let implementation;
@@ -1560,9 +1649,8 @@ class Server {
           try {
             // eslint-disable-next-line import/no-dynamic-require
             implementation = require(
-              /** @type {WebSocketServerConfiguration} */ (
-                this.options.webSocketServer
-              ).type,
+              /** @type {WebSocketServerConfiguration} */
+              (this.options.webSocketServer).type,
             );
           } catch (error) {
             implementationFound = false;
@@ -1570,9 +1658,9 @@ class Server {
         }
         break;
       case "function":
-        implementation = /** @type {WebSocketServerConfiguration} */ (
-          this.options.webSocketServer
-        ).type;
+        implementation =
+          /** @type {WebSocketServerConfiguration} */
+          (this.options.webSocketServer).type;
         break;
       default:
         implementationFound = false;
@@ -1589,6 +1677,25 @@ class Server {
     return implementation;
   }
 
+  /**
+   * @returns {string}
+   */
+  // eslint-disable-next-line class-methods-use-this
+  getClientEntry() {
+    return require.resolve("../client/index.js");
+  }
+
+  /**
+   * @returns {string | void}
+   */
+  getClientHotEntry() {
+    if (this.options.hot === "only") {
+      return require.resolve("webpack/hot/only-dev-server");
+    } else if (this.options.hot) {
+      return require.resolve("webpack/hot/dev-server");
+    }
+  }
+
   /**
    * @private
    * @returns {void}
@@ -1638,12 +1745,22 @@ class Server {
    * @returns {Promise<void>}
    */
   async initialize() {
+    this.setupHooks();
+
+    await this.setupApp();
+    await this.createServer();
+
     if (this.options.webSocketServer) {
       const compilers =
         /** @type {MultiCompiler} */
         (this.compiler).compilers || [this.compiler];
 
-      compilers.forEach((compiler) => {
+      for (const compiler of compilers) {
+        if (compiler.options.devServer === false) {
+          // eslint-disable-next-line no-continue
+          continue;
+        }
+
         this.addAdditionalEntries(compiler);
 
         const webpack = compiler.webpack || require("webpack");
@@ -1668,7 +1785,7 @@ class Server {
             plugin.apply(compiler);
           }
         }
-      });
+      }
 
       if (
         this.options.client &&
@@ -1678,16 +1795,9 @@ class Server {
       }
     }
 
-    this.setupHooks();
-    this.setupApp();
-    this.setupHostHeaderCheck();
-    this.setupDevMiddleware();
-    // Should be after `webpack-dev-middleware`, otherwise other middlewares might rewrite response
-    this.setupBuiltInRoutes();
     this.setupWatchFiles();
     this.setupWatchStaticFiles();
     this.setupMiddlewares();
-    this.createServer();
 
     if (this.options.setupExitSignals) {
       const signals = ["SIGINT", "SIGTERM"];
@@ -1725,24 +1835,30 @@ class Server {
 
     // Proxy WebSocket without the initial http request
     // https://github.com/chimurai/http-proxy-middleware#external-websocket-upgrade
-    /** @type {RequestHandler[]} */
-    (this.webSocketProxies).forEach((webSocketProxy) => {
-      /** @type {import("http").Server} */
+    const webSocketProxies =
+      /** @type {RequestHandler[]} */
+      (this.webSocketProxies);
+
+    for (const webSocketProxy of webSocketProxies) {
+      /** @type {S} */
       (this.server).on(
         "upgrade",
         /** @type {RequestHandler & { upgrade: NonNullable<RequestHandler["upgrade"]> }} */
         (webSocketProxy).upgrade,
       );
-    }, this);
+    }
   }
 
   /**
    * @private
-   * @returns {void}
+   * @returns {Promise<void>}
    */
-  setupApp() {
-    /** @type {import("express").Application | undefined}*/
-    this.app = new /** @type {any} */ (getExpress())();
+  async setupApp() {
+    /** @type {A | undefined}*/
+    this.app =
+      typeof this.options.app === "function"
+        ? await this.options.app()
+        : getExpress()();
   }
 
   /**
@@ -1796,204 +1912,330 @@ class Server {
    * @private
    * @returns {void}
    */
-  setupHostHeaderCheck() {
-    /** @type {import("express").Application} */
-    (this.app).all(
-      "*",
-      /**
-       * @param {Request} req
-       * @param {Response} res
-       * @param {NextFunction} next
-       * @returns {void}
-       */
-      (req, res, next) => {
-        if (
-          this.checkHeader(
-            /** @type {{ [key: string]: string | undefined }} */
-            (req.headers),
-            "host",
-          )
-        ) {
-          return next();
-        }
+  setupWatchStaticFiles() {
+    const watchFiles = /** @type {NormalizedStatic[]} */ (this.options.static);
 
-        res.send("Invalid Host header");
-      },
-    );
+    if (watchFiles.length > 0) {
+      for (const item of watchFiles) {
+        if (item.watch) {
+          this.watchFiles(item.directory, item.watch);
+        }
+      }
+    }
   }
 
   /**
    * @private
    * @returns {void}
    */
-  setupDevMiddleware() {
-    const webpackDevMiddleware = require("webpack-dev-middleware");
+  setupWatchFiles() {
+    const watchFiles = /** @type {WatchFiles[]} */ (this.options.watchFiles);
 
-    // middleware for serving webpack bundle
-    this.middleware = webpackDevMiddleware(
-      this.compiler,
-      this.options.devMiddleware,
-    );
+    if (watchFiles.length > 0) {
+      for (const item of watchFiles) {
+        this.watchFiles(item.paths, item.options);
+      }
+    }
   }
 
   /**
    * @private
    * @returns {void}
    */
-  setupBuiltInRoutes() {
-    const { app, middleware } = this;
+  setupMiddlewares() {
+    /**
+     * @type {Array<Middleware>}
+     */
+    let middlewares = [];
 
-    /** @type {import("express").Application} */
-    (app).get("/__webpack_dev_server__/sockjs.bundle.js", (req, res) => {
-      res.setHeader("Content-Type", "application/javascript");
+    // Register setup host header check for security
+    middlewares.push({
+      name: "host-header-check",
+      /**
+       * @param {Request} req
+       * @param {Response} res
+       * @param {NextFunction} next
+       * @returns {void}
+       */
+      middleware: (req, res, next) => {
+        const headers =
+          /** @type {{ [key: string]: string | undefined }} */
+          (req.headers);
+        const headerName = headers[":authority"] ? ":authority" : "host";
 
-      const clientPath = path.join(__dirname, "..", "client");
+        if (this.isValidHost(headers, headerName)) {
+          next();
+          return;
+        }
 
-      res.sendFile(path.join(clientPath, "modules/sockjs-client/index.js"));
+        res.statusCode = 403;
+        res.end("Invalid Host header");
+      },
     });
 
-    /** @type {import("express").Application} */
-    (app).get("/webpack-dev-server/invalidate", (_req, res) => {
-      this.invalidate();
+    // Register setup cross origin request check for security
+    middlewares.push({
+      name: "cross-origin-header-check",
+      /**
+       * @param {Request} req
+       * @param {Response} res
+       * @param {NextFunction} next
+       * @returns {void}
+       */
+      middleware: (req, res, next) => {
+        const headers =
+          /** @type {{ [key: string]: string | undefined }} */
+          (req.headers);
+        const headerName = headers[":authority"] ? ":authority" : "host";
+
+        if (this.isValidHost(headers, headerName, false)) {
+          next();
+          return;
+        }
+
+        if (
+          headers["sec-fetch-mode"] === "no-cors" &&
+          headers["sec-fetch-site"] === "cross-site"
+        ) {
+          res.statusCode = 403;
+          res.end("Cross-Origin request blocked");
+          return;
+        }
 
-      res.end();
+        next();
+      },
     });
 
-    /** @type {import("express").Application} */
-    (app).get("/webpack-dev-server/open-editor", (req, res) => {
-      const fileName = req.query.fileName;
+    const isHTTP2 =
+      /** @type {ServerConfiguration<A, S>} */ (this.options.server).type ===
+      "http2";
 
-      if (typeof fileName === "string") {
-        // @ts-ignore
-        const launchEditor = require("launch-editor");
-        launchEditor(fileName);
-      }
+    if (isHTTP2) {
+      // TODO patch for https://github.com/pillarjs/finalhandler/pull/45, need remove then will be resolved
+      middlewares.push({
+        name: "http2-status-message-patch",
+        middleware:
+          /** @type {NextHandleFunction} */
+          (_req, res, next) => {
+            Object.defineProperty(res, "statusMessage", {
+              get() {
+                return "";
+              },
+              set() {},
+            });
+
+            next();
+          },
+      });
+    }
+
+    // compress is placed last and uses unshift so that it will be the first middleware used
+    if (this.options.compress && !isHTTP2) {
+      const compression = require("compression");
+
+      middlewares.push({ name: "compression", middleware: compression() });
+    }
+
+    if (typeof this.options.headers !== "undefined") {
+      middlewares.push({
+        name: "set-headers",
+        middleware: this.setHeaders.bind(this),
+      });
+    }
 
-      res.end();
+    middlewares.push({
+      name: "webpack-dev-middleware",
+      middleware: /** @type {MiddlewareHandler} */ (this.middleware),
     });
 
-    /** @type {import("express").Application} */
-    (app).get("/webpack-dev-server", (req, res) => {
-      /** @type {import("webpack-dev-middleware").API<Request, Response>}*/
-      (middleware).waitUntilValid((stats) => {
-        res.setHeader("Content-Type", "text/html");
-        // HEAD requests should not return body content
-        if (req.method === "HEAD") {
-          res.end();
+    // Should be after `webpack-dev-middleware`, otherwise other middlewares might rewrite response
+    middlewares.push({
+      name: "webpack-dev-server-sockjs-bundle",
+      path: "/__webpack_dev_server__/sockjs.bundle.js",
+      /**
+       * @param {Request} req
+       * @param {Response} res
+       * @param {NextFunction} next
+       * @returns {void}
+       */
+      middleware: (req, res, next) => {
+        if (req.method !== "GET" && req.method !== "HEAD") {
+          next();
           return;
         }
-        res.write(
-          '<!DOCTYPE html><html><head><meta charset="utf-8"/></head><body>',
-        );
 
-        const statsForPrint =
-          typeof (/** @type {MultiStats} */ (stats).stats) !== "undefined"
-            ? /** @type {MultiStats} */ (stats).toJson().children
-            : [/** @type {Stats} */ (stats).toJson()];
-
-        res.write(`<h1>Assets Report:</h1>`);
+        const clientPath = path.join(
+          __dirname,
+          "..",
+          "client/modules/sockjs-client/index.js",
+        );
 
-        /**
-         * @type {StatsCompilation[]}
-         */
-        (statsForPrint).forEach((item, index) => {
-          res.write("<div>");
+        // Express send Etag and other headers by default, so let's keep them for compatibility reasons
+        if (typeof res.sendFile === "function") {
+          res.sendFile(clientPath);
+          return;
+        }
 
-          const name =
-            // eslint-disable-next-line no-nested-ternary
-            typeof item.name !== "undefined"
-              ? item.name
-              : /** @type {MultiStats} */ (stats).stats
-                ? `unnamed[${index}]`
-                : "unnamed";
+        let stats;
 
-          res.write(`<h2>Compilation: ${name}</h2>`);
-          res.write("<ul>");
+        try {
+          // TODO implement `inputFileSystem.createReadStream` in webpack
+          stats = fs.statSync(clientPath);
+        } catch (err) {
+          next();
+          return;
+        }
 
-          const publicPath = item.publicPath === "auto" ? "" : item.publicPath;
+        res.setHeader("Content-Type", "application/javascript; charset=UTF-8");
+        res.setHeader("Content-Length", stats.size);
 
-          for (const asset of /** @type {NonNullable<StatsCompilation["assets"]>} */ (
-            item.assets
-          )) {
-            const assetName = asset.name;
-            const assetURL = `${publicPath}${assetName}`;
+        if (req.method === "HEAD") {
+          res.end();
+          return;
+        }
 
-            res.write(
-              `<li>
-              <strong><a href="${assetURL}" target="_blank">${assetName}</a></strong>
-            </li>`,
-            );
-          }
+        fs.createReadStream(clientPath).pipe(res);
+      },
+    });
 
-          res.write("</ul>");
-          res.write("</div>");
-        });
+    middlewares.push({
+      name: "webpack-dev-server-invalidate",
+      path: "/webpack-dev-server/invalidate",
+      /**
+       * @param {Request} req
+       * @param {Response} res
+       * @param {NextFunction} next
+       * @returns {void}
+       */
+      middleware: (req, res, next) => {
+        if (req.method !== "GET" && req.method !== "HEAD") {
+          next();
+          return;
+        }
 
-        res.end("</body></html>");
-      });
+        this.invalidate();
+
+        res.end();
+      },
     });
-  }
 
-  /**
-   * @private
-   * @returns {void}
-   */
-  setupWatchStaticFiles() {
-    if (/** @type {NormalizedStatic[]} */ (this.options.static).length > 0) {
-      /** @type {NormalizedStatic[]} */
-      (this.options.static).forEach((staticOption) => {
-        if (staticOption.watch) {
-          this.watchFiles(staticOption.directory, staticOption.watch);
+    middlewares.push({
+      name: "webpack-dev-server-open-editor",
+      path: "/webpack-dev-server/open-editor",
+      /**
+       * @param {Request} req
+       * @param {Response} res
+       * @param {NextFunction} next
+       * @returns {void}
+       */
+      middleware: (req, res, next) => {
+        if (req.method !== "GET" && req.method !== "HEAD") {
+          next();
+          return;
         }
-      });
-    }
-  }
 
-  /**
-   * @private
-   * @returns {void}
-   */
-  setupWatchFiles() {
-    const { watchFiles } = this.options;
-
-    if (/** @type {WatchFiles[]} */ (watchFiles).length > 0) {
-      /** @type {WatchFiles[]} */
-      (watchFiles).forEach((item) => {
-        this.watchFiles(item.paths, item.options);
-      });
-    }
-  }
+        if (!req.url) {
+          next();
+          return;
+        }
 
-  /**
-   * @private
-   * @returns {void}
-   */
-  setupMiddlewares() {
-    /**
-     * @type {Array<Middleware>}
-     */
-    let middlewares = [];
+        const resolveUrl = new URL(req.url, `http://${req.headers.host}`);
+        const params = new URLSearchParams(resolveUrl.search);
+        const fileName = params.get("fileName");
 
-    // compress is placed last and uses unshift so that it will be the first middleware used
-    if (this.options.compress) {
-      const compression = require("compression");
+        if (typeof fileName === "string") {
+          // @ts-ignore
+          const launchEditor = require("launch-editor");
 
-      middlewares.push({ name: "compression", middleware: compression() });
-    }
+          launchEditor(fileName);
+        }
 
-    if (typeof this.options.headers !== "undefined") {
-      middlewares.push({
-        name: "set-headers",
-        path: "*",
-        middleware: this.setHeaders.bind(this),
-      });
-    }
+        res.end();
+      },
+    });
 
     middlewares.push({
-      name: "webpack-dev-middleware",
-      middleware:
-        /** @type {import("webpack-dev-middleware").Middleware<Request, Response>}*/
-        (this.middleware),
+      name: "webpack-dev-server-assets",
+      path: "/webpack-dev-server",
+      /**
+       * @param {Request} req
+       * @param {Response} res
+       * @param {NextFunction} next
+       * @returns {void}
+       */
+      middleware: (req, res, next) => {
+        if (req.method !== "GET" && req.method !== "HEAD") {
+          next();
+          return;
+        }
+
+        if (!this.middleware) {
+          next();
+          return;
+        }
+
+        this.middleware.waitUntilValid((stats) => {
+          res.setHeader("Content-Type", "text/html; charset=utf-8");
+
+          // HEAD requests should not return body content
+          if (req.method === "HEAD") {
+            res.end();
+            return;
+          }
+
+          res.write(
+            '<!DOCTYPE html><html><head><meta charset="utf-8"/></head><body>',
+          );
+
+          /**
+           * @type {StatsCompilation[]}
+           */
+          const statsForPrint =
+            typeof (/** @type {MultiStats} */ (stats).stats) !== "undefined"
+              ? /** @type {NonNullable<StatsCompilation["children"]>} */
+                (/** @type {MultiStats} */ (stats).toJson().children)
+              : [/** @type {Stats} */ (stats).toJson()];
+
+          res.write(`<h1>Assets Report:</h1>`);
+
+          for (const [index, item] of statsForPrint.entries()) {
+            res.write("<div>");
+
+            const name =
+              // eslint-disable-next-line no-nested-ternary
+              typeof item.name !== "undefined"
+                ? item.name
+                : /** @type {MultiStats} */ (stats).stats
+                  ? `unnamed[${index}]`
+                  : "unnamed";
+
+            res.write(`<h2>Compilation: ${name}</h2>`);
+            res.write("<ul>");
+
+            const publicPath =
+              item.publicPath === "auto" ? "" : item.publicPath;
+            const assets =
+              /** @type {NonNullable<StatsCompilation["assets"]>} */
+              (item.assets);
+
+            for (const asset of assets) {
+              const assetName = asset.name;
+              const assetURL = `${publicPath}${assetName}`;
+
+              res.write(
+                `<li>
+              <strong><a href="${assetURL}" target="_blank">${assetName}</a></strong>
+            </li>`,
+              );
+            }
+
+            res.write("</ul>");
+            res.write("</div>");
+          }
+
+          res.end("</body></html>");
+        });
+      },
     });
 
     if (this.options.proxy) {
@@ -2045,8 +2287,7 @@ class Server {
        *   }
        * ]
        */
-      /** @type {ProxyConfigArray} */
-      (this.options.proxy).forEach((proxyConfigOrCallback) => {
+      this.options.proxy.forEach((proxyConfigOrCallback) => {
         /**
          * @type {RequestHandler}
          */
@@ -2114,8 +2355,8 @@ class Server {
 
           if (typeof bypassUrl === "boolean") {
             // skip the proxy
-            // @ts-ignore
-            req.url = null;
+            res.statusCode = 404;
+            req.url = "";
             next();
           } else if (typeof bypassUrl === "string") {
             // byPass to that url
@@ -2132,6 +2373,7 @@ class Server {
           name: "http-proxy-middleware",
           middleware: handler,
         });
+
         // Also forward error requests to the proxy so it can handle them.
         middlewares.push({
           name: "http-proxy-middleware-error-handler",
@@ -2149,16 +2391,17 @@ class Server {
 
       middlewares.push({
         name: "webpack-dev-middleware",
-        middleware:
-          /** @type {import("webpack-dev-middleware").Middleware<Request, Response>}*/
-          (this.middleware),
+        middleware: /** @type {MiddlewareHandler} */ (this.middleware),
       });
     }
 
-    if (/** @type {NormalizedStatic[]} */ (this.options.static).length > 0) {
+    const staticOptions =
       /** @type {NormalizedStatic[]} */
-      (this.options.static).forEach((staticOption) => {
-        staticOption.publicPath.forEach((publicPath) => {
+      (this.options.static);
+
+    if (staticOptions.length > 0) {
+      for (const staticOption of staticOptions) {
+        for (const publicPath of staticOption.publicPath) {
           middlewares.push({
             name: "express-static",
             path: publicPath,
@@ -2167,8 +2410,8 @@ class Server {
               staticOption.staticOptions,
             ),
           });
-        });
-      });
+        }
+      }
     }
 
     if (this.options.historyApiFallback) {
@@ -2205,15 +2448,12 @@ class Server {
       // it is able to handle '/index.html' request after redirect
       middlewares.push({
         name: "webpack-dev-middleware",
-        middleware:
-          /** @type {import("webpack-dev-middleware").Middleware<Request, Response>}*/
-          (this.middleware),
+        middleware: /** @type {MiddlewareHandler} */ (this.middleware),
       });
 
-      if (/** @type {NormalizedStatic[]} */ (this.options.static).length > 0) {
-        /** @type {NormalizedStatic[]} */
-        (this.options.static).forEach((staticOption) => {
-          staticOption.publicPath.forEach((publicPath) => {
+      if (staticOptions.length > 0) {
+        for (const staticOption of staticOptions) {
+          for (const publicPath of staticOption.publicPath) {
             middlewares.push({
               name: "express-static",
               path: publicPath,
@@ -2222,17 +2462,16 @@ class Server {
                 staticOption.staticOptions,
               ),
             });
-          });
-        });
+          }
+        }
       }
     }
 
-    if (/** @type {NormalizedStatic[]} */ (this.options.static).length > 0) {
+    if (staticOptions.length > 0) {
       const serveIndex = require("serve-index");
 
-      /** @type {NormalizedStatic[]} */
-      (this.options.static).forEach((staticOption) => {
-        staticOption.publicPath.forEach((publicPath) => {
+      for (const staticOption of staticOptions) {
+        for (const publicPath of staticOption.publicPath) {
           if (staticOption.serveIndex) {
             middlewares.push({
               name: "serve-index",
@@ -2257,15 +2496,14 @@ class Server {
               },
             });
           }
-        });
-      });
+        }
+      }
     }
 
     // Register this middleware always as the last one so that it's only used as a
     // fallback when no other middleware responses.
     middlewares.push({
       name: "options-middleware",
-      path: "*",
       /**
        * @param {Request} req
        * @param {Response} res
@@ -2287,37 +2525,93 @@ class Server {
       middlewares = this.options.setupMiddlewares(middlewares, this);
     }
 
-    middlewares.forEach((middleware) => {
+    // Lazy init webpack dev middleware
+    const lazyInitDevMiddleware = () => {
+      if (!this.middleware) {
+        const webpackDevMiddleware = require("webpack-dev-middleware");
+
+        // middleware for serving webpack bundle
+        /** @type {import("webpack-dev-middleware").API<Request, Response>} */
+        this.middleware = webpackDevMiddleware(
+          this.compiler,
+          this.options.devMiddleware,
+        );
+      }
+
+      return this.middleware;
+    };
+
+    for (const i of middlewares) {
+      if (i.name === "webpack-dev-middleware") {
+        const item = /** @type {MiddlewareObject} */ (i);
+
+        if (typeof item.middleware === "undefined") {
+          item.middleware = lazyInitDevMiddleware();
+        }
+      }
+    }
+
+    for (const middleware of middlewares) {
       if (typeof middleware === "function") {
-        /** @type {import("express").Application} */
-        (this.app).use(middleware);
+        /** @type {A} */
+        (this.app).use(
+          /** @type {NextHandleFunction | HandleFunction} */
+          (middleware),
+        );
       } else if (typeof middleware.path !== "undefined") {
-        /** @type {import("express").Application} */
-        (this.app).use(middleware.path, middleware.middleware);
+        /** @type {A} */
+        (this.app).use(
+          middleware.path,
+          /** @type {SimpleHandleFunction | NextHandleFunction} */
+          (middleware.middleware),
+        );
       } else {
-        /** @type {import("express").Application} */
-        (this.app).use(middleware.middleware);
+        /** @type {A} */
+        (this.app).use(
+          /** @type {NextHandleFunction | HandleFunction} */
+          (middleware.middleware),
+        );
       }
-    });
+    }
   }
 
   /**
    * @private
-   * @returns {void}
+   * @returns {Promise<void>}
    */
-  createServer() {
-    const { type, options } = /** @type {ServerConfiguration} */ (
-      this.options.server
-    );
+  async createServer() {
+    const { type, options } =
+      /** @type {ServerConfiguration<A, S>} */
+      (this.options.server);
+
+    if (typeof type === "function") {
+      /** @type {S | undefined}*/
+      this.server = await type(
+        /** @type {ServerOptions} */
+        (options),
+        /** @type {A} */
+        (this.app),
+      );
+    } else {
+      // eslint-disable-next-line import/no-dynamic-require
+      const serverType = require(/** @type {string} */ (type));
 
-    /** @type {import("http").Server | undefined | null} */
-    // eslint-disable-next-line import/no-dynamic-require
-    this.server = require(/** @type {string} */ (type)).createServer(
-      options,
-      this.app,
-    );
+      /** @type {S | undefined}*/
+      this.server =
+        type === "http2"
+          ? serverType.createSecureServer(
+              { ...options, allowHTTP1: true },
+              this.app,
+            )
+          : serverType.createServer(options, this.app);
+    }
 
-    /** @type {import("http").Server} */
+    this.isTlsServer =
+      typeof (
+        /** @type {import("tls").Server} */ (this.server).setSecureContext
+      ) !== "undefined";
+
+    /** @type {S} */
     (this.server).on(
       "connection",
       /**
@@ -2334,7 +2628,7 @@ class Server {
       },
     );
 
-    /** @type {import("http").Server} */
+    /** @type {S} */
     (this.server).on(
       "error",
       /**
@@ -2352,9 +2646,8 @@ class Server {
    */
   createWebSocketServer() {
     /** @type {WebSocketServerImplementation | undefined | null} */
-    this.webSocketServer = new /** @type {any} */ (this.getServerTransport())(
-      this,
-    );
+    this.webSocketServer = new (this.getServerTransport())(this);
+
     /** @type {WebSocketServerImplementation} */
     (this.webSocketServer).implementation.on(
       "connection",
@@ -2384,8 +2677,9 @@ class Server {
 
         if (
           !headers ||
-          !this.checkHeader(headers, "host") ||
-          !this.checkHeader(headers, "origin")
+          !this.isValidHost(headers, "host") ||
+          !this.isValidHost(headers, "origin") ||
+          !this.isSameOrigin(headers)
         ) {
           this.sendMessage([client], "error", "Invalid Host/Origin header");
 
@@ -2419,7 +2713,8 @@ class Server {
 
         if (
           this.options.client &&
-          /** @type {ClientConfiguration} */ (this.options.client).reconnect
+          /** @type {ClientConfiguration} */
+          (this.options.client).reconnect
         ) {
           this.sendMessage(
             [client],
@@ -2434,9 +2729,9 @@ class Server {
           /** @type {ClientConfiguration} */
           (this.options.client).overlay
         ) {
-          const overlayConfig = /** @type {ClientConfiguration} */ (
-            this.options.client
-          ).overlay;
+          const overlayConfig =
+            /** @type {ClientConfiguration} */
+            (this.options.client).overlay;
 
           this.sendMessage(
             [client],
@@ -2521,22 +2816,19 @@ class Server {
    */
   runBonjour() {
     const { Bonjour } = require("bonjour-service");
+    const type = this.isTlsServer ? "https" : "http";
+
     /**
      * @private
      * @type {Bonjour | undefined}
      */
     this.bonjour = new Bonjour();
     this.bonjour.publish({
-      // @ts-expect-error
       name: `Webpack Dev Server ${os.hostname()}:${this.options.port}`,
-      // @ts-expect-error
       port: /** @type {number} */ (this.options.port),
-      // @ts-expect-error
-      type:
-        /** @type {ServerConfiguration} */
-        (this.options.server).type === "http" ? "http" : "https",
+      type,
       subtypes: ["webpack"],
-      .../** @type {BonjourOptions} */ (this.options.bonjour),
+      .../** @type {Partial<BonjourOptions>} */ (this.options.bonjour),
     });
   }
 
@@ -2616,23 +2908,15 @@ class Server {
     };
     const useColor = getColorsOption(this.getCompilerOptions());
 
+    const server = /** @type {S} */ (this.server);
+
     if (this.options.ipc) {
-      this.logger.info(
-        `Project is running at: "${
-          /** @type {import("http").Server} */
-          (this.server).address()
-        }"`,
-      );
+      this.logger.info(`Project is running at: "${server.address()}"`);
     } else {
-      const protocol =
-        /** @type {ServerConfiguration} */
-        (this.options.server).type === "http" ? "http" : "https";
+      const protocol = this.isTlsServer ? "https" : "http";
       const { address, port } =
         /** @type {import("net").AddressInfo} */
-        (
-          /** @type {import("http").Server} */
-          (this.server).address()
-        );
+        (server.address());
       /**
        * @param {string} newHostname
        * @returns {string}
@@ -2640,7 +2924,7 @@ class Server {
       const prettyPrintURL = (newHostname) =>
         url.format({ protocol, hostname: newHostname, port, pathname: "/" });
 
-      let server;
+      let host;
       let localhost;
       let loopbackIPv4;
       let loopbackIPv6;
@@ -2660,7 +2944,7 @@ class Server {
           }
 
           if (!isIP) {
-            server = prettyPrintURL(this.options.host);
+            host = prettyPrintURL(this.options.host);
           }
         }
       }
@@ -2669,14 +2953,15 @@ class Server {
 
       if (parsedIP.range() === "unspecified") {
         localhost = prettyPrintURL("localhost");
+        loopbackIPv6 = prettyPrintURL("::1");
 
-        const networkIPv4 = await Server.internalIP("v4");
+        const networkIPv4 = Server.findIp("v4", false);
 
         if (networkIPv4) {
           networkUrlIPv4 = prettyPrintURL(networkIPv4);
         }
 
-        const networkIPv6 = await Server.internalIP("v6");
+        const networkIPv6 = Server.findIp("v6", false);
 
         if (networkIPv6) {
           networkUrlIPv6 = prettyPrintURL(networkIPv6);
@@ -2705,8 +2990,8 @@ class Server {
 
       this.logger.info("Project is running at:");
 
-      if (server) {
-        this.logger.info(`Server: ${colors.info(useColor, server)}`);
+      if (host) {
+        this.logger.info(`Server: ${colors.info(useColor, host)}`);
       }
 
       if (localhost || loopbackIPv4 || loopbackIPv6) {
@@ -2778,11 +3063,7 @@ class Server {
     if (this.options.bonjour) {
       const bonjourProtocol =
         /** @type {BonjourOptions} */
-        (this.options.bonjour).type ||
-        /** @type {ServerConfiguration} */
-        (this.options.server).type === "http"
-          ? "http"
-          : "https";
+        (this.options.bonjour).type || this.isTlsServer ? "https" : "http";
 
       this.logger.info(
         `Broadcasting "${bonjourProtocol}" with subtype of "webpack" via ZeroConf DNS (Bonjour)`,
@@ -2804,8 +3085,8 @@ class Server {
         headers = headers(
           req,
           res,
-          /** @type {import("webpack-dev-middleware").API<IncomingMessage, ServerResponse>}*/
-          (this.middleware).context,
+          // eslint-disable-next-line no-undefined
+          this.middleware ? this.middleware.context : undefined,
         );
       }
 
@@ -2824,14 +3105,9 @@ class Server {
         headers = allHeaders;
       }
 
-      headers.forEach(
-        /**
-         * @param {{key: string, value: any}} header
-         */
-        (header) => {
-          res.setHeader(header.key, header.value);
-        },
-      );
+      for (const { key, value } of headers) {
+        res.setHeader(key, value);
+      }
     }
 
     next();
@@ -2839,100 +3115,176 @@ class Server {
 
   /**
    * @private
-   * @param {{ [key: string]: string | undefined }} headers
-   * @param {string} headerToCheck
+   * @param {string} value
    * @returns {boolean}
    */
-  checkHeader(headers, headerToCheck) {
+  isHostAllowed(value) {
+    const { allowedHosts } = this.options;
+
     // allow user to opt out of this security check, at their own risk
     // by explicitly enabling allowedHosts
+    if (allowedHosts === "all") {
+      return true;
+    }
+
+    // always allow localhost host, for convenience
+    // allow if value is in allowedHosts
+    if (Array.isArray(allowedHosts) && allowedHosts.length > 0) {
+      for (const allowedHost of allowedHosts) {
+        if (allowedHost === value) {
+          return true;
+        }
+
+        // support "." as a subdomain wildcard
+        // e.g. ".example.com" will allow "example.com", "www.example.com", "subdomain.example.com", etc
+        if (allowedHost.startsWith(".")) {
+          // "example.com"  (value === allowedHost.substring(1))
+          // "*.example.com"  (value.endsWith(allowedHost))
+          if (
+            value === allowedHost.substring(1) ||
+            /** @type {string} */
+            (value).endsWith(allowedHost)
+          ) {
+            return true;
+          }
+        }
+      }
+    }
+
+    // Also allow if `client.webSocketURL.hostname` provided
+    if (
+      this.options.client &&
+      typeof (
+        /** @type {ClientConfiguration} */
+        (this.options.client).webSocketURL
+      ) !== "undefined"
+    ) {
+      return (
+        /** @type {WebSocketURL} */
+        (/** @type {ClientConfiguration} */ (this.options.client).webSocketURL)
+          .hostname === value
+      );
+    }
+
+    return false;
+  }
+
+  /**
+   * @private
+   * @param {{ [key: string]: string | undefined }} headers
+   * @param {string} headerToCheck
+   * @param {boolean} validateHost
+   * @returns {boolean}
+   */
+  isValidHost(headers, headerToCheck, validateHost = true) {
     if (this.options.allowedHosts === "all") {
       return true;
     }
 
     // get the Host header and extract hostname
     // we don't care about port not matching
-    const hostHeader = headers[headerToCheck];
+    const header = headers[headerToCheck];
 
-    if (!hostHeader) {
+    if (!header) {
       return false;
     }
 
-    if (/^(file|.+-extension):/i.test(hostHeader)) {
+    if (DEFAULT_ALLOWED_PROTOCOLS.test(header)) {
       return true;
     }
 
     // use the node url-parser to retrieve the hostname from the host-header.
     const hostname = url.parse(
-      // if hostHeader doesn't have scheme, add // for parsing.
-      /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+      // if header doesn't have scheme, add // for parsing.
+      /^(.+:)?\/\//.test(header) ? header : `//${header}`,
       false,
       true,
     ).hostname;
 
+    if (hostname === null) {
+      return false;
+    }
+
+    if (this.isHostAllowed(hostname)) {
+      return true;
+    }
+
     // always allow requests with explicit IPv4 or IPv6-address.
     // A note on IPv6 addresses:
-    // hostHeader will always contain the brackets denoting
+    // header will always contain the brackets denoting
     // an IPv6-address in URLs,
     // these are removed from the hostname in url.parse(),
     // so we have the pure IPv6-address in hostname.
     // For convenience, always allow localhost (hostname === 'localhost')
     // and its subdomains (hostname.endsWith(".localhost")).
     // allow hostname of listening address  (hostname === this.options.host)
-    const isValidHostname =
-      (hostname !== null && ipaddr.IPv4.isValid(hostname)) ||
-      (hostname !== null && ipaddr.IPv6.isValid(hostname)) ||
-      hostname === "localhost" ||
-      (hostname !== null && hostname.endsWith(".localhost")) ||
-      hostname === this.options.host;
-
-    if (isValidHostname) {
+    const isValidHostname = validateHost
+      ? ipaddr.IPv4.isValid(hostname) ||
+        ipaddr.IPv6.isValid(hostname) ||
+        hostname === "localhost" ||
+        hostname.endsWith(".localhost") ||
+        hostname === this.options.host
+      : false;
+
+    return isValidHostname;
+  }
+
+  /**
+   * @private
+   * @param {{ [key: string]: string | undefined }} headers
+   * @returns {boolean}
+   */
+  isSameOrigin(headers) {
+    if (this.options.allowedHosts === "all") {
       return true;
     }
 
-    const { allowedHosts } = this.options;
+    const originHeader = headers.origin;
 
-    // always allow localhost host, for convenience
-    // allow if hostname is in allowedHosts
-    if (Array.isArray(allowedHosts) && allowedHosts.length > 0) {
-      for (let hostIdx = 0; hostIdx < allowedHosts.length; hostIdx++) {
-        const allowedHost = allowedHosts[hostIdx];
+    if (!originHeader) {
+      return this.options.allowedHosts === "all";
+    }
 
-        if (allowedHost === hostname) {
-          return true;
-        }
+    if (DEFAULT_ALLOWED_PROTOCOLS.test(originHeader)) {
+      return true;
+    }
 
-        // support "." as a subdomain wildcard
-        // e.g. ".example.com" will allow "example.com", "www.example.com", "subdomain.example.com", etc
-        if (allowedHost[0] === ".") {
-          // "example.com"  (hostname === allowedHost.substring(1))
-          // "*.example.com"  (hostname.endsWith(allowedHost))
-          if (
-            hostname === allowedHost.substring(1) ||
-            /** @type {string} */ (hostname).endsWith(allowedHost)
-          ) {
-            return true;
-          }
-        }
-      }
+    const origin = url.parse(originHeader, false, true).hostname;
+
+    if (origin === null) {
+      return false;
     }
 
-    // Also allow if `client.webSocketURL.hostname` provided
-    if (
-      this.options.client &&
-      typeof (
-        /** @type {ClientConfiguration} */ (this.options.client).webSocketURL
-      ) !== "undefined"
-    ) {
-      return (
-        /** @type {WebSocketURL} */
-        (/** @type {ClientConfiguration} */ (this.options.client).webSocketURL)
-          .hostname === hostname
-      );
+    if (this.isHostAllowed(origin)) {
+      return true;
     }
 
-    // disallow
-    return false;
+    const hostHeader = headers.host;
+
+    if (!hostHeader) {
+      return this.options.allowedHosts === "all";
+    }
+
+    if (DEFAULT_ALLOWED_PROTOCOLS.test(hostHeader)) {
+      return true;
+    }
+
+    const host = url.parse(
+      // if hostHeader doesn't have scheme, add // for parsing.
+      /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+      false,
+      true,
+    ).hostname;
+
+    if (host === null) {
+      return false;
+    }
+
+    if (this.isHostAllowed(host)) {
+      return true;
+    }
+
+    return origin === host;
   }
 
   /**
@@ -3104,7 +3456,7 @@ class Server {
 
     await /** @type {Promise<void>} */ (
       new Promise((resolve) => {
-        /** @type {import("http").Server} */
+        /** @type {S} */
         (this.server).listen(listenOptions, () => {
           resolve();
         });
@@ -3190,10 +3542,10 @@ class Server {
     if (this.server) {
       await /** @type {Promise<void>} */ (
         new Promise((resolve) => {
-          /** @type {import("http").Server} */
+          /** @type {S} */
           (this.server).close(() => {
-            this.server = null;
-
+            // eslint-disable-next-line no-undefined
+            this.server = undefined;
             resolve();
           });
 
@@ -3212,7 +3564,6 @@ class Server {
             (this.middleware).close((error) => {
               if (error) {
                 reject(error);
-
                 return;
               }
 
@@ -3221,7 +3572,8 @@ class Server {
           })
         );
 
-        this.middleware = null;
+        // eslint-disable-next-line no-undefined
+        this.middleware = undefined;
       }
     }