Backport security fix from v5.2.1 to version-4 (non-Chromium browser dev-server vulnerability) #5534


Open · wants to merge 2 commits into base: version-4

Conversation


@Wajih-Ul-Hasan Wajih-Ul-Hasan commented Jul 11, 2025

Summary

Backported the security patch from v5.2.1 to the version-4 branch to prevent dev client injection into unauthorized or potentially malicious browsers via the /webpack-dev-server route.

What This Fixes

  • Prevents exposure of dev asset listings and client scripts to untrusted sources
  • Implements a header-based access control mechanism instead of relying on insecure User-Agent detection

Context

Relevant to: #5313
Inspired by: #5315 (official v5.2.1 patch)

Since [email protected] depends on [email protected], and upgrading to v5 is not always viable for projects in production, this patch brings essential security hardening to the v4 codebase.

Implementation Details

  • Introduced isTrustedClient() helper to verify presence of webpack-dev-server-client header
  • /webpack-dev-server route now denies access (403) if the required header is missing
  • Patch mirrors the core logic used in v5.2.1, but adapted to v4’s Express-based routing
  • Clean, isolated backport to avoid impact on unrelated parts of the server

Thanks for considering this backport 🙏
Happy to adjust based on any review feedback.


linux-foundation-easycla bot commented Jul 11, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@Wajih-Ul-Hasan (Author)

Hi @alexander-akait — tagging you as discussed in Issue #5313. This PR backports the dev-server security fix for non-Chromium browsers to the version-4 branch. Let me know if any changes are needed.

@alexander-akait (Member)

Sorry, it is not a good fix; we can't apply a security fix using userAgentHeader, it is unsafe and insecure. We need to backport the header logic.

@Wajih-Ul-Hasan (Author)

Wajih-Ul-Hasan commented Jul 11, 2025

@alexander-akait If you have any better logic in mind, kindly share it with me. I will implement it.

@alexander-akait (Member)

There is a start of work in #5514; we just need to backport this logic from v5 to v4.


2 participants