Default responses and headers
Edit this page
Defaults that are added automatically on requests when using EAS Hosting.
EAS Hosting applies several defaults to your deployment that are supposed to help you and reduce the amount of code you have to add yourself for simple API routes.
Asset responses
An asset response contains additional metadata headers for browsers, mostly for caching.
A default ETag header is added to all asset responses to allow browsers to re-validate their caches using if-none-match request headers.
CORS responses
By default, if an API route does not handle OPTIONS requests, EAS Hosting will automatically respond with a default CORS response.
This default is very permissible and generally allows all browsers to make requests to the API route. If you don't want this, handle OPTIONS requests in API routes yourself.
The following headers will be sent by default:
Access-Control-Allow-Origin: <origin || '*'>
Access-Control-Allow-Headers: <access-control-request-headers || '*'>
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
Vary: Origin, Access-Control-Request-Headers
These headers will allow any client to make a request from any origin, with any headers, with credentials, and cache the OPTIONS response for 3600 seconds.
More information on preflight OPTIONS requests can be found in the MDN documentation.
Strict-Transport-Security header
This header tells browsers to only access a URL with the HTTPS protocol in the future. EAS Hosting automatically adds this header if it's missing.
Its default value is set to max-age=31536000; includeSubDomains; preload.
For more information on why this header is a good default, improves security, and performance, read this article on web.dev and read more about Strict-Transport-Security header in the MDN documentation.
Common version headers
By default, EAS Hosting will remove and not forward any X-Powered-By and X-Aspnet-Version headers. With API routes, this header does not serve much of a purpose and we don't recommend you add alternative headers like X-Powered-By to your API routes as it unnecessarily exposes internal information on the code you're running.
Frame Content-Security Policy (CSP)
By default, browsers allow any webpage to render in an iframe. Unfortunately, this allows phishing attacks such as clickjacking which is used by malicious actors to overlay a page with their own controls and inputs, to steal credentials or coerce users to perform certain actions.
To prevent this, EAS Hosting adds a frame-ancestors 'self' directive by default, telling browsers to not embed EAS Hosting in iframes on other domains that you don't control.
This is equivalent to setting the (older) X-Frame-Options header to SAMEORIGIN.This default directive is only applied to responses with text/html content types, so it will only be applied to HTML pages.
If your API routes respond with custom X-Frame-Options headers, these headers will automatically be converted to Content-Security-Policy directives in your response.
Crash pages
If your API route throws an unhandled JavaScript error, this is treated as a "crash" since your API route was unable to deliver an error.
EAS Hosting will respond with an error page in these cases. The error page will be rendered as an HTML response, if the Accept: text/html request header was sent. Otherwise, it will only respond with a plaintext response.
Request headers
EAS Hosting will add the following headers to every request, before they're forwarded to your API routes. These headers generally add more information about who made the request.
| Request header | Description |
|---|---|
Forwarded | Comma-separated list of semicolon-separated for, host, and proto parameters.See MDN documentation on the HTTP Forwarded header for more information. |
X-Forwarded-For | Comma-separated list of forwarder IPs for a given request |
X-Forwarded-Proto | Protocol used to make the request. Typically, https |
X-Forwarded-Host | Hostname from the incoming request |
X-Real-IP | IP address from the incoming request |
Origin | URL Origin from the incoming request |
Host | Hostname of the forwarded request (matching request.url's hostname) |
eas-colo | Code of the Cloudflare data center that handled the request. For example, lhr |
eas-ip-continent | Two letter continent code of the client. One of: AF, AN, AS, EU, NA, OC, or SA |
eas-ip-country | Three letter country code of the client in ISO-3166 Alpha 2 format. For example, US or JP |
eas-ip-region | Region code of the client in ISO-3166-2 format, which has a maximum length of three characters |
eas-ip-city | Human-readable city name of the client (optional). For example, London or Chicago |
eas-ip-latitude | Best guess of the client's latitude (optional) |
eas-ip-longitude | Best guess of the client's longitude (optional) |
eas-ip-timezone | Timezone of the client. For example, Europe/London |
eas-ip-eu | Set to 1 when the request likely originated in the jurisdictional area of the European Union |
Request URL and origin
EAS Hosting routes requests from several hostnames to your deployments. Aliases and Custom domains mean that there may be a difference between the incoming URL that clients have used to make a request, and the target URL that your API routes receive.
For example, while a client may make a request to an alias URL such as https://my-app--staging.expo.app/, the worker deployment that will receive the request will have a URL containing its deployment ID, such as https://my-app--or1170q9ix.expo.app/.
This difference is also present in the Request's URL and headers that you receive in your API routes. While the request.url will be your worker deployment's URL, the Origin and X-Forwarded-Host header will be set to the incoming URL that the client used to make the request.
export async function GET(request) {
request.url; // 'https://my-app--or1170q9ix.expo.app/'
request.headers.get('Origin'); // 'https://my-app--staging.expo.app/'
request.headers.get('X-Forwarded-Host'); // 'my-app--staging.expo.app'
origin; // 'https://my-app--staging.expo.app/'
}
IP headers
The request contains several headers to identify the IP address of the user's device that made the request:
Forwardedcontains a comma-separated list of semicolon-separated parameters. Each entry in the list represents a proxy that forwarded the request. Therefore, the first entry'sforparameter is likely the original client's IP address.X-Forwarded-Foronly contains a comma-separated list of IP addresses. Each entry in the list represents a proxy that forwarded the request as well.X-Real-IPcontains only the original request's IP address
For example, to retrieve the IP address of the user's browser that is calling your API route, read the X-Real-IP header from the request:
export async function GET(request) {
const ip = request.headers.get('X-Real-IP');
}
Geo headers
The request also contains several headers containing geographical information about where the request came from:
eas-colocontains the Cloudflare code for the data center that handled your request. For example,lhr.eas-ip-continentcontains the continent code of the current request:AFfor AfricaANfor AntarcticaASfor AsiaEUfor EuropeNAfor North AmericaOCfor OceaniaSAfor South America.
eas-ip-countrycontains the ISO-3166 Alpha 2 country code. This is at most two letters long. For example,USorJP.eas-ip-regioncontains the ISO-3166-2 region code for the request. This value is a maximum of three characters long. However, it can vary based on how region codes in a specific country work for the requested origin.. It could comprise one to three digits, one to three letters, or any other combination.eas-ip-citymay contain a human-readable name of a city. For exampleLondonorChicago.eas-ip-latitudeandeas-ip-longitudecontain an approximate latitude and longitude for the request.eas-ip-timezonecontains a best guess of the timezone the request originated in. For example,Europe/Londoneas-ip-euis set to1when the request likely originated in the jurisdictional area of the European Union.