Default responses and headers

Edit this page

Defaults that are added automatically on requests when using EAS Hosting.


EAS Hosting applies several defaults to your deployment that are supposed to help you and reduce the amount of code you have to add yourself for simple API routes.

Asset responses

An asset response contains additional metadata headers for browsers, mostly for caching.

A default ETag header is added to all asset responses to allow browsers to re-validate their caches using if-none-match request headers.

CORS responses

By default, if an API route does not handle OPTIONS requests, EAS Hosting will automatically respond with a default CORS response.

This default is very permissible and generally allows all browsers to make requests to the API route. If you don't want this, handle OPTIONS requests in API routes yourself.

The following headers will be sent by default:

Access-Control-Allow-Origin: <origin || '*'>
Access-Control-Allow-Headers: <access-control-request-headers || '*'>
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
Vary: Origin, Access-Control-Request-Headers

These headers will allow any client to make a request from any origin, with any headers, with credentials, and cache the OPTIONS response for 3600 seconds.

More information on preflight OPTIONS requests can be found in the MDN documentation.

Strict-Transport-Security header

This header tells browsers to only access a URL with the HTTPS protocol in the future. EAS Hosting automatically adds this header if it's missing.

Its default value is set to max-age=31536000; includeSubDomains; preload.

For more information on why this header is a good default, improves security, and performance, read this article on web.dev and read more about Strict-Transport-Security header in the MDN documentation.

Common version headers

By default, EAS Hosting will remove and not forward any X-Powered-By and X-Aspnet-Version headers. With API routes, this header does not serve much of a purpose and we don't recommend you add alternative headers like X-Powered-By to your API routes as it unnecessarily exposes internal information on the code you're running.

Frame Content-Security Policy (CSP)

By default, browsers allow any webpage to render in an iframe. Unfortunately, this allows phishing attacks such as clickjacking which is used by malicious actors to overlay a page with their own controls and inputs, to steal credentials or coerce users to perform certain actions.

To prevent this, EAS Hosting adds a frame-ancestors 'self' directive by default, telling browsers to not embed EAS Hosting in iframes on other domains that you don't control.

This is equivalent to setting the (older) X-Frame-Options header to SAMEORIGIN.This default directive is only applied to responses with text/html content types, so it will only be applied to HTML pages.

If your API routes respond with custom X-Frame-Options headers, these headers will automatically be converted to Content-Security-Policy directives in your response.

Crash pages

If your API route throws an unhandled JavaScript error, this is treated as a "crash" since your API route was unable to deliver an error.

EAS Hosting will respond with an error page in these cases. The error page will be rendered as an HTML response, if the Accept: text/html request header was sent. Otherwise, it will only respond with a plaintext response.

Request headers

EAS Hosting will add the following headers to every request, before they're forwarded to your API routes. These headers generally add more information about who made the request.

Request headerDescription
ForwardedComma-separated list of semicolon-separated for, host, and proto parameters.
See MDN documentation on the HTTP Forwarded header for more information.
X-Forwarded-ForComma-separated list of forwarder IPs for a given request
X-Forwarded-ProtoProtocol used to make the request. Typically, https
X-Forwarded-HostHostname from the incoming request
X-Real-IPIP address from the incoming request
OriginURL Origin from the incoming request
HostHostname of the forwarded request (matching request.url's hostname)
eas-coloCode of the Cloudflare data center that handled the request. For example, lhr
eas-ip-continentTwo letter continent code of the client.
One of: AF, AN, AS, EU, NA, OC, or SA
eas-ip-countryThree letter country code of the client in ISO-3166 Alpha 2 format.
For example, US or JP
eas-ip-regionRegion code of the client in ISO-3166-2 format, which has a maximum length of three characters
eas-ip-cityHuman-readable city name of the client (optional). For example, London or Chicago
eas-ip-latitudeBest guess of the client's latitude (optional)
eas-ip-longitudeBest guess of the client's longitude (optional)
eas-ip-timezoneTimezone of the client. For example, Europe/London
eas-ip-euSet to 1 when the request likely originated in the jurisdictional area of the European Union

Request URL and origin

EAS Hosting routes requests from several hostnames to your deployments. Aliases and Custom domains mean that there may be a difference between the incoming URL that clients have used to make a request, and the target URL that your API routes receive.

For example, while a client may make a request to an alias URL such as https://my-app--staging.expo.app/, the worker deployment that will receive the request will have a URL containing its deployment ID, such as https://my-app--or1170q9ix.expo.app/.

This difference is also present in the Request's URL and headers that you receive in your API routes. While the request.url will be your worker deployment's URL, the Origin and X-Forwarded-Host header will be set to the incoming URL that the client used to make the request.

export async function GET(request) {
  request.url; // 'https://my-app--or1170q9ix.expo.app/'
  request.headers.get('Origin'); // 'https://my-app--staging.expo.app/'
  request.headers.get('X-Forwarded-Host'); // 'my-app--staging.expo.app'
  origin; // 'https://my-app--staging.expo.app/'
}

IP headers

The request contains several headers to identify the IP address of the user's device that made the request:

  • Forwarded contains a comma-separated list of semicolon-separated parameters. Each entry in the list represents a proxy that forwarded the request. Therefore, the first entry's for parameter is likely the original client's IP address.
  • X-Forwarded-For only contains a comma-separated list of IP addresses. Each entry in the list represents a proxy that forwarded the request as well.
  • X-Real-IP contains only the original request's IP address

For example, to retrieve the IP address of the user's browser that is calling your API route, read the X-Real-IP header from the request:

export async function GET(request) {
  const ip = request.headers.get('X-Real-IP');
}

Geo headers

The request also contains several headers containing geographical information about where the request came from:

  • eas-colo contains the Cloudflare code for the data center that handled your request. For example, lhr.
  • eas-ip-continent contains the continent code of the current request:
    • AF for Africa
    • AN for Antarctica
    • AS for Asia
    • EU for Europe
    • NA for North America
    • OC for Oceania
    • SA for South America.
  • eas-ip-country contains the ISO-3166 Alpha 2 country code. This is at most two letters long. For example, US or JP.
  • eas-ip-region contains the ISO-3166-2 region code for the request. This value is a maximum of three characters long. However, it can vary based on how region codes in a specific country work for the requested origin.. It could comprise one to three digits, one to three letters, or any other combination.
  • eas-ip-city may contain a human-readable name of a city. For example London or Chicago.
  • eas-ip-latitude and eas-ip-longitude contain an approximate latitude and longitude for the request.
  • eas-ip-timezone contains a best guess of the timezone the request originated in. For example, Europe/London
  • eas-ip-eu is set to 1 when the request likely originated in the jurisdictional area of the European Union.