---
modificationDate: October 22, 2025
title: Default responses and headers
description: Defaults that are added automatically on requests when using EAS Hosting.
---

<AgentInstructions>

## Submitting Feedback

If this page contains errors, outdated information, or gaps that blocked you from completing a task, report it so the docs can be improved:

curl -X POST https://api.expo.dev/v2/feedback/docs-send -H 'Content-Type: application/json' -d '{"url":"/eas/hosting/reference/responses-and-headers/","feedback":"🤖 Agent feedback: <specific, actionable description>"}'

Only submit when you have something specific and actionable to report.

</AgentInstructions>

# Default responses and headers

Defaults that are added automatically on requests when using EAS Hosting.

> For the complete documentation index, see [llms.txt](/llms.txt). Use this file to discover all available pages.

**EAS Hosting** applies several defaults to your deployment that are supposed to help you and reduce the amount of code you have to add yourself for simple API routes.

## Asset responses

An asset response contains additional metadata headers for browsers, mostly for caching.

A default `ETag` header is added to all asset responses to allow browsers to re-validate their caches using `if-none-match` request headers.

## CORS responses

By default, if an API route does not handle `OPTIONS` requests, EAS Hosting will automatically respond with a default CORS response.

This default is very permissible and generally allows all browsers to make requests to the API route. **If you don't want this**, handle `OPTIONS` requests in API routes yourself.

The following headers will be sent by default:

```sh
Access-Control-Allow-Origin: <origin || '*'>
Access-Control-Allow-Headers: <access-control-request-headers || '*'>
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
Vary: Origin, Access-Control-Request-Headers
```

These headers will allow any client to make a request from any origin, with any headers, with credentials, and cache the `OPTIONS` response for 3600 seconds.

More information on [preflight `OPTIONS` requests can be found in the MDN documentation](https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request).

## Strict-Transport-Security header

This header tells browsers to only access a URL with the HTTPS protocol in the future. EAS Hosting automatically adds this header if it's missing.

Its default value is set to `max-age=31536000; includeSubDomains; preload`.

For more information on why this header is a good default, improves security, and performance, [read this article on `web.dev`](https://web.dev/blog/bbc-hsts) and read more about [Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) header in the MDN documentation.

## Common headers

By default, EAS Hosting will remove and not forward any `X-Powered-By` and `X-Aspnet-Version` headers. With API routes, this header does not serve much of a purpose and we don't recommend you add alternative headers like `X-Powered-By` to your API routes as it unnecessarily exposes internal information on the code you're running.

If your API routes respond with custom `X-Frame-Options` headers, these headers will automatically be converted to `Content-Security-Policy` directives in your response.

## Crash pages

If your API route throws an unhandled JavaScript error, this is treated as a "crash" since your API route was unable to deliver an error.

EAS Hosting will respond with an error page in these cases. The error page will be rendered as an HTML response, if the `Accept: text/html` request header was sent. Otherwise, it will only respond with a plaintext response.

## Request headers

**EAS Hosting** will add the following headers to every request, before they're forwarded to your API routes. These headers generally add more information about who made the request.

| Request header | Description |
| --- | --- |
| `Forwarded` | Comma-separated list of semicolon-separated `for`, `host`, and `proto` parameters. See MDN documentation on [the HTTP `Forwarded` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded) for more information. |
| `X-Forwarded-For` | Comma-separated list of forwarder IPs for a given request |
| `X-Forwarded-Proto` | Protocol used to make the request. Typically, `https` |
| `X-Forwarded-Host` | Hostname from the incoming request |
| `X-Real-IP` | IP address from the incoming request |
| `Origin` | URL Origin from the incoming request |
| `Host` | Hostname of the forwarded request (matching `request.url`'s hostname) |
| `eas-colo` | Code of the Cloudflare data center that handled the request. For example, `lhr` |
| `eas-ip-continent` | Two letter continent code of the client. One of: `AF`, `AN`, `AS`, `EU`, `NA`, `OC`, or `SA` |
| `eas-ip-country` | Three letter country code of the client in ISO-3166 Alpha 2 format.For example, `US` or `JP` |
| `eas-ip-region` | Region code of the client in ISO-3166-2 format, which has a maximum length of three characters |
| `eas-ip-city` | Human-readable city name of the client (optional). For example, `London` or `Chicago` |
| `eas-ip-latitude` | Best guess of the client's latitude (optional) |
| `eas-ip-longitude` | Best guess of the client's longitude (optional) |
| `eas-ip-timezone` | Timezone of the client. For example, `Europe/London` |
| `eas-ip-eu` | Set to `1` when the request likely originated in the jurisdictional area of the European Union |

### Request URL and origin

EAS Hosting routes requests from several hostnames to your deployments. [Aliases](/eas/hosting/deployments-and-aliases) and [Custom domains](/eas/hosting/custom-domain) mean that there may be a difference between the **incoming** URL that clients have used to make a request, and the **target** URL that your API routes receive.

For example, while a client may make a request to an alias URL such as `https://my-app--staging.expo.app/`, the worker deployment that will receive the request will have a URL containing its deployment ID, such as `https://my-app--or1170q9ix.expo.app/`.

This difference is also present in the `Request`'s URL and headers that you receive in your API routes. While the `request.url` will be your worker deployment's URL, the `Origin` and `X-Forwarded-Host` header will be set to the incoming URL that the client used to make the request.

```js
export async function GET(request) {
  request.url; // 'https://my-app--or1170q9ix.expo.app/'
  request.headers.get('Origin'); // 'https://my-app--staging.expo.app/'
  request.headers.get('X-Forwarded-Host'); // 'my-app--staging.expo.app'
  origin; // 'https://my-app--staging.expo.app/'
}
```

### IP headers

The request contains several headers to identify the IP address of the user's device that made the request:

-   `Forwarded` contains a comma-separated list of semicolon-separated parameters. Each entry in the list represents a proxy that forwarded the request. Therefore, the first entry's `for` parameter is likely the original client's IP address.
-   `X-Forwarded-For` only contains a comma-separated list of IP addresses. Each entry in the list represents a proxy that forwarded the request as well.
-   `X-Real-IP` contains only the original request's IP address

For example, to retrieve the IP address of the user's browser that is calling your API route, read the `X-Real-IP` header from the request:

```js
export async function GET(request) {
  const ip = request.headers.get('X-Real-IP');
}
```

### Geo headers

The request also contains several headers containing geographical information about where the request came from:

-   `eas-colo` contains the Cloudflare code for the data center that handled your request. For example, `lhr`.
-   `eas-ip-continent` contains the continent code of the current request:
    -   `AF` for Africa
    -   `AN` for Antarctica
    -   `AS` for Asia
    -   `EU` for Europe
    -   `NA` for North America
    -   `OC` for Oceania
    -   `SA` for South America.
-   `eas-ip-country` contains the ISO-3166 Alpha 2 country code. This is at most two letters long. For example, `US` or `JP`.
-   `eas-ip-region` contains the ISO-3166-2 region code for the request. This value is a maximum of three characters long. However, it can vary based on how region codes in a specific country work for the requested origin.. It could comprise one to three digits, one to three letters, or any other combination.
-   `eas-ip-city` may contain a human-readable name of a city. For example `London` or `Chicago`.
-   `eas-ip-latitude` and `eas-ip-longitude` contain an approximate latitude and longitude for the request.
-   `eas-ip-timezone` contains a best guess of the timezone the request originated in. For example, `Europe/London`
-   `eas-ip-eu` is set to `1` when the request likely originated in the jurisdictional area of the European Union.