Default responses and headers

Defaults that are automatically added to requests when using EAS Hosting.

EAS Hosting applies some defaults to your deployments. These are meant to help you and to reduce the amount of code you need to add yourself for simple API routes.

Asset responses

An asset response contains additional metadata headers for browsers, mostly for caching.

A default ETag header is added to all asset responses so that browsers can re-validate their caches using if-none-match request headers.

CORS responses

By default, if an API route does not handle OPTIONS requests, EAS Hosting automatically responds with a default CORS response.

This default is very permissive and generally allows all browsers to make requests to the API route. If you don't want this, handle OPTIONS requests in your API routes yourself.

The following headers are sent by default:

```
Access-Control-Allow-Origin: <origin || '*'>
Access-Control-Allow-Headers: <access-control-request-headers || '*'>
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
Vary: Origin, Access-Control-Request-Headers
```

These headers allow any client to make a request from any origin, with any headers, with credentials, and to cache the OPTIONS response for 3600 seconds.

More information on preflight OPTIONS requests can be found in the MDN documentation.
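As an added example that is not part of the EAS Hosting docs, this is what handling OPTIONS yourself can look like when you want an explicit origin allow-list instead of the permissive default above. The allow-listed hostnames, the allowed methods and headers, and the max-age value are constructed placeholders; the functions are meant to be exported as OPTIONS and GET from an API route file.

```javascript
// Added example (not EAS Hosting's own code). Origins below are placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://my-app--staging.expo.app',
  'https://app.example.com',
]);
const ALLOWED_METHODS = 'GET, POST';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Returns CORS response headers for an allow-listed Origin, or null for any other.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the exact origin, never '*'
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
    // Credentials are only safe to allow together with an explicit origin allow-list.
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Max-Age': '600',
    Vary: 'Origin',
  };
}

// Preflight handler. Exporting this as OPTIONS from the route file means the
// hosting default shown above is no longer used for this route.
function OPTIONS(request) {
  const headers = corsHeadersFor(request.headers.get('Origin'));
  // Unknown origins get no CORS headers at all, so the browser blocks the call.
  if (!headers) return new Response(null, { status: 403 });
  return new Response(null, { status: 204, headers });
}

// The real handler must repeat the same headers on its own response.
function GET(request) {
  // No Origin header means a same-origin or non-browser client: no CORS headers needed.
  const cors = corsHeadersFor(request.headers.get('Origin')) || {};
  return new Response(JSON.stringify({ ok: true }), {
    status: 200,
    headers: { ...cors, 'Content-Type': 'application/json' },
  });
}
```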

Strict-Transport-Security header

This header tells browsers to only access the URL over the HTTPS protocol in the future. EAS Hosting automatically adds this header if it's missing.

Its default value is set to max-age=31536000; includeSubDomains; preload.

For more information on why this header is a good default and how it improves security and performance, read the article on web.dev, and read more about the Strict-Transport-Security header in the MDN documentation.

Common headers

By default, EAS Hosting removes and does not forward any X-Powered-By and X-Aspnet-Version headers. With API routes, these headers serve little purpose, and we don't recommend adding alternative headers like X-Powered-By to your API routes, as they unnecessarily expose internal information about the code you're running.

If your API routes respond with custom X-Frame-Options headers, these headers are automatically converted to Content-Security-Policy directives in your response.

Crash pages

If your API route throws an unhandled JavaScript error, this is treated as a "crash", since your API route was unable to deliver an error response.

In these cases, EAS Hosting responds with an error page. The error page is rendered as an HTML response if the Accept: text/html request header was sent. Otherwise, it responds with plain text only.

Request headers

EAS Hosting adds the following headers to every request before it is forwarded to your API route. These headers generally provide more information about who made the request.

| Request header | Description |
| --- | --- |
| Forwarded | Comma-separated list of semicolon-separated for, host, and proto parameters. See the MDN documentation on the HTTP Forwarded header for more information. |
| X-Forwarded-For | Comma-separated list of forwarder IPs for a given request |
| X-Forwarded-Proto | Protocol used to make the request. Typically, https |
| X-Forwarded-Host | Hostname from the incoming request |
| X-Real-IP | IP address from the incoming request |
| Origin | URL origin from the incoming request |
| Host | Hostname of the forwarded request (matching request.url's hostname) |
| eas-colo | Code of the Cloudflare data center that handled the request. For example, lhr |
| eas-ip-continent | Two-letter continent code of the client. One of: AF, AN, AS, EU, NA, OC, or SA |
| eas-ip-country | Two-letter country code of the client in ISO-3166 Alpha 2 format. For example, US or JP |
| eas-ip-region | Region code of the client in ISO-3166-2 format, which has a maximum length of three characters |
| eas-ip-city | Human-readable city name of the client (optional). For example, London or Chicago |
| eas-ip-latitude | Best guess of the client's latitude (optional) |
| eas-ip-longitude | Best guess of the client's longitude (optional) |
| eas-ip-timezone | Timezone of the client. For example, Europe/London |
| eas-ip-eu | Set to 1 when the request likely originated in the jurisdictional area of the European Union |

Request URL and origin

EAS Hosting routes requests from several hostnames to your deployments. Aliases and custom domains mean that the incoming URL that a client used to make a request may differ from the target URL that your API route receives.

For example, while a client may make a request to an alias URL such as https://my-app--staging.expo.app/, the worker deployment that receives the request has a URL containing its deployment ID, such as https://my-app--or1170q9ix.expo.app/.

This difference is also present in the URL and headers of the Request you receive in your API routes. While request.url is your worker deployment's URL, the Origin and X-Forwarded-Host headers are set to the incoming URL that the client used to make the request.

```js
export async function GET(request) {
  request.url; // 'https://my-app--or1170q9ix.expo.app/'
  request.headers.get('Origin'); // 'https://my-app--staging.expo.app/'
  request.headers.get('X-Forwarded-Host'); // 'my-app--staging.expo.app'
  origin; // 'https://my-app--staging.expo.app/'
}
```

IP headers

The request contains several headers that identify the IP address of the user's device that made the request:

  • Forwarded contains a comma-separated list of semicolon-separated parameters. Each item in the list represents a proxy that forwarded the request. The for parameter of the first item is therefore most likely the original client's IP address.
  • X-Forwarded-For contains only a comma-separated list of IP addresses. Each item in the list represents a proxy that forwarded the request.
  • X-Real-IP contains only the IP address of the original request.

For example, to retrieve the IP address of the user's browser that is calling your API route, read the X-Real-IP header from the request:

```js
export async function GET(request) {
  const ip = request.headers.get('X-Real-IP');
}
```

Geo headers

The request also contains several headers with geographical information about where the request came from:

  • eas-colo contains the Cloudflare code of the data center that handled your request. For example, lhr
  • eas-ip-continent contains the continent code of the current request:
    • AF for Africa
    • AN for Antarctica
    • AS for Asia
    • EU for Europe
    • NA for North America
    • OC for Oceania
    • SA for South America
  • eas-ip-country contains the ISO-3166 Alpha 2 country code. It is at most two letters long. For example, US or JP
  • eas-ip-region contains the ISO-3166-2 region code of the request. The value is at most three characters long. However, the length may vary depending on the region code rules of the specific country. It may consist of one to three digits, one to three letters, or any other combination.
  • eas-ip-city may contain a human-readable city name. For example, London or Chicago
  • eas-ip-latitude and eas-ip-longitude contain the approximate latitude and longitude of the request.
  • eas-ip-timezone contains a best guess of the timezone the request came from. For example, Europe/London
  • eas-ip-eu is set to 1 when the request most likely originated in the jurisdictional area of the European Union.
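As an added example covering both the IP headers and the geo headers sections (not code from the EAS Hosting docs), this parses the Forwarded header the way the lists above describe it, cross-checks its first hop against X-Real-IP and X-Forwarded-For, and collects the eas-* geo values into one record. The header names are the ones documented on this page; the sample request and its values are constructed.

```javascript
// Added example (not EAS Hosting's own code). Header names come from this page;
// the sample request at the bottom is constructed.

// Parse an RFC 7239 Forwarded header into one object per hop, for example
// 'for=203.0.113.7;proto=https, for=198.51.100.9' -> [{ for, proto }, { for }].
function parseForwarded(value) {
  if (!value) return [];
  return value.split(',').map((hop) => {
    const params = {};
    for (const pair of hop.split(';')) {
      const idx = pair.indexOf('=');
      if (idx < 0) continue;
      // Quoted values (IPv6 with port, e.g. "[2001:db8::1]:443") lose their quotes.
      params[pair.slice(0, idx).trim().toLowerCase()] = pair.slice(idx + 1).trim().replace(/^"(.*)"$/, '$1');
    }
    return params;
  });
}

// Client IP and geo data; X-Real-IP is the address to rely on.
function clientInfo(request) {
  const h = request.headers;
  const realIp = h.get('X-Real-IP');
  const xff = (h.get('X-Forwarded-For') || '').split(',').map((s) => s.trim()).filter(Boolean);
  const firstHop = parseForwarded(h.get('Forwarded'))[0]?.for ?? xff[0] ?? realIp;
  return {
    ip: realIp,
    // If the first Forwarded / X-Forwarded-For entry differs from X-Real-IP, the
    // leading entries came from the client or an upstream proxy, not from EAS Hosting.
    forwardedConsistent: firstHop === realIp,
    colo: h.get('eas-colo'),
    country: h.get('eas-ip-country'),
    timezone: h.get('eas-ip-timezone'),
    inEu: h.get('eas-ip-eu') === '1',
  };
}

// Constructed sample request, shaped like what an API route receives.
const SAMPLE_REQUEST = new Request('https://my-app--or1170q9ix.expo.app/api/whoami', {
  headers: {
    Forwarded: 'for=203.0.113.7;proto=https;host=my-app--staging.expo.app',
    'X-Forwarded-For': '203.0.113.7',
    'X-Real-IP': '203.0.113.7',
    'eas-colo': 'lhr',
    'eas-ip-country': 'GB',
    'eas-ip-timezone': 'Europe/London',
    'eas-ip-eu': '0',
  },
});
```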