Edge functions can be used to manipulate the request and response headers of a request. This can be useful for adding security headers, modifying the cache behavior, or adding custom headers to requests.
Basic Header Manipulation
The
Request and Response objects in the Fetch API provide methods for accessing and modifying the request and response headers. These methods can be used to add, remove, or modify the headers either before or after the request is sent to the origin.Router Configuration
JavaScriptroutes.js
1import {Router, edgioRoutes} from '@edgio/core';23export default new Router()4 .use(edgioRoutes)56 .match('/some/path', {7 edge_function: './edge-functions/main.js',8 })
Edge Function
JavaScriptedge-functions/main.js
1export async function handleHttpRequest(request, context) {23 // Fetch the response from the origin4 const response = await fetch(new Request(request.url, request), {5 edgio: {6 origin: 'web',7 },8 });910 // Add a custom header to the response11 response.headers.set('x-custom-header', 'foo');1213 // Return the response to the client14 return response;15}
Original Client IP
The original client IP address can be retrieved from the
context object in an edge function. This can be useful for logging or security purposes, such as adding the client IP address to the request headers.Router Configuration
JavaScriptroutes.js
1import {Router, edgioRoutes} from '@edgio/core';23export default new Router()4 .use(edgioRoutes)56 .match('/some/path', {7 edge_function: './edge-functions/main.js',8 })
Edge Function
JavaScriptedge-functions/main.js
1export async function handleHttpRequest(request, context) {2 // Retrieve the client's IP address from the context object3 const clientIP = context.client.dst_addr;45 const newRequest = new Request(request.url, request);67 // Add the true-client-ip header to the incoming request8 newRequest.headers.set('true-client-ip', clientIP);910 // Continue with the modified request to the origin11 return fetch(newRequest, {12 edgio: { origin: 'web' },13 });14}
Content Security Policy
The Content Security Policy (CSP) is a security standard that can be used to mitigate the risk of cross-site scripting (XSS) attacks. It allows you to specify the domains from which various types of content can be loaded, such as scripts, stylesheets, images, and fonts. It also allows you to specify the domains from which the page can be embedded in a frame.
Router Configuration
JavaScriptroutes.js
1import {Router, edgioRoutes} from '@edgio/core';23export default new Router()4 .use(edgioRoutes)56 .match('/some/path', {7 edge_function: './edge-functions/main.js',8 })
Edge Function
JavaScriptedge-functions/main.js
1export async function handleHttpRequest(request, context) {2 // Fetch the response from the origin3 const response = await fetch(new Request(request.url, request), {4 edgio: {5 origin: 'web',6 },7 });89 // Set HTTP security headers10 response.headers.set(11 'strict-transport-security',12 'max-age=63072000; includeSubdomains; preload'13 );14 response.headers.set(15 'content-security-policy',16 "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'"17 );18 response.headers.set('x-content-type-options', 'nosniff');19 response.headers.set('x-frame-options', 'DENY');20 response.headers.set('x-xss-protection', '1; mode=block');21 response.headers.set('referrer-policy', 'same-origin');2223 // Return the response to the client24 return response;25}