[Experimental Advanced Routing]: Unexpected behavior with X-Forwarded-* headers

[Eptagone]

Astro Info

Astro                    v6.3.5
Node                     v22.22.0
System                   Linux (x64)
Package Manager          unknown
Output                   server
Adapter                  @astrojs/node
Integrations             none

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

When using advanced routing to override X-Forwarded-* headers, the Astro.url doesn't change at all:

If X-Forwarded-Host and X-Forwarded-Proto are sent to the request, the first one is ignored and the second one is applied to the request.url before the fetch function is called in app.ts.

HTTP GET > localhost:4321 headers { X-Forwarded-Host: example.com, X-Forwarded-Proto: https }

import type { Fetchable } from 'astro';
import { FetchState, astro } from 'astro/fetch';

export default {
  async fetch(request: Request): Promise<Response> {
    console.log('Request URL:', request.url); // https://localhost:4321
    const state = new FetchState(request);
    return await astro(state);
  },
} satisfies Fetchable;

If X-Forwarded-Host and/or X-Forwarded-Proto are added/set in the fetch function in app.ts before calling astro handler, both are ignored and Astro.url still has the request url.

HTTP GET > localhost:4321

import type { Fetchable } from 'astro';
import { FetchState, astro } from 'astro/fetch';

export default {
  async fetch(request: Request): Promise<Response> {
    console.log('Request URL:', request.url); // http://localhost:4321
    request.headers.set('X-Forwarded-Host', 'example.com');
    request.headers.set('X-Forwarded-Proto', 'https');

    const state = new FetchState(request);
    return await astro(state); // Expected to have `https://example.com` in Astro.url but it has `http://localhost:4321`
  },
} satisfies Fetchable;

What's the expected result?

Apply both X-Forwarded-Host and X-Forwarded-Proto in astro handler after request modifications.

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-s1eavjp1?file=src%2Fapp.ts

Participation

• I am willing to submit a pull request for this issue.

[Prayaksh]

FetchState currently derives Astro.url directly from new URL(request.url):

const url = new URL(request.url);
this.url = normalizeUrl(url);

Since request.url is immutable, mutations to X-Forwarded-* headers inside advanced routing (app.ts) cannot affect Astro.url.

There’s already forwarded-header-aware URL/domain handling elsewhere in the runtime (e.g. computePathnameFromDomain()), so this looks like an inconsistency in how the effective request URL is derived.

[Prayaksh]

This may be better solved by centralizing canonical request URL derivation behind a shared helper rather than using new URL(request.url) directly across runtime paths.

For example:

getEffectiveRequestURL(request: Request): URL

could derive the runtime URL from:

• request.url
• X-Forwarded-Proto
• X-Forwarded-Host / Host

while preserving pathname/search semantics.

FetchState could then use this effective URL instead of snapshotting the immutable request.url directly. That would also align Astro.url behavior with existing forwarded-header-aware logic already present elsewhere in the runtime (e.g. computePathnameFromDomain()).

If this direction looks right, I can open a PR for a minimal fix around a shared URL helper and its use in FetchState.

[ematipico]

@Eptagone that's not how you're supposed to change the headers though. In your case, you want a middleware that is called first hand.

The first thing that you always want to do is to create the FetchState, and then create fetch functions that act over the state.

[matthewp]

Thanks @Eptagone I think I agree that it should derive from whatever request is handed to it. Likely we do the X-Forwarded dance earlier, which means we're making routing decisions before you have a chance to intervene. Not good! Will look into moving this to where FetchState derives the URL correctly.