H3 logoH3

Proxy

H3 proxy utilities.

fetchWithEvent(event, url, init?)

Make a fetch request with the event's context and headers.

If the url starts with /, the request is dispatched internally via event.app.fetch() (sub-request) and never leaves the process.

Security: Never pass unsanitized user input as the url. Callers are responsible for validating and restricting the URL.

getProxyRequestHeaders(event)

Get the request headers object without headers known to cause issues when proxying.

proxy(event, target, opts)

Make a proxy request to a target URL and send the response back to the client.

If the target starts with /, the request is dispatched internally via event.app.fetch() (sub-request) and never leaves the process. This bypasses any external security layer (reverse proxy auth, IP allowlisting, mTLS).

Security: Never pass unsanitized user input as the target. Callers are responsible for validating and restricting the target URL (e.g. allowlisting hosts, blocking internal paths, enforcing protocol).

proxyRequest(event, target, opts)

Proxy the incoming request to a target URL.

If the target starts with /, the request is handled internally by the app router via event.app.fetch() instead of making an external HTTP request.

Security: Never pass unsanitized user input as the target. Callers are responsible for validating and restricting the target URL (e.g. allowlisting hosts, blocking internal paths, enforcing protocol). Consider using bodyLimit() middleware to prevent large request bodies from consuming excessive resources when proxying untrusted input.

Security

H3 security utilities.

MCP

H3 MCP related utils.