Difference between revisions for Users / Eo Ny / dev
##
=== Overview ===
The
Http class src/class/http.php) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.
File Location:
src/class/http.php
Language: PHP Dependencies: Database class, Session classes, Utility classes
Ut), Diagnostics class ##
Diag)
=== Class Properties
Public Properties
Private Properties
=== Constructor <!--markup:1:begin-->
`php<!--markup:1:end--> <!--markup:2:begin-->=== %%(hl php)<!--markup:2:end--> public function __construct(&$db) %% **Purpose:** Initializes the Http object and sets up HTTP session handling. **Parameters:** - <!--markup:1:begin-->`$db`<!--markup:1:end--> <!--markup:2:begin-->##$db##<!--markup:2:end--> - Database object reference **Initialization Steps:** 1. Stores database reference 2. Extracts and normalizes REQUEST_URI 3. Detects TLS/HTTPS session status 4. Determines client's real IP address 5. Sets up TLS mark cookie name 6. Enforces TLS session upgrade if needed **Example:** <!--markup:1:begin-->
<!--markup:2:end-->
$http = new Http($db);
Session Management
session($route): void
Initializes the session handler (file-based or database-based).Parameters:
-
`$route`$route(int) - Routing flag: - Bit 2
(`$route(##$route &2`):2##): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
Features:
- Selects storage backend (file or database)
- Configures cookie settings (security, path, httponly)
- Binds IP and TLS validation
- Recovers diagnostic logs from previous session
Example:
`php<!--markup:1:end-->** <!--markup:2:begin-->%%(hl php)<!--markup:2:end--> $http->session(); // Normal session $http->session(2); // Static file serving mode <!--markup:1:begin-->
###
---- ====<!--markup:2:end--> Caching System <!--markup:1:begin-->#### `check_cache($page,<!--markup:1:end--> <!--markup:2:begin-->==== ===== ##check_cache($page,<!--markup:2:end--> $method): <!--markup:1:begin-->void`<!--markup:1:end--> <!--markup:2:begin-->void## =====<!--markup:2:end--> Determines if a page can be cached and prepares the cache check. **Parameters:** - ##$page## (string) - Page name to cache - <!--markup:1:begin-->`$method`<!--markup:1:end--> <!--markup:2:begin-->##$method##<!--markup:2:end--> (string) - Request method/action (e.g., 'show', 'edit') **Caching Rules:** - ✅ Enabled for GET requests only - ✅ Disabled for POST requests - ❌ Never cached for 'edit' or 'watch' methods - ✅ Only cached for anonymous users (no logged-in users) **Example:** <!--markup:1:begin-->```php<!--markup:1:end-->** <!--markup:2:begin-->
---- =====##store_cache(): void##===== Saves the generated page content to cache file. **Features:** - Retrieves output buffer content - Saves to cache file with proper permissions - Records cache metadata in database - Only executes if caching flag is set and user is anonymous **Example:**
// Called at end of page rendering
$http->store_cache();
` --- #### `invalidate_page($page): int`<!--markup:1:end--> <!--markup:2:begin-->%% ---- ===== ##invalidate_page($page): int## =====<!--markup:2:end--> Invalidates all cached versions of a page. **Parameters:** - <!--markup:1:begin-->`$page`<!--markup:1:end--> <!--markup:2:begin-->##$page##<!--markup:2:end--> (string) - Page name to invalidate **Returns:** - Number of cache entries invalidated **Process:** 1. Finds all cached versions (different methods/languages) 2. Touches files to past timestamp (faster than deletion) 3. Removes entries from cache metadata table 4. Returns count of invalidated caches **Example:** <!--markup:1:begin-->
<!--markup:2:end-->
$count = $http->invalidate_page('HomePage');
echo "Invalidated $count cache entries";
<!--markup:1:begin-->```
---
###<!--markup:1:end-->
<!--markup:2:begin-->
TLS/HTTPS Security ====
secure_base_url(): void
Switches base URL from HTTP to HTTPS.Purpose:
- Ensures all subsequent URLs use HTTPS
- Stores original HTTP URL for fallback
- Called when TLS session is detected
Example:
`php<!--markup:1:end-->** <!--markup:2:begin-->%%(hl php)<!--markup:2:end--> $http->secure_base_url(); // $db->base_url now uses https:// <!--markup:1:begin-->
`ensure_tls($url): void`---- ===== ##ensure_tls($url): void## =====<!--markup:2:end--> Enforces HTTPS for a specific URL and redirects if necessary. **Parameters:** - ##$url## (string) - URL to secure **Behavior:** - If not already HTTPS and TLS is enabled, forces HTTPS redirect - Handles both relative and absolute URLs - Converts relative URLs using current server name **Example:**
---- ==== IP Address Detection ==== ===== ##real_ip(): string## (Private) ===== Detects client's real IP address accounting for proxies. **Proxy Headers Checked (in order):** 1. ##HTTP_X_CLUSTER_CLIENT_IP## 2. ##HTTP_X_FORWARDED_FOR## (or custom header) 3. <!--markup:1:begin-->`HTTP_CLIENT_IP`<!--markup:1:end--> <!--markup:2:begin-->##HTTP_CLIENT_IP##<!--markup:2:end--> 4. <!--markup:1:begin-->`HTTP_X_REMOTE_ADDR`<!--markup:1:end--> <!--markup:2:begin-->##HTTP_X_REMOTE_ADDR##<!--markup:2:end--> 5. <!--markup:1:begin-->`REMOTE_ADDR`<!--markup:1:end--> <!--markup:2:begin-->##REMOTE_ADDR##<!--markup:2:end--> (fallback) **Features:** - Filters out private/reserved IP ranges - Respects configured reverse proxy addresses - Returns <!--markup:1:begin-->`'...'`<!--markup:1:end--> <!--markup:2:begin-->##'...'##<!--markup:2:end--> as fallback **Configuration in Database:** - <!--markup:1:begin-->`reverse_proxy_addresses`<!--markup:1:end--> <!--markup:2:begin-->##reverse_proxy_addresses##<!--markup:2:end--> - Comma/space-separated proxy IPs - <!--markup:1:begin-->`reverse_proxy_header`<!--markup:1:end--> <!--markup:2:begin-->##reverse_proxy_header##<!--markup:2:end--> - Custom header name (default: <!--markup:1:begin-->`X-Forwarded-For`)<!--markup:1:end--> <!--markup:2:begin-->##X-Forwarded-For##)<!--markup:2:end--> **Example:** <!--markup:1:begin-->```php<!--markup:1:end-->** <!--markup:2:begin-->
$client_ip = $http->ip; // e.g., "23..113.42"
`
---
###<!--markup:1:end-->
<!--markup:2:begin-->%%
----
====<!--markup:2:end--> HTTPS Detection
<!--markup:1:begin-->#### `tls_session(): bool`<!--markup:1:end--> <!--markup:2:begin-->====
===== ##tls_session(): bool##<!--markup:2:end--> (Private) <!--markup:2:begin-->=====<!--markup:2:end-->
Detects if current connection uses HTTPS/TLS.
**Checks (any being true = HTTPS):**
- ##$_SERVER['HTTPS']## is 'on'
- ##$_SERVER['SERVER_PORT']## is 443
- <!--markup:1:begin-->`$_SERVER['HTTP_X_FORWARDED_PROTO']`<!--markup:1:end--> <!--markup:2:begin-->##$_SERVER['HTTP_X_FORWARDED_PROTO']##<!--markup:2:end--> is 'https'
- <!--markup:1:begin-->`$_SERVER['HTTP_X_FORWARDED_SSL']`<!--markup:1:end--> <!--markup:2:begin-->##$_SERVER['HTTP_X_FORWARDED_SSL']##<!--markup:2:end--> is 'on'
- ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443
----
==== Security Headers ====
=====##http_security_headers(): void##=====
Sets security-related HTTP headers.
**Headers Set:**
<!--markup:2:begin-->#|<!--markup:2:end-->
*| Header | Purpose | Config Key |
<!--markup:1:begin-->|--------|---------|------------|
|<!--markup:1:end-->*
<!--markup:2:begin-->||<!--markup:2:end--> Content-Security-Policy | XSS/injection protection | <!--markup:1:begin-->`csp` |
|<!--markup:1:end--> <!--markup:2:begin-->##csp## ||
||<!--markup:2:end--> Permissions-Policy | Control browser features | ##permissions_policy## ||
|| Referrer-Policy | Control referrer information | ##referrer_policy## ||
|| Strict-Transport-Security | Force HTTPS | Auto (TLS only) ||
|| X-Frame-Options | Clickjacking protection | Hardcoded: ##SAMEORIGIN## ||
|| X-Content-Type-Options | MIME sniffing prevention | Hardcoded: ##nosniff## ||
|#
**CSP Configuration Options:**
- #### - Disabled
- ##1## - Default policy (from <!--markup:1:begin-->`csp.conf`)<!--markup:1:end--> <!--markup:2:begin-->##csp.conf##)<!--markup:2:end-->
- <!--markup:1:begin-->`2`<!--markup:1:end--> <!--markup:2:begin-->##2##<!--markup:2:end--> - Custom policy (from ##csp_custom.conf##)
**Example:**
%%(hl php)
$http->http_security_headers();
%%
----
==== HTTP Methods ====
===== ##redirect($url, $permanent = false): <!--markup:1:begin-->void`<!--markup:1:end--> <!--markup:2:begin-->void## =====<!--markup:2:end-->
Performs an HTTP redirect.
**Parameters:**
- <!--markup:1:begin-->`$url`<!--markup:1:end--> <!--markup:2:begin-->##$url##<!--markup:2:end--> (string) - Target URL
- <!--markup:1:begin-->`$permanent`<!--markup:1:end--> <!--markup:2:begin-->##$permanent##<!--markup:2:end--> (bool) - Use 31 (permanent) vs 32 (temporary)
**Features:**
- Decodes <!--markup:1:begin-->`&`<!--markup:1:end--> <!--markup:2:begin-->##&##<!--markup:2:end--> entities to prevent broken redirects
- Only works if headers not yet sent
- Uses output buffering to work anywhere in page processing
**Example:**
%%(hl php)
$http->redirect('http://example.com/new-page', true); // 31
$http->redirect('/wiki/HomePage'); // 32
%%
----
===== ##terminate(): void## =====
Safe exit/die with cleanup.
**Cleanup Operations:**
- Saves diagnostic logs to session flash data
- Ends script execution
**Example:**
%%(hl php)
$http->terminate();
%%
----
===== ##status($code): void## =====
Sets HTTP response status code.
**Supported Status Codes:**
%%(hl php)
2 => 'OK'
26 => 'Partial Content'
31 => 'Moved Permanently'
32 => 'Moved Temporarily'
34 => 'Not Modified'
4 => 'Bad Request'
41 => 'Unauthorized'
43 => 'Forbidden'
44 => 'Not Found'
45 => 'Method Not Allowed'
49 => 'Conflict'
41 => 'Gone'
416 => 'Requested Range Not Satisfiable'
5 => 'Internal Server Error'
51 => 'Not Implemented'
53 => 'Service Unavailable'
%%
**Example:**
%%(hl php)
$http->status(44); // Send 44 Not Found
%%
----
==== Caching Control ====
===== ##no_cache($client_only = true): void## =====
Disables caching of the current page.
**Parameters:**
- ##$client_only## (bool, default: TRUE)
- ##TRUE##: Disable browser cache only
- <!--markup:1:begin-->`FALSE`:<!--markup:1:end--> <!--markup:2:begin-->##FALSE##:<!--markup:2:end--> Disable both browser and server cache
**Headers Set:**
- <!--markup:1:begin-->`Last-Modified: <current-time>`<!--markup:1:end--> <!--markup:2:begin-->##Last-Modified: <current-time>##<!--markup:2:end--> (always fresh)
- <!--markup:1:begin-->`Cache-Control: no-store`<!--markup:1:end--> <!--markup:2:begin-->##Cache-Control: no-store##<!--markup:2:end-->
**Example:**
<!--markup:1:begin-->
<!--markup:2:end-->
$http->no_cache(); // Client-side only
$http->no_cache(false); // Both client & server
<!--markup:1:begin-->```
---
#### `cache_promisc(): void`<!--markup:1:end-->
<!--markup:2:begin-->
cache_promisc(): void
Marks page as publicly cacheable.Headers Set:
-
Cache-Control: public
Example:
`php<!--markup:1:end-->** <!--markup:2:begin-->%%(hl php)<!--markup:2:end--> $http->cache_promisc(); %% ---- ==== Language Negotiation ==== ===== ##user_agent_language(): string## ===== Determines best language based on browser preferences. **Features:** - Follows RFC 911 section 12.5.4 (HTTP Accept-Language) - Parses <!--markup:1:begin-->`Accept-Language`<!--markup:1:end--> <!--markup:2:begin-->##Accept-Language##<!--markup:2:end--> header with quality factors - Attempts exact match first, then language fallback - Falls back to default system language **Example Header:** %% Accept-Language: en-US,en;q=.9,de;q=.8 <!--markup:1:begin-->
<!--markup:2:end--> **Returns:** - Language code (e.g., 'en', 'en-US', 'de') ---- ===== ##available_languages($subset = true): <!--markup:1:begin-->array`<!--markup:1:end--> <!--markup:2:begin-->array## =====<!--markup:2:end--> Returns list of available language translations. **Parameters:** - <!--markup:1:begin-->`$subset`<!--markup:1:end--> <!--markup:2:begin-->##$subset##<!--markup:2:end--> (bool, default: TRUE) - <!--markup:1:begin-->`TRUE`:<!--markup:1:end--> <!--markup:2:begin-->##TRUE##:<!--markup:2:end--> Only allowed languages - <!--markup:1:begin-->`FALSE`:<!--markup:1:end--> <!--markup:2:begin-->##FALSE##:<!--markup:2:end--> All available languages **Features:** - Scans ##LANG_DIR## for language files - Filters by <!--markup:1:begin-->`allowed_languages`<!--markup:1:end--> <!--markup:2:begin-->##allowed_languages##<!--markup:2:end--> config if set - Caches result in session - System language always included **Returns:** - Associative array: <!--markup:1:begin-->`['en'<!--markup:1:end--> <!--markup:2:begin-->##['en'<!--markup:2:end--> => 'en', 'de' => 'de', <!--markup:1:begin-->...]`<!--markup:1:end--> <!--markup:2:begin-->...]##<!--markup:2:end--> **Example:** <!--markup:1:begin-->```php<!--markup:1:end-->** <!--markup:2:begin-->
$allowed = $http->available_languages(true);
` --- ###<!--markup:1:end--> <!--markup:2:begin-->%% ---- ====<!--markup:2:end--> File Serving <!--markup:1:begin-->#### `sendfile($path,<!--markup:1:end--> <!--markup:2:begin-->==== ===== ##sendfile($path,<!--markup:2:end--> $filename = null, $age = null): void## ===== Serves files with proper HTTP headers and caching. **Parameters:** - <!--markup:1:begin-->`$path`<!--markup:1:end--> <!--markup:2:begin-->##$path##<!--markup:2:end--> (string) - File path (or HTTP_XXX constant for error pages) - <!--markup:1:begin-->`$filename`<!--markup:1:end--> <!--markup:2:begin-->##$filename##<!--markup:2:end--> (string, optional) - Custom download filename - <!--markup:1:begin-->`$age`<!--markup:1:end--> <!--markup:2:begin-->##$age##<!--markup:2:end--> (int, optional) - Cache age in days **Features:** - HTTP range request support (partial file downloads) - ETag and Last-Modified conditional requests - Proper MIME type detection - Content-Security-Policy for special file types - Streaming for large files - GZip compression for text files **Special Paths:** <!--markup:1:begin-->
<!--markup:2:end-->
$http->sendfile(44); // Serves file defined by HTTP_44 constant
$http->sendfile(43); // Serves file defined by HTTP_43 constant
<!--markup:1:begin-->```<!--markup:1:end-->
<!--markup:2:begin-->
Example:
$http->sendfile('uploads/document.pdf', 'my-document.pdf', 3);
mime_type($path): string
Returns MIME type for a file.Returns:
- MIME type string (e.g., 'application/pdf')
- Default:
'application/octet-stream'
Example:
`php<!--markup:1:end-->**
<!--markup:2:begin-->%%(hl php)<!--markup:2:end-->
$mime = $http->mime_type('file.pdf'); // 'application/pdf'
<!--markup:1:begin-->
`mime_types(): array`---- ===== ##mime_types(): array##<!--markup:2:end--> (Private) <!--markup:2:begin-->=====<!--markup:2:end--> Loads and caches MIME types from configuration. **Features:** - Reads from ##config/mime.types## - Caches to ##cache/config/mime.types## - Reloads if config is updated ---- ==== Compression <!--markup:1:begin-->#### `gzip(): void`<!--markup:1:end--> <!--markup:2:begin-->==== ===== ##gzip(): void## =====<!--markup:2:end--> Compresses HTTP response with gzip/x-gzip. **Features:** - Manually implements gzip (not relying on zlib.output_compression) - Produces correct <!--markup:1:begin-->`Content-Length`<!--markup:1:end--> <!--markup:2:begin-->##Content-Length##<!--markup:2:end--> header - Only compresses if: - 86 bytes < content < 1 MB - Client accepts compression - Headers not already sent **Example:**
---- ==== Utility Methods <!--markup:1:begin-->#### `parse_str($str): array`<!--markup:1:end--> <!--markup:2:begin-->==== ===== ##parse_str($str): array##<!--markup:2:end--> (Private) ===== Parses URL-encoded strings with special character handling. **Purpose:** - Safely handles special characters in query/form data - Converts encoding properly **Example:**
$data = $http->parse_str('name=John&age=3');
---- ===== ##request_uri(): string## (Private) ===== Extracts and normalizes REQUEST_URI from server. **Normalization:** - Removes base URL prefix - Removes spaces - Collapses multiple slashes - Removes <!--markup:1:begin-->`..`<!--markup:1:end--> <!--markup:2:begin-->##..##<!--markup:2:end--> path traversal attempts - Removes leading/trailing slashes <!--markup:1:begin-->--- #### `cut_prefix($prefix,<!--markup:1:end--> <!--markup:2:begin-->---- ===== ##cut_prefix($prefix,<!--markup:2:end--> $path): <!--markup:1:begin-->string`<!--markup:1:end--> <!--markup:2:begin-->string##<!--markup:2:end--> (Private) <!--markup:2:begin-->=====<!--markup:2:end--> Removes prefix from path (case-insensitive). ---- ===== ##get_header_conf($file_name): string## (Private) ===== Loads security header configuration from files. **Files Supported:** - ##csp.conf## / ##csp_custom.conf## - ##permissions_policy.conf## / ##permissions_policy_custom.conf## ---- ===Configuration Dependencies=== The class relies on these database configuration settings: <!--markup:2:begin-->#|<!--markup:2:end--> *| Setting | Type | Purpose |* || ##base_url## | string | Wiki's base URL <!--markup:1:begin-->| | `tls`<!--markup:1:end--> <!--markup:2:begin-->|| || ##tls##<!--markup:2:end--> | bool | Enable HTTPS enforcement || || ##cache## | bool | Enable page caching <!--markup:1:begin-->| | `cache_ttl`<!--markup:1:end--> <!--markup:2:begin-->|| || ##cache_ttl##<!--markup:2:end--> | int | Cache lifetime in seconds <!--markup:1:begin-->| | `session_store`<!--markup:1:end--> <!--markup:2:begin-->|| || ##session_store##<!--markup:2:end--> | int | 1=File, =Database || || ##system_seed_hash## | string | Session encryption seed <!--markup:1:begin-->| | `cookie_prefix`<!--markup:1:end--> <!--markup:2:begin-->|| || ##cookie_prefix##<!--markup:2:end--> | string | Session cookie prefix || || ##cookie_path## | string | Cookie path || || ##allow_persistent_cookie## | bool | Allow persistent login || || ##session_length## | int | Session lifetime in seconds || || ##reverse_proxy_addresses## | string | Comma/space-separated proxy IPs <!--markup:1:begin-->| | `reverse_proxy_header`<!--markup:1:end--> <!--markup:2:begin-->|| || ##reverse_proxy_header##<!--markup:2:end--> | string | Custom X-Forwarded header || || ##language## | string | Default language code || || ##multilanguage## | bool | Enable language negotiation <!--markup:1:begin-->| | `allowed_languages`<!--markup:1:end--> <!--markup:2:begin-->|| || ##allowed_languages##<!--markup:2:end--> | string | Comma/space-separated allowed langs || || ##enable_security_headers## | bool | Send security headers <!--markup:1:begin-->| | `csp`<!--markup:1:end--> <!--markup:2:begin-->|| || ##csp##<!--markup:2:end--> | int | CSP setting (/1/2) || || ##permissions_policy## | int | Permissions-Policy setting (/1/2) <!--markup:1:begin-->| | `referrer_policy`<!--markup:1:end--> <!--markup:2:begin-->|| || ##referrer_policy##<!--markup:2:end--> | int | Referrer-Policy setting (-8) || |# ---- ===Constants Used=== #| *| Constant | Type | Purpose |* || ##IN_WACKO## | bool | Security check (exit if not defined) || || ##CHMOD_SAFE## | int | File permissions for cache files <!--markup:1:begin-->| | `CHMOD_FILE`<!--markup:1:end--> <!--markup:2:begin-->|| || ##CHMOD_FILE##<!--markup:2:end--> | int | File permissions for config cache || || ##CACHE_PAGE_DIR## | string | Page cache directory <!--markup:1:begin-->| | `CACHE_SESSION_DIR`<!--markup:1:end--> <!--markup:2:begin-->|| || ##CACHE_SESSION_DIR##<!--markup:2:end--> | string | Session cache directory || || ##CACHE_CONFIG_DIR## | string | Config cache directory <!--markup:1:begin-->| | `CONFIG_DIR`<!--markup:1:end--> <!--markup:2:begin-->|| || ##CONFIG_DIR##<!--markup:2:end--> | string | Configuration directory <!--markup:1:begin-->| | `LANG_DIR`<!--markup:1:end--> <!--markup:2:begin-->|| || ##LANG_DIR##<!--markup:2:end--> | string | Language files directory <!--markup:1:begin-->| | `DAYSECS`<!--markup:1:end--> <!--markup:2:begin-->|| || ##DAYSECS##<!--markup:2:end--> | int | Seconds in a day (864) || || ##HTTP_44## | string | Path to 44 error page || || ##HTTP_43## | string | Path to 43 error page <!--markup:1:begin-->| --- ##<!--markup:1:end--> <!--markup:2:begin-->|| |# ---- ===<!--markup:2:end--> Workflow Examples === ====Example 1: Handling a GET <!--markup:1:begin-->Request ```php<!--markup:1:end--> <!--markup:2:begin-->Request====
// In main wiki entry point
$http = new Http($db);
$http->session(); // Start session
// Check if page can be served from cache
$http->check_cache('HomePage', 'show');
// ... render page content ...
// Store rendered page in cache if applicable
$http->store_cache();
// Send security headers
$http->http_security_headers();
// Possibly compress output
$http->gzip();
==== Example 2: Handling TLS/HTTPS Upgrade ====
$http = new Http($db); // Constructor detects TLS requirement
// If TLS is enabled and user wasn't in TLS before:
// - Sets TLS session flag
// - Marks session with TLS cookie
// - Redirects to HTTPS version
==== Example 3: Invalidating Cache After Page Edit ====
// User edits a page
$http = new Http($db);
$count = $http->invalidate_page('HomePage');
// All cached versions (different languages, methods) are invalidated
==== Example 4: Serving a File ====
$http = new Http($db);
$http->session(2); // Static file mode - no session replay prevention
// Serve with 3-day cache
$http->sendfile('uploads/manual.pdf', 'user-manual.pdf', 3);
---- === Security Considerations === ==== 1. **IP Address Spoofing** ==== - Validates IPs against private ranges - Filters proxy-provided IPs appropriately - Configurable reverse proxy trust <!--markup:1:begin-->###<!--markup:1:end--> <!--markup:2:begin-->====<!--markup:2:end--> 2. **Session Security** ==== - Binds sessions to IP address - Binds sessions to TLS status - Supports both file and database storage - HttpOnly cookies by default <!--markup:1:begin-->###<!--markup:1:end--> <!--markup:2:begin-->====<!--markup:2:end--> 3. **TLS Enforcement** <!--markup:2:begin-->====<!--markup:2:end--> - Automatic HTTPS upgrade when configured - Marks TLS sessions to prevent downgrade attacks - HSTS header support <!--markup:1:begin-->###<!--markup:1:end--> <!--markup:2:begin-->====<!--markup:2:end--> 4. **Content Security** <!--markup:2:begin-->====<!--markup:2:end--> - CSP headers to prevent XSS - X-Frame-Options to prevent clickjacking - X-Content-Type-Options to prevent MIME sniffing - Referrer-Policy control - Permissions-Policy for browser features ==== 5. **File Serving** ==== - Validates file existence and readability - Prevents directory traversal via <!--markup:1:begin-->`realpath()`<!--markup:1:end--> <!--markup:2:begin-->##realpath()##<!--markup:2:end--> - Rejects symbolic links - Special CSP for SVG and PDF files <!--markup:1:begin-->###<!--markup:1:end--> <!--markup:2:begin-->====<!--markup:2:end--> 6. **Cache Security** ==== - Cached only for anonymous users - Disabled for sensitive operations (edit, watch) - Only GET requests cached ---- === Performance Optimization <!--markup:1:begin-->###<!--markup:1:end--> <!--markup:2:begin-->=== ====<!--markup:2:end--> 1. **Page Caching** <!--markup:2:begin-->====<!--markup:2:end--> - Stores full HTML output - TTL-based expiration - Language and method-aware caching - Conditional request support (34 Not Modified) ==== 2. **MIME Type Caching** <!--markup:2:begin-->====<!--markup:2:end--> - Loads MIME types once and caches - Regenerates only when config changes <!--markup:1:begin-->###<!--markup:1:end--> <!--markup:2:begin-->====<!--markup:2:end--> 3. **Session Options** ==== - File-based sessions for simple deployments - Database sessions for distributed systems <!--markup:1:begin-->###<!--markup:1:end--> <!--markup:2:begin-->====<!--markup:2:end--> 4. **Compression** <!--markup:2:begin-->====<!--markup:2:end--> - Manual gzip implementation - Proper Content-Length generation - Only compresses appropriate sizes ---- === Debugging === The class integrates with WackoWiki's diagnostic system: <!--markup:1:begin-->```php<!--markup:1:end--> <!--markup:2:begin-->
// Diagnostic messages are preserved across redirects
// via session flash data
// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 224-1-15 12:3:45 GMT
%%
=== Related Classes <!
- Session Classes (
SessionFileStore,SessionDbalStore) - Session management backends - Database Class - Configuration and cache metadata storage
- Ut Utility Class - String/path utilities
- Diag Class - Diagnostic logging
Version History <!markup:2:begin>
<!- Supports PHP 8.+ (uses match expressions, union types)
- Follows RFC 911 for HTTP header handling
- Modern cookie security practices
##
=== Conclusion ===
The
Http class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
- Extending WackoWiki with custom request handlers
- Implementing custom session logic
- Adding new security policies
- Optimizing cache strategies
- Debugging HTTP-related issues