HTTP Class Technical Documentation (diff)

Difference between revisions for Users / Eo Ny / dev

Version1	Version2	Differences
1		~~# HTTP Class Technical Documentation~~
2
3		~~## Overview~~
4
5		The ~~`Http` class (`src/class/http.php`~~) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.
6
7		File Location: ~~`src/class/http.php`~~
	1	== HTTP Class Technical Documentation ==
	2
	3	=== Overview ===
	4
	5	The ##Http## class (##src/class/http.php##) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.
	6
	7	File Location: ##src/class/http.php##
8	8	Language: PHP
9		Dependencies: Database class, Session classes, Utility classes (`Ut`), Diagnostics class (`Diag`)
10
11		---
12
13		## Class Properties
14
15		### Public Properties
16
17		\| Property \| Type \| Description \|
18		\|----------\|------\|-------------\|
19		\| `$tls_session` \| bool \| Indicates if the current session uses HTTPS/TLS encryption \|
20		\| `$request_uri` \| string \| Normalized REQUEST_URI (e.g., 'PageOfNoReturn/show?a=1') \|
21		\| `$ip` \| string \| Client's real IP address (accounts for proxies) \|
22		\| `$sess` \| Session \| Reference to the Session object \|
23		\| `$method` \| string \| Current HTTP method/request type \|
24
25		### Private Properties
26
27		\| Property \| Type \| Description \|
28		\|----------\|------\|-------------\|
29		\| `$db` \| object \| Database connection reference \|
30		\| `$tls_mark` \| string \| Cookie name for TLS session marking \|
31		\| `$page` \| string \| Current page name being processed \|
32		\| `$hash` \| string \| SHA1 hash of the page name \|
33		\| `$query` \| string \| Encoded query string \|
34		\| `$lang` \| string \| Current language code \|
35		\| `$file` \| string \| Cache file path \|
36		\| `$caching` \| int \| Flag indicating if page should be cached (0 or 1) \|
37
38		---
39
40		## Constructor
41
42		```php
	9	Dependencies: Database class, Session classes, Utility classes (##Ut##), Diagnostics class (##Diag##)
	10
	11	----
	12
	13	=== Class Properties ===
	14
	15	==== Public Properties ====
	16
	17
	18
	19	==== Private Properties ====
	20
	21
	22	=== Constructor ===
	23
	24	%%php
43	25	public function __construct(&$db)
44		~~```~~
	26	%%
45	27
46	28	Purpose: Initializes the Http object and sets up HTTP session handling.
47	29
48	30	Parameters:
49		~~- `$db`~~ - Database object reference
	31	- ##$db## - Database object reference
50	32
51	33	Initialization Steps:
52		1. Stores database reference
53		2. Extracts and normalizes REQUEST_URI
54		3. Detects TLS/HTTPS session status
55		4. Determines client's real IP address
56		5. Sets up TLS mark cookie name
57		6. Enforces TLS session upgrade if needed
58
59		Example:
60		~~```~~php
	34	1. Stores database reference
	35	2. Extracts and normalizes REQUEST_URI
	36	3. Detects TLS/HTTPS session status
	37	4. Determines client's real IP address
	38	5. Sets up TLS mark cookie name
	39	6. Enforces TLS session upgrade if needed
	40
	41	Example:
	42	%%php
61	43	$http = new Http($db);
62		~~```~~
63
64		---
65
66		~~## Core Methods~~
67
68		~~### Session Management~~
69
70		~~#### `session($route): void`~~
	44	%%
	45
	46	----
	47
	48	=== Core Methods ===
	49
	50	==== Session Management ====
	51
	52	===== ##session($route): void## =====
71	53	Initializes the session handler (file-based or database-based).
72	54
73	55	Parameters:
74		~~- `$route`~~ (int) - Routing flag:
75		- Bit 2 (~~`$route & 2`~~): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
76
77		Features:
78		- Selects storage backend (file or database)
79		- Configures cookie settings (security, path, httponly)
80		- Binds IP and TLS validation
81		- Recovers diagnostic logs from previous session
82
83		Example:
84		~~```~~php
	56	- ##$route## (int) - Routing flag:
	57	- Bit 2 (##$route & 2##): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
	58
	59	Features:
	60	- Selects storage backend (file or database)
	61	- Configures cookie settings (security, path, httponly)
	62	- Binds IP and TLS validation
	63	- Recovers diagnostic logs from previous session
	64
	65	Example:
	66	%%php
85	67	$http->session(0); // Normal session
86	68	$http->session(2); // Static file serving mode
87		~~```~~
88
89		---
90
91		~~### Caching System~~
92
93		~~#### `check_cache($page, $method): void`~~
	69	%%
	70
	71	----
	72
	73	==== Caching System ====
	74
	75	===== ##check_cache($page, $method): void## =====
94	76	Determines if a page can be cached and prepares the cache check.
95	77
96	78	Parameters:
97		~~- `$page`~~ (string) - Page name to cache
98		~~- `$method`~~ (string) - Request method/action (e.g., 'show', 'edit')
	79	- ##$page## (string) - Page name to cache
	80	- ##$method## (string) - Request method/action (e.g., 'show', 'edit')
99	81
100	82	Caching Rules:
101		- ✅ Enabled for GET requests only
102		- ✅ Disabled for POST requests
103		- ❌ Never cached for 'edit' or 'watch' methods
104		- ✅ Only cached for anonymous users (no logged-in users)
105
106		Example:
107		~~```~~php
	83	- ✅ Enabled for GET requests only
	84	- ✅ Disabled for POST requests
	85	- ❌ Never cached for 'edit' or 'watch' methods
	86	- ✅ Only cached for anonymous users (no logged-in users)
	87
	88	Example:
	89	%%php
108	90	$http->check_cache('HomePage', 'show');
109		~~```~~
110
111		---
112
113		~~#### `store_cache(): void`~~
	91	%%
	92
	93	----
	94
	95	===== ##store_cache(): void## =====
114	96	Saves the generated page content to cache file.
115	97
116	98	Features:
117		- Retrieves output buffer content
118		- Saves to cache file with proper permissions
119		- Records cache metadata in database
120		- Only executes if caching flag is set and user is anonymous
121
122		Example:
123		~~```~~php
	99	- Retrieves output buffer content
	100	- Saves to cache file with proper permissions
	101	- Records cache metadata in database
	102	- Only executes if caching flag is set and user is anonymous
	103
	104	Example:
	105	%%php
124	106	// Called at end of page rendering
125	107	$http->store_cache();
126		~~```~~
127
128		---
129
130		~~#### `invalidate_page($page): int`~~
	108	%%
	109
	110	----
	111
	112	===== ##invalidate_page($page): int## =====
131	113	Invalidates all cached versions of a page.
132	114
133	115	Parameters:
134		~~- `$page`~~ (string) - Page name to invalidate
	116	- ##$page## (string) - Page name to invalidate
135	117
136	118	Returns:
137		- Number of cache entries invalidated
	119	- Number of cache entries invalidated
138	120
139	121	Process:
140		1. Finds all cached versions (different methods/languages)
141		2. Touches files to past timestamp (faster than deletion)
142		3. Removes entries from cache metadata table
143		4. Returns count of invalidated caches
144
145		Example:
146		~~```~~php
	122	1. Finds all cached versions (different methods/languages)
	123	2. Touches files to past timestamp (faster than deletion)
	124	3. Removes entries from cache metadata table
	125	4. Returns count of invalidated caches
	126
	127	Example:
	128	%%php
147	129	$count = $http->invalidate_page('HomePage');
148	130	echo "Invalidated $count cache entries";
149		~~```~~
150
151		---
152
153		~~### TLS/HTTPS Security~~
154
155		~~#### `secure_base_url(): void`~~
	131	%%
	132
	133	----
	134
	135	==== TLS/HTTPS Security ====
	136
	137	===== ##secure_base_url(): void## =====
156	138	Switches base URL from HTTP to HTTPS.
157	139
158	140	Purpose:
159		- Ensures all subsequent URLs use HTTPS
160		- Stores original HTTP URL for fallback
161		- Called when TLS session is detected
162
163		Example:
164		~~```~~php
	141	- Ensures all subsequent URLs use HTTPS
	142	- Stores original HTTP URL for fallback
	143	- Called when TLS session is detected
	144
	145	Example:
	146	%%php
165	147	$http->secure_base_url();
166	148	// $db->base_url now uses https://
167		~~```~~
168
169		---
170
171		~~#### `ensure_tls($url): void`~~
	149	%%
	150
	151	----
	152
	153	===== ##ensure_tls($url): void## =====
172	154	Enforces HTTPS for a specific URL and redirects if necessary.
173	155
174	156	Parameters:
175		~~- `$url`~~ (string) - URL to secure
	157	- ##$url## (string) - URL to secure
176	158
177	159	Behavior:
178		- If not already HTTPS and TLS is enabled, forces HTTPS redirect
179		- Handles both relative and absolute URLs
180		- Converts relative URLs using current server name
181
182		Example:
183		~~```~~php
	160	- If not already HTTPS and TLS is enabled, forces HTTPS redirect
	161	- Handles both relative and absolute URLs
	162	- Converts relative URLs using current server name
	163
	164	Example:
	165	%%php
184	166	$http->ensure_tls('/secure/payment');
185		~~```~~
186
187		---
188
189		~~### IP Address Detection~~
190
191		~~#### `real_ip(): string` (Private)~~
	167	%%
	168
	169	----
	170
	171	==== IP Address Detection ====
	172
	173	===== ##real_ip(): string## (Private) =====
192	174	Detects client's real IP address accounting for proxies.
193	175
194	176	Proxy Headers Checked (in order):
195		~~1. `HTTP_X_CLUSTER_CLIENT_IP`~~
196		~~2. `HTTP_X_FORWARDED_FOR`~~ (or custom header)
197		~~3. `HTTP_CLIENT_IP`~~
198		~~4. `HTTP_X_REMOTE_ADDR`~~
199		~~5. `REMOTE_ADDR`~~ (fallback)
200
201		Features:
202		- Filters out private/reserved IP ranges
203		- Respects configured reverse proxy addresses
204		~~- Returns `'0.0.0.0'`~~ as fallback
	177	1. ##HTTP_X_CLUSTER_CLIENT_IP##
	178	2. ##HTTP_X_FORWARDED_FOR## (or custom header)
	179	3. ##HTTP_CLIENT_IP##
	180	4. ##HTTP_X_REMOTE_ADDR##
	181	5. ##REMOTE_ADDR## (fallback)
	182
	183	Features:
	184	- Filters out private/reserved IP ranges
	185	- Respects configured reverse proxy addresses
	186	- Returns ##'0.0.0.0'## as fallback
205	187
206	188	Configuration in Database:
207		~~- `reverse_proxy_addresses`~~ - Comma/space-separated proxy IPs
208		~~- `reverse_proxy_header` - Custom header name (default: `X-Forwarded-For`~~)
209
210		Example:
211		~~```~~php
	189	- ##reverse_proxy_addresses## - Comma/space-separated proxy IPs
	190	- ##reverse_proxy_header## - Custom header name (default: ##X-Forwarded-For##)
	191
	192	Example:
	193	%%php
212	194	$client_ip = $http->ip; // e.g., "203.0.113.42"
213		~~```~~
214
215		---
216
217		~~### HTTPS Detection~~
218
219		~~#### `tls_session(): bool` (Private)~~
	195	%%
	196
	197	----
	198
	199	==== HTTPS Detection ====
	200
	201	===== ##tls_session(): bool## (Private) =====
220	202	Detects if current connection uses HTTPS/TLS.
221	203
222	204	Checks (any being true = HTTPS):
223		- `$_SERVER['HTTPS']` is 'on'
224		- `$_SERVER['SERVER_PORT']` is 443
225		- `$_SERVER['HTTP_X_FORWARDED_PROTO']` is 'https'
226		- `$_SERVER['HTTP_X_FORWARDED_SSL']` is 'on'
227		- `$_SERVER['HTTP_X_FORWARDED_PORT']` is 443
228
229		---
230
231		### Security Headers
232
233		#### `http_security_headers(): void`
234		Sets security-related HTTP headers.
235
236		Headers Set:
237
238		\| Header \| Purpose \| Config Key \|
239		\|--------\|---------\|------------\|
240		\| Content-Security-Policy \| XSS/injection protection \| `csp` \|
241		\| Permissions-Policy \| Control browser features \| `permissions_policy` \|
242		\| Referrer-Policy \| Control referrer information \| `referrer_policy` \|
243		\| Strict-Transport-Security \| Force HTTPS \| Auto (TLS only) \|
244		\| X-Frame-Options \| Clickjacking protection \| Hardcoded: `SAMEORIGIN` \|
245		\| X-Content-Type-Options \| MIME sniffing prevention \| Hardcoded: `nosniff` \|
246
247		CSP Configuration Options:
248		- `0` - Disabled
249		- `1` - Default policy (from `csp.conf`)
250		- `2` - Custom policy (from `csp_custom.conf`)
251
252		Example:
253		```php
254		$http->http_security_headers();
255		```
256
257		---
258
259		### HTTP Methods
260
261		#### `redirect($url, $permanent = false): void`
	205	- ##$_SERVER['HTTPS']## is 'on'
	206	- ##$_SERVER['SERVER_PORT']## is 443
	207	- ##$_SERVER['HTTP_X_FORWARDED_PROTO']## is 'https'
	208	- ##$_SERVER['HTTP_X_FORWARDED_SSL']## is 'on'
	209	- ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443
	210
	211	----
	212
	213	==== Security Headers ====
	214
	215	===== ##http_security_headers(): void## =====
	216
	217
	218	==== HTTP Methods ====
	219
	220	===== ##redirect($url, $permanent = false): void## =====
262	221	Performs an HTTP redirect.
263	222
264	223	Parameters:
265		~~- `$url`~~ (string) - Target URL
266		~~- `$permanent`~~ (bool) - Use 301 (permanent) vs 302 (temporary)
267
268		Features:
269		~~- Decodes `&`~~ entities to prevent broken redirects
270		- Only works if headers not yet sent
271		- Uses output buffering to work anywhere in page processing
272
273		Example:
274		~~```~~php
	224	- ##$url## (string) - Target URL
	225	- ##$permanent## (bool) - Use 301 (permanent) vs 302 (temporary)
	226
	227	Features:
	228	- Decodes ##&## entities to prevent broken redirects
	229	- Only works if headers not yet sent
	230	- Uses output buffering to work anywhere in page processing
	231
	232	Example:
	233	%%php
275	234	$http->redirect('http://example.com/new-page', true); // 301
276	235	$http->redirect('/wiki/HomePage'); // 302
277		~~```~~
278
279		---
280
281		~~#### `terminate(): void`~~
	236	%%
	237
	238	----
	239
	240	===== ##terminate(): void## =====
282	241	Safe exit/die with cleanup.
283	242
284	243	Cleanup Operations:
285		- Saves diagnostic logs to session flash data
286		- Ends script execution
287
288		Example:
289		~~```~~php
	244	- Saves diagnostic logs to session flash data
	245	- Ends script execution
	246
	247	Example:
	248	%%php
290	249	$http->terminate();
291		~~```~~
292
293		---
294
295		~~#### `status($code): void`~~
	250	%%
	251
	252	----
	253
	254	===== ##status($code): void## =====
296	255	Sets HTTP response status code.
297	256
298	257	Supported Status Codes:
299		~~```~~php
	258	%%php
300	259	200 => 'OK'
301	260	206 => 'Partial Content'
302	261	301 => 'Moved Permanently'
…	…	…
313	272	500 => 'Internal Server Error'
314	273	501 => 'Not Implemented'
315	274	503 => 'Service Unavailable'
316		~~```~~
317
318		Example:
319		~~```~~php
	275	%%
	276
	277	Example:
	278	%%php
320	279	$http->status(404); // Send 404 Not Found
321		~~```~~
322
323		---
324
325		~~### Caching Control~~
326
327		~~#### `no_cache($client_only = true): void`~~
	280	%%
	281
	282	----
	283
	284	==== Caching Control ====
	285
	286	===== ##no_cache($client_only = true): void## =====
328	287	Disables caching of the current page.
329	288
330	289	Parameters:
331		~~- `$client_only`~~ (bool, default: TRUE)
332		- ~~`TRUE`~~: Disable browser cache only
333		- ~~`FALSE`~~: Disable both browser and server cache
	290	- ##$client_only## (bool, default: TRUE)
	291	- ##TRUE##: Disable browser cache only
	292	- ##FALSE##: Disable both browser and server cache
334	293
335	294	Headers Set:
336		~~- `Last-Modified: <current-time>`~~ (always fresh)
337		~~- `Cache-Control: no-store`~~
338
339		Example:
340		~~```~~php
	295	- ##Last-Modified: <current-time>## (always fresh)
	296	- ##Cache-Control: no-store##
	297
	298	Example:
	299	%%php
341	300	$http->no_cache(); // Client-side only
342	301	$http->no_cache(false); // Both client & server
343		~~```~~
344
345		---
346
347		~~#### `cache_promisc(): void`~~
	302	%%
	303
	304	----
	305
	306	===== ##cache_promisc(): void## =====
348	307	Marks page as publicly cacheable.
349	308
350	309	Headers Set:
351		~~- `Cache-Control: public`~~
352
353		Example:
354		~~```~~php
	310	- ##Cache-Control: public##
	311
	312	Example:
	313	%%php
355	314	$http->cache_promisc();
356		~~```~~
357
358		---
359
360		~~### Language Negotiation~~
361
362		~~#### `user_agent_language(): string`~~
	315	%%
	316
	317	----
	318
	319	==== Language Negotiation ====
	320
	321	===== ##user_agent_language(): string## =====
363	322	Determines best language based on browser preferences.
364	323
365	324	Features:
366		- Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
367		~~- Parses `Accept-Language`~~ header with quality factors
368		- Attempts exact match first, then language fallback
369		- Falls back to default system language
	325	- Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
	326	- Parses ##Accept-Language## header with quality factors
	327	- Attempts exact match first, then language fallback
	328	- Falls back to default system language
370	329
371	330	Example Header:
372		~~```~~
	331	%%
373	332	Accept-Language: en-US,en;q=0.9,de;q=0.8
374		~~```~~
	333	%%
375	334
376	335	Returns:
377		- Language code (e.g., 'en', 'en-US', 'de')
378
379		---
380
381		~~#### `available_languages($subset = true): array`~~
	336	- Language code (e.g., 'en', 'en-US', 'de')
	337
	338	----
	339
	340	===== ##available_languages($subset = true): array## =====
382	341	Returns list of available language translations.
383	342
384	343	Parameters:
385		~~- `$subset`~~ (bool, default: TRUE)
386		- ~~`TRUE`~~: Only allowed languages
387		- ~~`FALSE`~~: All available languages
388
389		Features:
390		~~- Scans `LANG_DIR`~~ for language files
391		~~- Filters by `allowed_languages`~~ config if set
392		- Caches result in session
393		- System language always included
	344	- ##$subset## (bool, default: TRUE)
	345	- ##TRUE##: Only allowed languages
	346	- ##FALSE##: All available languages
	347
	348	Features:
	349	- Scans ##LANG_DIR## for language files
	350	- Filters by ##allowed_languages## config if set
	351	- Caches result in session
	352	- System language always included
394	353
395	354	Returns:
396		~~- Associative array: `['en' => 'en', 'de' => 'de', ...]`~~
397
398		Example:
399		~~```~~php
	355	- Associative array: ##['en' => 'en', 'de' => 'de', ...]##
	356
	357	Example:
	358	%%php
400	359	$all_langs = $http->available_languages(false);
401	360	$allowed = $http->available_languages(true);
402		~~```~~
403
404		---
405
406		~~### File Serving~~
407
408		~~#### `sendfile($path, $filename = null, $age = null): void`~~
	361	%%
	362
	363	----
	364
	365	==== File Serving ====
	366
	367	===== ##sendfile($path, $filename = null, $age = null): void## =====
409	368	Serves files with proper HTTP headers and caching.
410	369
411	370	Parameters:
412		~~- `$path`~~ (string) - File path (or HTTP_XXX constant for error pages)
413		~~- `$filename`~~ (string, optional) - Custom download filename
414		~~- `$age`~~ (int, optional) - Cache age in days
415
416		Features:
417		- HTTP range request support (partial file downloads)
418		- ETag and Last-Modified conditional requests
419		- Proper MIME type detection
420		- Content-Security-Policy for special file types
421		- Streaming for large files
422		- GZip compression for text files
	371	- ##$path## (string) - File path (or HTTP_XXX constant for error pages)
	372	- ##$filename## (string, optional) - Custom download filename
	373	- ##$age## (int, optional) - Cache age in days
	374
	375	Features:
	376	- HTTP range request support (partial file downloads)
	377	- ETag and Last-Modified conditional requests
	378	- Proper MIME type detection
	379	- Content-Security-Policy for special file types
	380	- Streaming for large files
	381	- GZip compression for text files
423	382
424	383	Special Paths:
425		~~```~~php
	384	%%php
426	385	$http->sendfile(404); // Serves file defined by HTTP_404 constant
427	386	$http->sendfile(403); // Serves file defined by HTTP_403 constant
428		~~```~~
429
430		Example:
431		~~```~~php
	387	%%
	388
	389	Example:
	390	%%php
432	391	$http->sendfile('uploads/document.pdf', 'my-document.pdf', 30);
433		~~```~~
434
435		---
436
437		~~#### `mime_type($path): string`~~
	392	%%
	393
	394	----
	395
	396	===== ##mime_type($path): string## =====
438	397	Returns MIME type for a file.
439	398
440	399	Returns:
441		- MIME type string (e.g., 'application/pdf')
442		~~- Default: `'application/octet-stream'`~~
443
444		Example:
445		~~```~~php
	400	- MIME type string (e.g., 'application/pdf')
	401	- Default: ##'application/octet-stream'##
	402
	403	Example:
	404	%%php
446	405	$mime = $http->mime_type('file.pdf'); // 'application/pdf'
447		~~```~~
448
449		---
450
451		~~#### `mime_types(): array` (Private)~~
	406	%%
	407
	408	----
	409
	410	===== ##mime_types(): array## (Private) =====
452	411	Loads and caches MIME types from configuration.
453	412
454	413	Features:
455		~~- Reads from `config/mime.types`~~
456		~~- Caches to `cache/config/mime.types`~~
457		- Reloads if config is updated
458
459		---
460
461		~~### Compression~~
462
463		~~#### `gzip(): void`~~
	414	- Reads from ##config/mime.types##
	415	- Caches to ##cache/config/mime.types##
	416	- Reloads if config is updated
	417
	418	----
	419
	420	==== Compression ====
	421
	422	===== ##gzip(): void## =====
464	423	Compresses HTTP response with gzip/x-gzip.
465	424
466	425	Features:
467		- Manually implements gzip (not relying on zlib.output_compression)
468		~~- Produces correct `Content-Length`~~ header
469		- Only compresses if:
	426	- Manually implements gzip (not relying on zlib.output_compression)
	427	- Produces correct ##Content-Length## header
	428	- Only compresses if:
470	429	- 860 bytes < content < 1 MB
471	430	- Client accepts compression
472	431	- Headers not already sent
473	432
474	433	Example:
475		~~```~~php
	434	%%php
476	435	$http->gzip();
477		~~```~~
478
479		---
480
481		~~### Utility Methods~~
482
483		~~#### `parse_str($str): array` (Private)~~
	436	%%
	437
	438	----
	439
	440	==== Utility Methods ====
	441
	442	===== ##parse_str($str): array## (Private) =====
484	443	Parses URL-encoded strings with special character handling.
485	444
486	445	Purpose:
487		- Safely handles special characters in query/form data
488		- Converts encoding properly
489
490		Example:
491		~~```~~php
	446	- Safely handles special characters in query/form data
	447	- Converts encoding properly
	448
	449	Example:
	450	%%php
492	451	$data = $http->parse_str('name=John&age=30');
493		~~```~~
494
495		---
496
497		~~#### `request_uri(): string` (Private)~~
	452	%%
	453
	454	----
	455
	456	===== ##request_uri(): string## (Private) =====
498	457	Extracts and normalizes REQUEST_URI from server.
499	458
500	459	Normalization:
501		- Removes base URL prefix
502		- Removes spaces
503		- Collapses multiple slashes
504		~~- Removes `..`~~ path traversal attempts
505		- Removes leading/trailing slashes
506
507		---
508
509		~~#### `cut_prefix($prefix, $path): string` (Private)~~
	460	- Removes base URL prefix
	461	- Removes spaces
	462	- Collapses multiple slashes
	463	- Removes ##..## path traversal attempts
	464	- Removes leading/trailing slashes
	465
	466	----
	467
	468	===== ##cut_prefix($prefix, $path): string## (Private) =====
510	469	Removes prefix from path (case-insensitive).
511	470
512		---
513
514		~~#### `get_header_conf($file_name): string` (Private)~~
	471	----
	472
	473	===== ##get_header_conf($file_name): string## (Private) =====
515	474	Loads security header configuration from files.
516	475
517	476	Files Supported:
518		- `csp.conf` / `csp_custom.conf`
519		- `permissions_policy.conf` / `permissions_policy_custom.conf`
520
521		---
522
523		## Configuration Dependencies
524
525		The class relies on these database configuration settings:
526
527		\| Setting \| Type \| Purpose \|
528		\|---------\|------\|---------\|
529		\| `base_url` \| string \| Wiki's base URL \|
530		\| `tls` \| bool \| Enable HTTPS enforcement \|
531		\| `cache` \| bool \| Enable page caching \|
532		\| `cache_ttl` \| int \| Cache lifetime in seconds \|
533		\| `session_store` \| int \| 1=File, 0=Database \|
534		\| `system_seed_hash` \| string \| Session encryption seed \|
535		\| `cookie_prefix` \| string \| Session cookie prefix \|
536		\| `cookie_path` \| string \| Cookie path \|
537		\| `allow_persistent_cookie` \| bool \| Allow persistent login \|
538		\| `session_length` \| int \| Session lifetime in seconds \|
539		\| `reverse_proxy_addresses` \| string \| Comma/space-separated proxy IPs \|
540		\| `reverse_proxy_header` \| string \| Custom X-Forwarded header \|
541		\| `language` \| string \| Default language code \|
542		\| `multilanguage` \| bool \| Enable language negotiation \|
543		\| `allowed_languages` \| string \| Comma/space-separated allowed langs \|
544		\| `enable_security_headers` \| bool \| Send security headers \|
545		\| `csp` \| int \| CSP setting (0/1/2) \|
546		\| `permissions_policy` \| int \| Permissions-Policy setting (0/1/2) \|
547		\| `referrer_policy` \| int \| Referrer-Policy setting (0-8) \|
548
549		---
550
551		## Constants Used
552
553		\| Constant \| Type \| Purpose \|
554		\|----------\|------\|---------\|
555		\| `IN_WACKO` \| bool \| Security check (exit if not defined) \|
556		\| `CHMOD_SAFE` \| int \| File permissions for cache files \|
557		\| `CHMOD_FILE` \| int \| File permissions for config cache \|
558		\| `CACHE_PAGE_DIR` \| string \| Page cache directory \|
559		\| `CACHE_SESSION_DIR` \| string \| Session cache directory \|
560		\| `CACHE_CONFIG_DIR` \| string \| Config cache directory \|
561		\| `CONFIG_DIR` \| string \| Configuration directory \|
562		\| `LANG_DIR` \| string \| Language files directory \|
563		\| `DAYSECS` \| int \| Seconds in a day (86400) \|
564		\| `HTTP_404` \| string \| Path to 404 error page \|
565		\| `HTTP_403` \| string \| Path to 403 error page \|
566
567		---
568
569		## Workflow Examples
570
571		### Example 1: Handling a GET Request
572
573		```php
	477	- ##csp.conf## / ##csp_custom.conf##
	478	- ##permissions_policy.conf## / ##permissions_policy_custom.conf##
	479
	480	----
	481
	482	=== Configuration Dependencies ===
	483
	484
	485
	486	=== Constants Used ===
	487
	488
	489
	490	=== Workflow Examples ===
	491
	492	==== Example 1: Handling a GET Request ====
	493
	494	%%php
574	495	// In main wiki entry point
575	496	$http = new Http($db);
576	497	$http->session(0); // Start session
…	…	…
588	509
589	510	// Possibly compress output
590	511	$http->gzip();
591		~~```~~
592
593		~~### Example 2: Handling TLS/HTTPS Upgrade~~
594
595		~~```~~php
	512	%%
	513
	514	==== Example 2: Handling TLS/HTTPS Upgrade ====
	515
	516	%%php
596	517	$http = new Http($db); // Constructor detects TLS requirement
597	518	// If TLS is enabled and user wasn't in TLS before:
598	519	// - Sets TLS session flag
599	520	// - Marks session with TLS cookie
600	521	// - Redirects to HTTPS version
601		~~```~~
602
603		~~### Example 3: Invalidating Cache After Page Edit~~
604
605		~~```~~php
	522	%%
	523
	524	==== Example 3: Invalidating Cache After Page Edit ====
	525
	526	%%php
606	527	// User edits a page
607	528	$http = new Http($db);
608	529	$count = $http->invalidate_page('HomePage');
609	530	// All cached versions (different languages, methods) are invalidated
610		~~```~~
611
612		~~### Example 4: Serving a File~~
613
614		~~```~~php
	531	%%
	532
	533	==== Example 4: Serving a File ====
	534
	535	%%php
615	536	$http = new Http($db);
616	537	$http->session(2); // Static file mode - no session replay prevention
617	538
618	539	// Serve with 30-day cache
619	540	$http->sendfile('uploads/manual.pdf', 'user-manual.pdf', 30);
620		~~```~~
621
622		---
623
624		~~## Security Considerations~~
625
626		### 1. IP Address Spoofing
627		- Validates IPs against private ranges
628		- Filters proxy-provided IPs appropriately
629		- Configurable reverse proxy trust
630
631		### 2. Session Security
632		- Binds sessions to IP address
633		- Binds sessions to TLS status
634		- Supports both file and database storage
635		- HttpOnly cookies by default
636
637		### 3. TLS Enforcement
638		- Automatic HTTPS upgrade when configured
639		- Marks TLS sessions to prevent downgrade attacks
640		- HSTS header support
641
642		### 4. Content Security
643		- CSP headers to prevent XSS
644		- X-Frame-Options to prevent clickjacking
645		- X-Content-Type-Options to prevent MIME sniffing
646		- Referrer-Policy control
647		- Permissions-Policy for browser features
648
649		### 5. File Serving
650		- Validates file existence and readability
651		~~- Prevents directory traversal via `realpath()`~~
652		- Rejects symbolic links
653		- Special CSP for SVG and PDF files
654
655		### 6. Cache Security
656		- Cached only for anonymous users
657		- Disabled for sensitive operations (edit, watch)
658		- Only GET requests cached
659
660		---
661
662		~~## Performance Optimization~~
663
664		### 1. Page Caching
665		- Stores full HTML output
666		- TTL-based expiration
667		- Language and method-aware caching
668		- Conditional request support (304 Not Modified)
669
670		### 2. MIME Type Caching
671		- Loads MIME types once and caches
672		- Regenerates only when config changes
673
674		### 3. Session Options
675		- File-based sessions for simple deployments
676		- Database sessions for distributed systems
677
678		### 4. Compression
679		- Manual gzip implementation
680		- Proper Content-Length generation
681		- Only compresses appropriate sizes
682
683		---
684
685		~~## Debugging~~
	541	%%
	542
	543	----
	544
	545	=== Security Considerations ===
	546
	547	==== 1. IP Address Spoofing ====
	548	- Validates IPs against private ranges
	549	- Filters proxy-provided IPs appropriately
	550	- Configurable reverse proxy trust
	551
	552	==== 2. Session Security ====
	553	- Binds sessions to IP address
	554	- Binds sessions to TLS status
	555	- Supports both file and database storage
	556	- HttpOnly cookies by default
	557
	558	==== 3. TLS Enforcement ====
	559	- Automatic HTTPS upgrade when configured
	560	- Marks TLS sessions to prevent downgrade attacks
	561	- HSTS header support
	562
	563	==== 4. Content Security ====
	564	- CSP headers to prevent XSS
	565	- X-Frame-Options to prevent clickjacking
	566	- X-Content-Type-Options to prevent MIME sniffing
	567	- Referrer-Policy control
	568	- Permissions-Policy for browser features
	569
	570	==== 5. File Serving ====
	571	- Validates file existence and readability
	572	- Prevents directory traversal via ##realpath()##
	573	- Rejects symbolic links
	574	- Special CSP for SVG and PDF files
	575
	576	==== 6. Cache Security ====
	577	- Cached only for anonymous users
	578	- Disabled for sensitive operations (edit, watch)
	579	- Only GET requests cached
	580
	581	----
	582
	583	=== Performance Optimization ===
	584
	585	==== 1. Page Caching ====
	586	- Stores full HTML output
	587	- TTL-based expiration
	588	- Language and method-aware caching
	589	- Conditional request support (304 Not Modified)
	590
	591	==== 2. MIME Type Caching ====
	592	- Loads MIME types once and caches
	593	- Regenerates only when config changes
	594
	595	==== 3. Session Options ====
	596	- File-based sessions for simple deployments
	597	- Database sessions for distributed systems
	598
	599	==== 4. Compression ====
	600	- Manual gzip implementation
	601	- Proper Content-Length generation
	602	- Only compresses appropriate sizes
	603
	604	----
	605
	606	=== Debugging ===
686	607
687	608	The class integrates with WackoWiki's diagnostic system:
688	609
689		~~```~~php
	610	%%php
690	611	// Diagnostic messages are preserved across redirects
691	612	// via session flash data
692	613
693	614	// Check cached pages (debug comments in output):
694	615	// <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->
695		```
696
697		---
698
699		## Related Classes
700
701		- Session Classes (`SessionFileStore`, `SessionDbalStore`) - Session management backends
702		- Database Class - Configuration and cache metadata storage
703		- Ut Utility Class - String/path utilities
704		- Diag Class - Diagnostic logging
705
706		---
707
708		## Version History
709
710		- Supports PHP 8.0+ (uses match expressions, union types)
711		- Follows RFC 9110 for HTTP header handling
712		- Modern cookie security practices
713
714		---
715
716		## Conclusion
717
718		The `Http` class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
719
720		- Extending WackoWiki with custom request handlers
721		- Implementing custom session logic
722		- Adding new security policies
723		- Optimizing cache strategies
724		- Debugging HTTP-related issues
	616	%%
	617
	618	----
	619
	620	=== Related Classes ===
	621	- Session Classes (##SessionFileStore##, ##SessionDbalStore##) - Session management backends
	622	- Database Class - Configuration and cache metadata storage
	623	- Ut Utility Class - String/path utilities
	624	- Diag Class - Diagnostic logging
	625
	626	----
	627
	628	=== Version History ===
	629	- Supports PHP 8.0+ (uses match expressions, union types)
	630	- Follows RFC 9110 for HTTP header handling
	631	- Modern cookie security practices
	632
	633	----
	634
	635	=== Conclusion ===
	636
	637	The ##Http## class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
	638	- Extending WackoWiki with custom request handlers
	639	- Implementing custom session logic
	640	- Adding new security policies
	641	- Optimizing cache strategies
	642	- Debugging HTTP-related issues