Difference between revisions for Users / Eo Ny / dev




← Previous edit
Revision 3 as of 05/05/2026 19:10
14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy 3 05/05/2026 19:10 EoNy 2 05/05/2026 19:08 EoNy 1 05/05/2026 19:06 EoNy

(17.4 KiB)
EoNy
 Next edit →
Revision 15 as of 05/18/2026 05:04
18 05/21/2026 16:12 WikiAdmin 17 05/18/2026 15:15 WikiAdmin 16 05/18/2026 05:05 WikiAdmin 15 05/18/2026 05:04 WikiAdmin 14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy

(18.3 KiB) +934
WikiAdmin

Version1 Version2 Differences
1   # HTTP Class Technical Documentation
2  
3   ## Overview
4  
5   The `Http` class (`src/class/http.php`) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.
6  
7   **File Location:** `src/class/http.php`
  1 == HTTP Class Technical Documentation ==
  2
  3 {{toc numerate=1}}
  4 === Overview ===
  5
  6 The ##Http## class (##src/class/http.php##) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.
  7
  8 **File Location:** ##src/class/http.php##
8 9 **Language:** PHP
9   **Dependencies:** Database class, Session classes, Utility classes (`Ut`), Diagnostics class (`Diag`)
10  
11   ---
12  
13   ## Class Properties
14  
15   ### Public Properties
16  
17   | Property | Type | Description |
18   |----------|------|-------------|
19   | `$tls_session` | bool | Indicates if the current session uses HTTPS/TLS encryption |
20   | `$request_uri` | string | Normalized REQUEST_URI (e.g., 'PageOfNoReturn/show?a=1') |
21   | `$ip` | string | Client's real IP address (accounts for proxies) |
22   | `$sess` | Session | Reference to the Session object |
23   | `$method` | string | Current HTTP method/request type |
24  
25   ### Private Properties
26  
27   | Property | Type | Description |
28   |----------|------|-------------|
29   | `$db` | object | Database connection reference |
30   | `$tls_mark` | string | Cookie name for TLS session marking |
31   | `$page` | string | Current page name being processed |
32   | `$hash` | string | SHA1 hash of the page name |
33   | `$query` | string | Encoded query string |
34   | `$lang` | string | Current language code |
35   | `$file` | string | Cache file path |
36   | `$caching` | int | Flag indicating if page should be cached (0 or 1) |
37  
38   ---
39  
40   ## Constructor
41  
42   ```php
  10 **Dependencies:** Database class, Session classes, Utility classes (##Ut##), Diagnostics class (##Diag##)
  11
  12 ----
  13
  14 === Class Properties ===
  15
  16 ====Public Properties====
  17
  18 #|
  19 *| Property | Type | Description |*
  20 || ##$tls_session## | bool | Indicates if the current session uses HTTPS/TLS encryption ||
  21 || ##$request_uri## | string | Normalized REQUEST_URI (e.g., 'PageOfNoReturn/show?a=1') ||
  22 || ##$ip## | string | Client's real IP address (accounts for proxies) ||
  23 || ##$sess## | Session | Reference to the Session object ||
  24 || ##$method## | string | Current HTTP method/request type ||
  25 |#
  26
  27 ====Private Properties====
  28
  29 #|
  30 *| Property | Type | Description |*
  31 || ##$db## | object | Database connection reference ||
  32 || ##$tls_mark## | string | Cookie name for TLS session marking ||
  33 || ##$page## | string | Current page name being processed ||
  34 || ##$hash## | string | SHA1 hash of the page name ||
  35 || ##$query## | string | Encoded query string ||
  36 || ##$lang## | string | Current language code ||
  37 || ##$file## | string | Cache file path ||
  38 || ##$caching## | int | Flag indicating if page should be cached (0 or 1) ||
  39 |#
  40
  41 ----
  42 === Constructor ===
  43
  44 %%php
43 45 public function __construct(&$db)
44   ```
  46 %%
45 47
46 48 **Purpose:** Initializes the Http object and sets up HTTP session handling.
47 49
48 50 **Parameters:**
49   - `$db` - Database object reference
  51   - ##$db## - Database object reference
50 52
51 53 **Initialization Steps:**
52   1. Stores database reference
53   2. Extracts and normalizes REQUEST_URI
54   3. Detects TLS/HTTPS session status
55   4. Determines client's real IP address
56   5. Sets up TLS mark cookie name
57   6. Enforces TLS session upgrade if needed
58  
59   **Example:**
60   ```php
  54   1. Stores database reference
  55   2. Extracts and normalizes REQUEST_URI
  56   3. Detects TLS/HTTPS session status
  57   4. Determines client's real IP address
  58   5. Sets up TLS mark cookie name
  59   6. Enforces TLS session upgrade if needed
  60
  61 **Example:**
  62 %%php
61 63 $http = new Http($db);
62   ```
63  
64   ---
65  
66   ## Core Methods
67  
68   ### Session Management
69  
70   #### `session($route): void`
  64 %%
  65
  66 ----
  67
  68 === Core Methods ===
  69
  70 ==== Session Management ====
  71
  72 ===== ##session($route): void## =====
71 73 Initializes the session handler (file-based or database-based).
72 74
73 75 **Parameters:**
74   - `$route` (int) - Routing flag:
75     - Bit 2 (`$route & 2`): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
76  
77   **Features:**
78   - Selects storage backend (file or database)
79   - Configures cookie settings (security, path, httponly)
80   - Binds IP and TLS validation
81   - Recovers diagnostic logs from previous session
82  
83   **Example:**
84   ```php
  76   - ##$route## (int) - Routing flag:
  77   - Bit 2 (##$route & 2##): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
  78
  79 **Features:**
  80   - Selects storage backend (file or database)
  81   - Configures cookie settings (security, path, httponly)
  82   - Binds IP and TLS validation
  83   - Recovers diagnostic logs from previous session
  84
  85 **Example:**
  86 %%php
85 87 $http->session(0); // Normal session
86 88 $http->session(2); // Static file serving mode
87   ```
88  
89   ---
90  
91   ### Caching System
92  
93   #### `check_cache($page, $method): void`
  89 %%
  90
  91 ----
  92
  93 ==== Caching System ====
  94
  95 ===== ##check_cache($page, $method): void## =====
94 96 Determines if a page can be cached and prepares the cache check.
95 97
96 98 **Parameters:**
97   - `$page` (string) - Page name to cache
98   - `$method` (string) - Request method/action (e.g., 'show', 'edit')
  99   - ##$page## (string) - Page name to cache
  100   - ##$method## (string) - Request method/action (e.g., 'show', 'edit')
99 101
100 102 **Caching Rules:**
101   - ✅ Enabled for GET requests only
102   - ✅ Disabled for POST requests
103   - ❌ Never cached for 'edit' or 'watch' methods
104   - ✅ Only cached for anonymous users (no logged-in users)
105  
106   **Example:**
107   ```php
  103   - ✅ Enabled for GET requests only
  104   - ✅ Disabled for POST requests
  105   - ❌ Never cached for 'edit' or 'watch' methods
  106   - ✅ Only cached for anonymous users (no logged-in users)
  107
  108 **Example:**
  109 %%php
108 110 $http->check_cache('HomePage', 'show');
109   ```
110  
111   ---
112  
113   #### `store_cache(): void`
  111 %%
  112
  113 ----
  114
  115 =====##store_cache(): void##=====
114 116 Saves the generated page content to cache file.
115 117
116 118 **Features:**
117   - Retrieves output buffer content
118   - Saves to cache file with proper permissions
119   - Records cache metadata in database
120   - Only executes if caching flag is set and user is anonymous
121  
122   **Example:**
123   ```php
  119   - Retrieves output buffer content
  120   - Saves to cache file with proper permissions
  121   - Records cache metadata in database
  122   - Only executes if caching flag is set and user is anonymous
  123
  124 **Example:**
  125 %%(hl php)
124 126 // Called at end of page rendering
125 127 $http->store_cache();
126   ```
127  
128   ---
129  
130   #### `invalidate_page($page): int`
  128 %%
  129
  130 ----
  131
  132 ===== ##invalidate_page($page): int## =====
131 133 Invalidates all cached versions of a page.
132 134
133 135 **Parameters:**
134   - `$page` (string) - Page name to invalidate
  136   - ##$page## (string) - Page name to invalidate
135 137
136 138 **Returns:**
137   - Number of cache entries invalidated
  139   - Number of cache entries invalidated
138 140
139 141 **Process:**
140   1. Finds all cached versions (different methods/languages)
141   2. Touches files to past timestamp (faster than deletion)
142   3. Removes entries from cache metadata table
143   4. Returns count of invalidated caches
144  
145   **Example:**
146   ```php
  142   1. Finds all cached versions (different methods/languages)
  143   2. Touches files to past timestamp (faster than deletion)
  144   3. Removes entries from cache metadata table
  145   4. Returns count of invalidated caches
  146
  147 **Example:**
  148 %%php
147 149 $count = $http->invalidate_page('HomePage');
148 150 echo "Invalidated $count cache entries";
149   ```
150  
151   ---
152  
153   ### TLS/HTTPS Security
154  
155   #### `secure_base_url(): void`
  151 %%
  152
  153 ----
  154
  155 ==== TLS/HTTPS Security ====
  156
  157 ===== ##secure_base_url(): void## =====
156 158 Switches base URL from HTTP to HTTPS.
157 159
158 160 **Purpose:**
159   - Ensures all subsequent URLs use HTTPS
160   - Stores original HTTP URL for fallback
161   - Called when TLS session is detected
162  
163   **Example:**
164   ```php
  161   - Ensures all subsequent URLs use HTTPS
  162   - Stores original HTTP URL for fallback
  163   - Called when TLS session is detected
  164
  165 **Example:**
  166 %%php
165 167 $http->secure_base_url();
166 168 // $db->base_url now uses https://
167   ```
168  
169   ---
170  
171   #### `ensure_tls($url): void`
  169 %%
  170
  171 ----
  172
  173 ===== ##ensure_tls($url): void## =====
172 174 Enforces HTTPS for a specific URL and redirects if necessary.
173 175
174 176 **Parameters:**
175   - `$url` (string) - URL to secure
  177   - ##$url## (string) - URL to secure
176 178
177 179 **Behavior:**
178   - If not already HTTPS and TLS is enabled, forces HTTPS redirect
179   - Handles both relative and absolute URLs
180   - Converts relative URLs using current server name
181  
182   **Example:**
183   ```php
  180   - If not already HTTPS and TLS is enabled, forces HTTPS redirect
  181   - Handles both relative and absolute URLs
  182   - Converts relative URLs using current server name
  183
  184 **Example:**
  185 %%php
184 186 $http->ensure_tls('/secure/payment');
185   ```
186  
187   ---
188  
189   ### IP Address Detection
190  
191   #### `real_ip(): string` (Private)
  187 %%
  188
  189 ----
  190
  191 ==== IP Address Detection ====
  192
  193 ===== ##real_ip(): string## (Private) =====
192 194 Detects client's real IP address accounting for proxies.
193 195
194 196 **Proxy Headers Checked (in order):**
195   1. `HTTP_X_CLUSTER_CLIENT_IP`
196   2. `HTTP_X_FORWARDED_FOR` (or custom header)
197   3. `HTTP_CLIENT_IP`
198   4. `HTTP_X_REMOTE_ADDR`
199   5. `REMOTE_ADDR` (fallback)
200  
201   **Features:**
202   - Filters out private/reserved IP ranges
203   - Respects configured reverse proxy addresses
204   - Returns `'0.0.0.0'` as fallback
  197   1. ##HTTP_X_CLUSTER_CLIENT_IP##
  198   2. ##HTTP_X_FORWARDED_FOR## (or custom header)
  199   3. ##HTTP_CLIENT_IP##
  200   4. ##HTTP_X_REMOTE_ADDR##
  201   5. ##REMOTE_ADDR## (fallback)
  202
  203 **Features:**
  204   - Filters out private/reserved IP ranges
  205   - Respects configured reverse proxy addresses
  206   - Returns ##'0.0.0.0'## as fallback
205 207
206 208 **Configuration in Database:**
207   - `reverse_proxy_addresses` - Comma/space-separated proxy IPs
208   - `reverse_proxy_header` - Custom header name (default: `X-Forwarded-For`)
209  
210   **Example:**
211   ```php
  209   - ##reverse_proxy_addresses## - Comma/space-separated proxy IPs
  210   - ##reverse_proxy_header## - Custom header name (default: ##X-Forwarded-For##)
  211
  212 **Example:**
  213 %%php
212 214 $client_ip = $http->ip; // e.g., "203.0.113.42"
213   ```
214  
215   ---
216  
217   ### HTTPS Detection
218  
219   #### `tls_session(): bool` (Private)
  215 %%
  216
  217 ----
  218
  219 ==== HTTPS Detection ====
  220
  221 ===== ##tls_session(): bool## (Private) =====
220 222 Detects if current connection uses HTTPS/TLS.
221 223
222 224 **Checks (any being true = HTTPS):**
223   - `$_SERVER['HTTPS']` is 'on'
224   - `$_SERVER['SERVER_PORT']` is 443
225   - `$_SERVER['HTTP_X_FORWARDED_PROTO']` is 'https'
226   - `$_SERVER['HTTP_X_FORWARDED_SSL']` is 'on'
227   - `$_SERVER['HTTP_X_FORWARDED_PORT']` is 443
228  
229   ---
230  
231   ### Security Headers
232  
233   #### `http_security_headers(): void`
  225   - ##$_SERVER['HTTPS']## is 'on'
  226   - ##$_SERVER['SERVER_PORT']## is 443
  227   - ##$_SERVER['HTTP_X_FORWARDED_PROTO']## is 'https'
  228   - ##$_SERVER['HTTP_X_FORWARDED_SSL']## is 'on'
  229   - ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443
  230
  231 ----
  232
  233 ==== Security Headers ====
  234
  235 =====##http_security_headers(): void##=====
  236
234 237 Sets security-related HTTP headers.
235 238
236 239 **Headers Set:**
237 240
238   | Header | Purpose | Config Key |
239   |--------|---------|------------|
240   | Content-Security-Policy | XSS/injection protection | `csp` |
241   | Permissions-Policy | Control browser features | `permissions_policy` |
242   | Referrer-Policy | Control referrer information | `referrer_policy` |
243   | Strict-Transport-Security | Force HTTPS | Auto (TLS only) |
244   | X-Frame-Options | Clickjacking protection | Hardcoded: `SAMEORIGIN` |
245   | X-Content-Type-Options | MIME sniffing prevention | Hardcoded: `nosniff` |
  241 #|
  242 *| Header | Purpose | Config Key |*
  243 || Content-Security-Policy | XSS/injection protection | ##csp## ||
  244 || Permissions-Policy | Control browser features | ##permissions_policy## ||
  245 || Referrer-Policy | Control referrer information | ##referrer_policy## ||
  246 || Strict-Transport-Security | Force HTTPS | Auto (TLS only) ||
  247 || X-Frame-Options | Clickjacking protection | Hardcoded: ##SAMEORIGIN## ||
  248 || X-Content-Type-Options | MIME sniffing prevention | Hardcoded: ##nosniff## ||
  249 |#
246 250
247 251 **CSP Configuration Options:**
248   - `0` - Disabled
249   - `1` - Default policy (from `csp.conf`)
250   - `2` - Custom policy (from `csp_custom.conf`)
251  
252   **Example:**
253   ```php
  252   - ##0## - Disabled
  253   - ##1## - Default policy (from ##csp.conf##)
  254   - ##2## - Custom policy (from ##csp_custom.conf##)
  255
  256 **Example:**
  257 %%php
254 258 $http->http_security_headers();
255   ```
256  
257   ---
258  
259   ### HTTP Methods
260  
261   #### `redirect($url, $permanent = false): void`
  259 %%
  260
  261 ----
  262 ==== HTTP Methods ====
  263
  264 ===== ##redirect($url, $permanent = false): void## =====
262 265 Performs an HTTP redirect.
263 266
264 267 **Parameters:**
265   - `$url` (string) - Target URL
266   - `$permanent` (bool) - Use 301 (permanent) vs 302 (temporary)
267  
268   **Features:**
269   - Decodes `&` entities to prevent broken redirects
270   - Only works if headers not yet sent
271   - Uses output buffering to work anywhere in page processing
272  
273   **Example:**
274   ```php
  268   - ##$url## (string) - Target URL
  269   - ##$permanent## (bool) - Use 301 (permanent) vs 302 (temporary)
  270
  271 **Features:**
  272   - Decodes ##&## entities to prevent broken redirects
  273   - Only works if headers not yet sent
  274   - Uses output buffering to work anywhere in page processing
  275
  276 **Example:**
  277 %%php
275 278 $http->redirect('http://example.com/new-page', true); // 301
276 279 $http->redirect('/wiki/HomePage'); // 302
277   ```
278  
279   ---
280  
281   #### `terminate(): void`
  280 %%
  281
  282 ----
  283
  284 ===== ##terminate(): void## =====
282 285 Safe exit/die with cleanup.
283 286
284 287 **Cleanup Operations:**
285   - Saves diagnostic logs to session flash data
286   - Ends script execution
287  
288   **Example:**
289   ```php
  288   - Saves diagnostic logs to session flash data
  289   - Ends script execution
  290
  291 **Example:**
  292 %%php
290 293 $http->terminate();
291   ```
292  
293   ---
294  
295   #### `status($code): void`
  294 %%
  295
  296 ----
  297
  298 ===== ##status($code): void## =====
296 299 Sets HTTP response status code.
297 300
298 301 **Supported Status Codes:**
299   ```php
  302 %%php
300 303 200 => 'OK'
301 304 206 => 'Partial Content'
302 305 301 => 'Moved Permanently'
313 316 500 => 'Internal Server Error'
314 317 501 => 'Not Implemented'
315 318 503 => 'Service Unavailable'
316   ```
317  
318   **Example:**
319   ```php
  319 %%
  320
  321 **Example:**
  322 %%php
320 323 $http->status(404); // Send 404 Not Found
321   ```
322  
323   ---
324  
325   ### Caching Control
326  
327   #### `no_cache($client_only = true): void`
  324 %%
  325
  326 ----
  327
  328 ==== Caching Control ====
  329
  330 ===== ##no_cache($client_only = true): void## =====
328 331 Disables caching of the current page.
329 332
330 333 **Parameters:**
331   - `$client_only` (bool, default: TRUE)
332     - `TRUE`: Disable browser cache only
333     - `FALSE`: Disable both browser and server cache
  334   - ##$client_only## (bool, default: TRUE)
  335   - ##TRUE##: Disable browser cache only
  336   - ##FALSE##: Disable both browser and server cache
334 337
335 338 **Headers Set:**
336   - `Last-Modified: <current-time>` (always fresh)
337   - `Cache-Control: no-store`
338  
339   **Example:**
340   ```php
  339   - ##Last-Modified: <current-time>## (always fresh)
  340   - ##Cache-Control: no-store##
  341
  342 **Example:**
  343 %%php
341 344 $http->no_cache(); // Client-side only
342 345 $http->no_cache(false); // Both client & server
343   ```
344  
345   ---
346  
347   #### `cache_promisc(): void`
  346 %%
  347
  348 ----
  349
  350 ===== ##cache_promisc(): void## =====
348 351 Marks page as publicly cacheable.
349 352
350 353 **Headers Set:**
351   - `Cache-Control: public`
352  
353   **Example:**
354   ```php
  354   - ##Cache-Control: public##
  355
  356 **Example:**
  357 %%php
355 358 $http->cache_promisc();
356   ```
357  
358   ---
359  
360   ### Language Negotiation
361  
362   #### `user_agent_language(): string`
  359 %%
  360
  361 ----
  362
  363 ==== Language Negotiation ====
  364
  365 ===== ##user_agent_language(): string## =====
363 366 Determines best language based on browser preferences.
364 367
365 368 **Features:**
366   - Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
367   - Parses `Accept-Language` header with quality factors
368   - Attempts exact match first, then language fallback
369   - Falls back to default system language
  369   - Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
  370   - Parses ##Accept-Language## header with quality factors
  371   - Attempts exact match first, then language fallback
  372   - Falls back to default system language
370 373
371 374 **Example Header:**
372   ```
  375 %%
373 376 Accept-Language: en-US,en;q=0.9,de;q=0.8
374   ```
  377 %%
375 378
376 379 **Returns:**
377   - Language code (e.g., 'en', 'en-US', 'de')
378  
379   ---
380  
381   #### `available_languages($subset = true): array`
  380   - Language code (e.g., 'en', 'en-US', 'de')
  381
  382 ----
  383
  384 ===== ##available_languages($subset = true): array## =====
382 385 Returns list of available language translations.
383 386
384 387 **Parameters:**
385   - `$subset` (bool, default: TRUE)
386     - `TRUE`: Only allowed languages
387     - `FALSE`: All available languages
388  
389   **Features:**
390   - Scans `LANG_DIR` for language files
391   - Filters by `allowed_languages` config if set
392   - Caches result in session
393   - System language always included
  388   - ##$subset## (bool, default: TRUE)
  389   - ##TRUE##: Only allowed languages
  390   - ##FALSE##: All available languages
  391
  392 **Features:**
  393   - Scans ##LANG_DIR## for language files
  394   - Filters by ##allowed_languages## config if set
  395   - Caches result in session
  396   - System language always included
394 397
395 398 **Returns:**
396   - Associative array: `['en' => 'en', 'de' => 'de', ...]`
397  
398   **Example:**
399   ```php
  399   - Associative array: ##['en' => 'en', 'de' => 'de', ...]##
  400
  401 **Example:**
  402 %%php
400 403 $all_langs = $http->available_languages(false);
401 404 $allowed = $http->available_languages(true);
402   ```
403  
404   ---
405  
406   ### File Serving
407  
408   #### `sendfile($path, $filename = null, $age = null): void`
  405 %%
  406
  407 ----
  408
  409 ==== File Serving ====
  410
  411 ===== ##sendfile($path, $filename = null, $age = null): void## =====
409 412 Serves files with proper HTTP headers and caching.
410 413
411 414 **Parameters:**
412   - `$path` (string) - File path (or HTTP_XXX constant for error pages)
413   - `$filename` (string, optional) - Custom download filename
414   - `$age` (int, optional) - Cache age in days
415  
416   **Features:**
417   - HTTP range request support (partial file downloads)
418   - ETag and Last-Modified conditional requests
419   - Proper MIME type detection
420   - Content-Security-Policy for special file types
421   - Streaming for large files
422   - GZip compression for text files
  415   - ##$path## (string) - File path (or HTTP_XXX constant for error pages)
  416   - ##$filename## (string, optional) - Custom download filename
  417   - ##$age## (int, optional) - Cache age in days
  418
  419 **Features:**
  420   - HTTP range request support (partial file downloads)
  421   - ETag and Last-Modified conditional requests
  422   - Proper MIME type detection
  423   - Content-Security-Policy for special file types
  424   - Streaming for large files
  425   - GZip compression for text files
423 426
424 427 **Special Paths:**
425   ```php
  428 %%php
426 429 $http->sendfile(404); // Serves file defined by HTTP_404 constant
427 430 $http->sendfile(403); // Serves file defined by HTTP_403 constant
428   ```
429  
430   **Example:**
431   ```php
  431 %%
  432
  433 **Example:**
  434 %%php
432 435 $http->sendfile('uploads/document.pdf', 'my-document.pdf', 30);
433   ```
434  
435   ---
436  
437   #### `mime_type($path): string`
  436 %%
  437
  438 ----
  439
  440 ===== ##mime_type($path): string## =====
438 441 Returns MIME type for a file.
439 442
440 443 **Returns:**
441   - MIME type string (e.g., 'application/pdf')
442   - Default: `'application/octet-stream'`
443  
444   **Example:**
445   ```php
  444   - MIME type string (e.g., 'application/pdf')
  445   - Default: ##'application/octet-stream'##
  446
  447 **Example:**
  448 %%php
446 449 $mime = $http->mime_type('file.pdf'); // 'application/pdf'
447   ```
448  
449   ---
450  
451   #### `mime_types(): array` (Private)
  450 %%
  451
  452 ----
  453
  454 ===== ##mime_types(): array## (Private) =====
452 455 Loads and caches MIME types from configuration.
453 456
454 457 **Features:**
455   - Reads from `config/mime.types`
456   - Caches to `cache/config/mime.types`
457   - Reloads if config is updated
458  
459   ---
460  
461   ### Compression
462  
463   #### `gzip(): void`
  458   - Reads from ##config/mime.types##
  459   - Caches to ##cache/config/mime.types##
  460   - Reloads if config is updated
  461
  462 ----
  463
  464 ==== Compression ====
  465
  466 ===== ##gzip(): void## =====
464 467 Compresses HTTP response with gzip/x-gzip.
465 468
466 469 **Features:**
467   - Manually implements gzip (not relying on zlib.output_compression)
468   - Produces correct `Content-Length` header
469   - Only compresses if:
  470   - Manually implements gzip (not relying on zlib.output_compression)
  471   - Produces correct ##Content-Length## header
  472   - Only compresses if:
470 473   - 860 bytes < content < 1 MB
471 474   - Client accepts compression
472 475   - Headers not already sent
473 476
474 477 **Example:**
475   ```php
  478 %%php
476 479 $http->gzip();
477   ```
478  
479   ---
480  
481   ### Utility Methods
482  
483   #### `parse_str($str): array` (Private)
  480 %%
  481
  482 ----
  483
  484 ==== Utility Methods ====
  485
  486 ===== ##parse_str($str): array## (Private) =====
484 487 Parses URL-encoded strings with special character handling.
485 488
486 489 **Purpose:**
487   - Safely handles special characters in query/form data
488   - Converts encoding properly
489  
490   **Example:**
491   ```php
  490   - Safely handles special characters in query/form data
  491   - Converts encoding properly
  492
  493 **Example:**
  494 %%php
492 495 $data = $http->parse_str('name=John&age=30');
493   ```
494  
495   ---
496  
497   #### `request_uri(): string` (Private)
  496 %%
  497
  498 ----
  499
  500 ===== ##request_uri(): string## (Private) =====
498 501 Extracts and normalizes REQUEST_URI from server.
499 502
500 503 **Normalization:**
501   - Removes base URL prefix
502   - Removes spaces
503   - Collapses multiple slashes
504   - Removes `..` path traversal attempts
505   - Removes leading/trailing slashes
506  
507   ---
508  
509   #### `cut_prefix($prefix, $path): string` (Private)
  504   - Removes base URL prefix
  505   - Removes spaces
  506   - Collapses multiple slashes
  507   - Removes ##..## path traversal attempts
  508   - Removes leading/trailing slashes
  509
  510 ----
  511
  512 ===== ##cut_prefix($prefix, $path): string## (Private) =====
510 513 Removes prefix from path (case-insensitive).
511 514
512   ---
513  
514   #### `get_header_conf($file_name): string` (Private)
  515 ----
  516
  517 ===== ##get_header_conf($file_name): string## (Private) =====
515 518 Loads security header configuration from files.
516 519
517 520 **Files Supported:**
518   - `csp.conf` / `csp_custom.conf`
519   - `permissions_policy.conf` / `permissions_policy_custom.conf`
520  
521   ---
522  
523   ## Configuration Dependencies
  521   - ##csp.conf## / ##csp_custom.conf##
  522   - ##permissions_policy.conf## / ##permissions_policy_custom.conf##
  523
  524 ----
  525
  526 ===Configuration Dependencies===
524 527
525 528 The class relies on these database configuration settings:
526 529
527   | Setting | Type | Purpose |
528   |---------|------|---------|
529   | `base_url` | string | Wiki's base URL |
530   | `tls` | bool | Enable HTTPS enforcement |
531   | `cache` | bool | Enable page caching |
532   | `cache_ttl` | int | Cache lifetime in seconds |
533   | `session_store` | int | 1=File, 0=Database |
534   | `system_seed_hash` | string | Session encryption seed |
535   | `cookie_prefix` | string | Session cookie prefix |
536   | `cookie_path` | string | Cookie path |
537   | `allow_persistent_cookie` | bool | Allow persistent login |
538   | `session_length` | int | Session lifetime in seconds |
539   | `reverse_proxy_addresses` | string | Comma/space-separated proxy IPs |
540   | `reverse_proxy_header` | string | Custom X-Forwarded header |
541   | `language` | string | Default language code |
542   | `multilanguage` | bool | Enable language negotiation |
543   | `allowed_languages` | string | Comma/space-separated allowed langs |
544   | `enable_security_headers` | bool | Send security headers |
545   | `csp` | int | CSP setting (0/1/2) |
546   | `permissions_policy` | int | Permissions-Policy setting (0/1/2) |
547   | `referrer_policy` | int | Referrer-Policy setting (0-8) |
548  
549   ---
550  
551   ## Constants Used
552  
553   | Constant | Type | Purpose |
554   |----------|------|---------|
555   | `IN_WACKO` | bool | Security check (exit if not defined) |
556   | `CHMOD_SAFE` | int | File permissions for cache files |
557   | `CHMOD_FILE` | int | File permissions for config cache |
558   | `CACHE_PAGE_DIR` | string | Page cache directory |
559   | `CACHE_SESSION_DIR` | string | Session cache directory |
560   | `CACHE_CONFIG_DIR` | string | Config cache directory |
561   | `CONFIG_DIR` | string | Configuration directory |
562   | `LANG_DIR` | string | Language files directory |
563   | `DAYSECS` | int | Seconds in a day (86400) |
564   | `HTTP_404` | string | Path to 404 error page |
565   | `HTTP_403` | string | Path to 403 error page |
566  
567   ---
568  
569   ## Workflow Examples
570  
571   ### Example 1: Handling a GET Request
572  
573   ```php
  530 #|
  531 *| Setting | Type | Purpose |*
  532 || ##base_url## | string | Wiki's base URL ||
  533 || ##tls## | bool | Enable HTTPS enforcement ||
  534 || ##cache## | bool | Enable page caching ||
  535 || ##cache_ttl## | int | Cache lifetime in seconds ||
  536 || ##session_store## | int | 1=File, 0=Database ||
  537 || ##system_seed_hash## | string | Session encryption seed ||
  538 || ##cookie_prefix## | string | Session cookie prefix ||
  539 || ##cookie_path## | string | Cookie path ||
  540 || ##allow_persistent_cookie## | bool | Allow persistent login ||
  541 || ##session_length## | int | Session lifetime in seconds ||
  542 || ##reverse_proxy_addresses## | string | Comma/space-separated proxy IPs ||
  543 || ##reverse_proxy_header## | string | Custom X-Forwarded header ||
  544 || ##language## | string | Default language code ||
  545 || ##multilanguage## | bool | Enable language negotiation ||
  546 || ##allowed_languages## | string | Comma/space-separated allowed langs ||
  547 || ##enable_security_headers## | bool | Send security headers ||
  548 || ##csp## | int | CSP setting (0/1/2) ||
  549 || ##permissions_policy## | int | Permissions-Policy setting (0/1/2) ||
  550 || ##referrer_policy## | int | Referrer-Policy setting (0-8) ||
  551 |#
  552
  553 ----
  554
  555 ===Constants Used===
  556
  557 #|
  558 *| Constant | Type | Purpose |*
  559 || ##IN_WACKO## | bool | Security check (exit if not defined) ||
  560 || ##CHMOD_SAFE## | int | File permissions for cache files ||
  561 || ##CHMOD_FILE## | int | File permissions for config cache ||
  562 || ##CACHE_PAGE_DIR## | string | Page cache directory ||
  563 || ##CACHE_SESSION_DIR## | string | Session cache directory ||
  564 || ##CACHE_CONFIG_DIR## | string | Config cache directory ||
  565 || ##CONFIG_DIR## | string | Configuration directory ||
  566 || ##LANG_DIR## | string | Language files directory ||
  567 || ##DAYSECS## | int | Seconds in a day (86400) ||
  568 || ##HTTP_404## | string | Path to 404 error page ||
  569 || ##HTTP_403## | string | Path to 403 error page ||
  570 |#
  571
  572 ----
  573
  574 === Workflow Examples ===
  575
  576 ====Example 1: Handling a GET Request====
  577
  578 %%(hl php)
574 579 // In main wiki entry point
575 580 $http = new Http($db);
576 581 $http->session(0); // Start session
588 593
589 594 // Possibly compress output
590 595 $http->gzip();
591   ```
592  
593   ### Example 2: Handling TLS/HTTPS Upgrade
594  
595   ```php
  596 %%
  597
  598 ==== Example 2: Handling TLS/HTTPS Upgrade ====
  599
  600 %%php
596 601 $http = new Http($db); // Constructor detects TLS requirement
597 602 // If TLS is enabled and user wasn't in TLS before:
598 603 // - Sets TLS session flag
599 604 // - Marks session with TLS cookie
600 605 // - Redirects to HTTPS version
601   ```
602  
603   ### Example 3: Invalidating Cache After Page Edit
604  
605   ```php
  606 %%
  607
  608 ==== Example 3: Invalidating Cache After Page Edit ====
  609
  610 %%php
606 611 // User edits a page
607 612 $http = new Http($db);
608 613 $count = $http->invalidate_page('HomePage');
609 614 // All cached versions (different languages, methods) are invalidated
610   ```
611  
612   ### Example 4: Serving a File
613  
614   ```php
  615 %%
  616
  617 ==== Example 4: Serving a File ====
  618
  619 %%php
615 620 $http = new Http($db);
616 621 $http->session(2); // Static file mode - no session replay prevention
617 622
618 623 // Serve with 30-day cache
619 624 $http->sendfile('uploads/manual.pdf', 'user-manual.pdf', 30);
620   ```
621  
622   ---
623  
624   ## Security Considerations
625  
626   ### 1. **IP Address Spoofing**
627   - Validates IPs against private ranges
628   - Filters proxy-provided IPs appropriately
629   - Configurable reverse proxy trust
630  
631   ### 2. **Session Security**
632   - Binds sessions to IP address
633   - Binds sessions to TLS status
634   - Supports both file and database storage
635   - HttpOnly cookies by default
636  
637   ### 3. **TLS Enforcement**
638   - Automatic HTTPS upgrade when configured
639   - Marks TLS sessions to prevent downgrade attacks
640   - HSTS header support
641  
642   ### 4. **Content Security**
643   - CSP headers to prevent XSS
644   - X-Frame-Options to prevent clickjacking
645   - X-Content-Type-Options to prevent MIME sniffing
646   - Referrer-Policy control
647   - Permissions-Policy for browser features
648  
649   ### 5. **File Serving**
650   - Validates file existence and readability
651   - Prevents directory traversal via `realpath()`
652   - Rejects symbolic links
653   - Special CSP for SVG and PDF files
654  
655   ### 6. **Cache Security**
656   - Cached only for anonymous users
657   - Disabled for sensitive operations (edit, watch)
658   - Only GET requests cached
659  
660   ---
661  
662   ## Performance Optimization
663  
664   ### 1. **Page Caching**
665   - Stores full HTML output
666   - TTL-based expiration
667   - Language and method-aware caching
668   - Conditional request support (304 Not Modified)
669  
670   ### 2. **MIME Type Caching**
671   - Loads MIME types once and caches
672   - Regenerates only when config changes
673  
674   ### 3. **Session Options**
675   - File-based sessions for simple deployments
676   - Database sessions for distributed systems
677  
678   ### 4. **Compression**
679   - Manual gzip implementation
680   - Proper Content-Length generation
681   - Only compresses appropriate sizes
682  
683   ---
684  
685   ## Debugging
  625 %%
  626
  627 ----
  628
  629 === Security Considerations ===
  630
  631 ==== 1. **IP Address Spoofing** ====
  632   - Validates IPs against private ranges
  633   - Filters proxy-provided IPs appropriately
  634   - Configurable reverse proxy trust
  635
  636 ==== 2. **Session Security** ====
  637   - Binds sessions to IP address
  638   - Binds sessions to TLS status
  639   - Supports both file and database storage
  640   - HttpOnly cookies by default
  641
  642 ==== 3. **TLS Enforcement** ====
  643   - Automatic HTTPS upgrade when configured
  644   - Marks TLS sessions to prevent downgrade attacks
  645   - HSTS header support
  646
  647 ==== 4. **Content Security** ====
  648   - CSP headers to prevent XSS
  649   - X-Frame-Options to prevent clickjacking
  650   - X-Content-Type-Options to prevent MIME sniffing
  651   - Referrer-Policy control
  652   - Permissions-Policy for browser features
  653
  654 ==== 5. **File Serving** ====
  655   - Validates file existence and readability
  656   - Prevents directory traversal via ##realpath()##
  657   - Rejects symbolic links
  658   - Special CSP for SVG and PDF files
  659
  660 ==== 6. **Cache Security** ====
  661   - Cached only for anonymous users
  662   - Disabled for sensitive operations (edit, watch)
  663   - Only GET requests cached
  664
  665 ----
  666
  667 === Performance Optimization ===
  668
  669 ==== 1. **Page Caching** ====
  670   - Stores full HTML output
  671   - TTL-based expiration
  672   - Language and method-aware caching
  673   - Conditional request support (304 Not Modified)
  674
  675 ==== 2. **MIME Type Caching** ====
  676   - Loads MIME types once and caches
  677   - Regenerates only when config changes
  678
  679 ==== 3. **Session Options** ====
  680   - File-based sessions for simple deployments
  681   - Database sessions for distributed systems
  682
  683 ==== 4. **Compression** ====
  684   - Manual gzip implementation
  685   - Proper Content-Length generation
  686   - Only compresses appropriate sizes
  687
  688 ----
  689
  690 === Debugging ===
686 691
687 692 The class integrates with WackoWiki's diagnostic system:
688 693
689   ```php
  694 %%php
690 695 // Diagnostic messages are preserved across redirects
691 696 // via session flash data
692 697
693 698 // Check cached pages (debug comments in output):
694 699 // <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->
695   ```
696  
697   ---
698  
699   ## Related Classes
700  
701   - **Session Classes** (`SessionFileStore`, `SessionDbalStore`) - Session management backends
702   - **Database Class** - Configuration and cache metadata storage
703   - **Ut Utility Class** - String/path utilities
704   - **Diag Class** - Diagnostic logging
705  
706   ---
707  
708   ## Version History
709  
710   - Supports PHP 8.0+ (uses match expressions, union types)
711   - Follows RFC 9110 for HTTP header handling
712   - Modern cookie security practices
713  
714   ---
715  
716   ## Conclusion
717  
718   The `Http` class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
719  
720   - Extending WackoWiki with custom request handlers
721   - Implementing custom session logic
722   - Adding new security policies
723   - Optimizing cache strategies
724   - Debugging HTTP-related issues
  700 %%
  701
  702 ----
  703
  704 === Related Classes ===
  705   - **Session Classes** (##SessionFileStore##, ##SessionDbalStore##) - Session management backends
  706   - **Database Class** - Configuration and cache metadata storage
  707   - **Ut Utility Class** - String/path utilities
  708   - **Diag Class** - Diagnostic logging
  709
  710 ----
  711
  712 === Version History ===
  713   - Supports PHP 8.0+ (uses match expressions, union types)
  714   - Follows RFC 9110 for HTTP header handling
  715   - Modern cookie security practices
  716
  717 ----
  718
  719 === Conclusion ===
  720
  721 The ##Http## class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
  722   - Extending WackoWiki with custom request handlers
  723   - Implementing custom session logic
  724   - Adding new security policies
  725   - Optimizing cache strategies
  726   - Debugging HTTP-related issues