Difference between revisions for Users / Eo Ny / dev

Merge of Version1 & Version2

The

**File Location:**
**Language:** PHP
**Dependencies:** Database class, Session classes, Utility classes (

---

==== 1. **IP Address Spoofing** ====
- Validates IPs against private ranges
- Filters proxy-provided IPs appropriately
- Configurable reverse proxy trust

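The three points above combine into one decision: which address is the client. The following PHP is an added example, not WackoWiki's own code; the `$trustedProxies` list stands in for whatever setting configures reverse proxy trust, and the sample request arrays are constructed.

```php
<?php
// Added example (not WackoWiki's own code): resolve the client IP, trusting
// X-Forwarded-For only when the TCP peer is a configured reverse proxy, and
// never accepting a private or reserved address taken from that header.
// $trustedProxies is an assumed setting.

function is_public_ip(string $ip): bool
{
    // FILTER_FLAG_NO_PRIV_RANGE / NO_RES_RANGE reject RFC 1918, loopback,
    // link-local and the other reserved ranges for IPv4 and IPv6.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Only consult proxy headers when the direct peer is a proxy we trust;
    // otherwise any client can set X-Forwarded-For to whatever it likes.
    if ($trustedProxies === [] || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($forwarded === '') {
        return $remote;
    }

    // X-Forwarded-For reads "client, proxy1, proxy2". Walk from the right,
    // skipping our own trusted proxies; the first other address is the client.
    $hops = array_map('trim', explode(',', $forwarded));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // A private, reserved or malformed address in the header is not a
        // usable client address; fall back to the peer address instead.
        return is_public_ip($hop) ? $hop : $remote;
    }

    return $remote;
}

// Constructed sample: a client behind one trusted proxy.
$behindProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2',
];
echo resolve_client_ip($behindProxy, ['10.0.0.2']), PHP_EOL;

// Constructed sample: the same header sent directly by an untrusted peer is ignored.
$direct = [
    'REMOTE_ADDR'          => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
echo resolve_client_ip($direct, ['10.0.0.2']), PHP_EOL;
```

The fallback to `REMOTE_ADDR` matters when the header is malformed: returning an empty string or the bogus value would let a client influence anything keyed on the address, such as rate limits or the session binding described below.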
==== 2. **Session Security** ====
- Binds sessions to IP address
- Binds sessions to TLS status
- Supports both file and database storage
- HttpOnly cookies by default

==== 3. **TLS Enforcement** ====
- Automatic HTTPS upgrade when configured
- Marks TLS sessions to prevent downgrade attacks
- HSTS header support

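Binding a session to the client IP and to its TLS status, and refusing a session that was established over TLS when it reappears over plain HTTP, is the downgrade protection the two sections above describe. This PHP is an added example, not WackoWiki's code; the session is modelled as a plain array so it runs without a web server, and the `bound_ip`/`bound_tls` keys and the `SameSite=Lax` default are assumptions.

```php
<?php
// Added example (not WackoWiki's own code): session binding to IP and TLS
// status, plus the cookie flags named on the page. The session array and the
// 'bound_ip' / 'bound_tls' key names are assumed for the example.

function session_cookie_options(bool $tls): array
{
    return [
        'httponly' => true,   // HttpOnly by default, as the page states
        'secure'   => $tls,   // never send a TLS-issued cookie over plain HTTP
        'samesite' => 'Lax',  // assumed default; use 'Strict' if logins are same-site only
        'path'     => '/',
    ];
}

// Returns true when the session may continue, false when it must be discarded.
function check_session_binding(array &$session, string $clientIp, bool $tls): bool
{
    if (!isset($session['bound_ip'], $session['bound_tls'])) {
        // First request for this session: record the binding.
        $session['bound_ip']  = $clientIp;
        $session['bound_tls'] = $tls;
        return true;
    }

    if ($session['bound_ip'] !== $clientIp) {
        // Same cookie, different address: treat the session as hijacked.
        return false;
    }

    // A session established over TLS must never continue over plain HTTP.
    if ($session['bound_tls'] && !$tls) {
        return false;
    }

    if (!$session['bound_tls'] && $tls) {
        // An upgrade from HTTP to HTTPS is allowed; mark it so that any later
        // plaintext request is rejected.
        $session['bound_tls'] = true;
    }

    return true;
}

function hsts_header(bool $tls, int $maxAge = 31536000): ?string
{
    // HSTS only has meaning on a TLS response; browsers ignore it over HTTP.
    return $tls ? 'Strict-Transport-Security: max-age=' . $maxAge : null;
}

// Constructed walk-through.
$session = [];
var_dump(check_session_binding($session, '203.0.113.7', true));   // first request, over TLS
var_dump(check_session_binding($session, '203.0.113.7', false));  // same client, plain HTTP
var_dump(check_session_binding($session, '198.51.100.9', true));  // different address
var_dump(hsts_header(true));
```

When a rejected binding is detected, destroy the server-side session and issue a fresh cookie rather than silently re-binding; otherwise the check only logs the problem. Note that strict IP binding logs out mobile clients whose address changes mid-session, which is one reason the reverse-proxy handling above has to produce a stable client address.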
==== 4. **Content Security** ====
- CSP headers to prevent XSS
- X-Frame-Options to prevent clickjacking
- X-Content-Type-Options to prevent MIME sniffing
- Referrer-Policy control
- Permissions-Policy for browser features

==== 5. **File Serving** ====
- Validates file existence and readability
- Prevents directory traversal via ##realpath()##
- Rejects symbolic links
- Special CSP for SVG and PDF files

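The four checks listed above have to run in a particular order: the symlink test must come before `realpath()`, because `realpath()` follows links and the canonical path alone cannot tell a link inside the tree from a real file. This PHP is an added example, not WackoWiki's own code; `$baseDir` stands in for whatever setting names the directory files are served from, the CSP string for SVG/PDF is an assumption, and the temporary fixture is constructed.

```php
<?php
// Added example (not WackoWiki's own code): validate a requested file before
// streaming it. $baseDir is an assumed setting naming the only directory
// from which files may be served.

function resolve_served_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // NUL bytes and absolute paths have no legitimate use in a relative request.
    if (str_contains($requested, "\0")
        || str_starts_with($requested, '/')
        || str_starts_with($requested, '\\')) {
        return null;
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $requested;

    // Symlink check first: realpath() would follow the link and the resolved
    // path could look perfectly legitimate.
    if (is_link($candidate)) {
        return null;
    }

    $real = realpath($candidate);
    if ($real === false || !is_file($real) || !is_readable($real)) {
        return null;
    }

    // Traversal check on the canonical path: ".." segments and symlinked parent
    // directories are already resolved, so a prefix test is enough. The trailing
    // separator stops "/srv/files-old" from matching a base of "/srv/files".
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    return $real;
}

// Extra Content-Security-Policy for types that can carry active content:
// SVG can embed script and PDF viewers honour embedded actions. The policy
// string is an assumption, not WackoWiki's.
function csp_for_served_file(string $mime): ?string
{
    return match ($mime) {
        'image/svg+xml', 'application/pdf' => "default-src 'none'; style-src 'unsafe-inline'",
        default => null,
    };
}

// Constructed fixture: a temporary tree with a real file, a symlink pointing
// outside the tree, and a sibling directory whose name shares the base prefix.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'serve_' . bin2hex(random_bytes(4));
mkdir("$tmp/files/sub", 0700, true);
mkdir("$tmp/files-old", 0700);
file_put_contents("$tmp/files/sub/a.txt", "hello");
file_put_contents("$tmp/secret.txt", "nope");
symlink("$tmp/secret.txt", "$tmp/files/link.txt");

foreach (['sub/a.txt', 'sub/../sub/a.txt', '../secret.txt', 'link.txt', '../files-old'] as $req) {
    $r = resolve_served_file("$tmp/files", $req);
    printf("%-20s => %s\n", $req, $r === null ? 'rejected' : 'ok');
}

// Clean up the fixture.
unlink("$tmp/files/link.txt");
unlink("$tmp/files/sub/a.txt");
unlink("$tmp/secret.txt");
rmdir("$tmp/files/sub");
rmdir("$tmp/files");
rmdir("$tmp/files-old");
rmdir($tmp);
```

Only `sub/a.txt` and its `sub/../sub/a.txt` spelling are accepted; the parent escape, the symlink and the sibling directory are all refused, each by a different check, which is why none of the four can be dropped as redundant.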
==== 6. **Cache Security** ====
- Cached only for anonymous users
- Disabled for sensitive operations (edit, watch)
- Only GET requests cached

==== 1. **Page Caching** ====
- Stores full HTML output
- TTL-based expiration
- Language and method-aware caching
- Conditional request support (304 Not Modified)

-

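The "Cache Security" rules and the "Page Caching" behaviour above fit in one small piece of code: a gate deciding whether a request may be cached at all, a key that includes language and method, TTL expiry, and a revalidation step that answers 304 per RFC 9110. This PHP is an added example, not WackoWiki's own code; the in-memory store, the entry layout (`body`, `stored`, `expires`) and the `show` action name are assumptions, and the timestamp reused from the page's debug comment is constructed input.

```php
<?php
// Added example (not WackoWiki's own code): cache gating, keying and
// conditional-request handling for full-page HTML. The array store and the
// entry layout are assumed; a deployment would persist entries to disk or DB.

function is_cacheable_request(string $method, string $action, bool $loggedIn): bool
{
    // Only anonymous GET requests for non-sensitive actions are cached.
    return $method === 'GET' && !$loggedIn && !in_array($action, ['edit', 'watch'], true);
}

// Language and method are part of the key, so a French rendering or a HEAD
// response is never served in place of an English GET.
function cache_key(string $page, string $lang, string $method): string
{
    return hash('sha256', $method . "\0" . $lang . "\0" . $page);
}

function cache_store(array &$store, string $key, string $body, int $now, int $ttl): void
{
    $store[$key] = ['body' => $body, 'stored' => $now, 'expires' => $now + $ttl];
}

function cache_lookup(array $store, string $key, int $now): ?array
{
    $entry = $store[$key] ?? null;
    return ($entry !== null && $entry['expires'] > $now) ? $entry : null;
}

function http_date(int $ts): string
{
    return gmdate('D, d M Y H:i:s', $ts) . ' GMT';
}

// Build [status, headers, body] for a cache hit, honouring conditional headers.
function serve_cached(array $entry, array $reqHeaders, int $now): array
{
    $etag    = '"' . hash('sha256', $entry['body']) . '"';
    $headers = [
        'ETag'          => $etag,
        'Last-Modified' => http_date($entry['stored']),
        'Cache-Control' => 'public, max-age=' . max(0, $entry['expires'] - $now),
    ];

    if (isset($reqHeaders['If-None-Match'])) {
        // RFC 9110 §13.1.3: If-Modified-Since is ignored when If-None-Match is present.
        $tags = array_map('trim', explode(',', $reqHeaders['If-None-Match']));
        if ($reqHeaders['If-None-Match'] === '*' || in_array($etag, $tags, true)) {
            return [304, $headers, ''];
        }
    } elseif (isset($reqHeaders['If-Modified-Since'])) {
        $since = strtotime($reqHeaders['If-Modified-Since']);
        if ($since !== false && $since >= $entry['stored']) {
            return [304, $headers, ''];
        }
    }

    // Debug marker in the same form the page shows for cached output.
    $body = $entry['body'] . "\n<!-- WackoWiki Caching Engine: page cached at "
          . gmdate('Y-m-d H:i:s', $entry['stored']) . " GMT -->";
    return [200, $headers + ['Content-Type' => 'text/html; charset=utf-8'], $body];
}

// Constructed walk-through.
$store = [];
$now   = 1705321845; // 2024-01-15 12:30:45 GMT, the timestamp from the page's debug comment
$key   = cache_key('HomePage', 'en', 'GET');

if (is_cacheable_request('GET', 'show', false)) {
    cache_store($store, $key, '<html><body>Home</body></html>', $now, 600);
}
$hit = cache_lookup($store, $key, $now + 60);
[$status] = serve_cached($hit, ['If-Modified-Since' => http_date($now)], $now + 60);
echo "revalidation status: $status\n";

var_dump(is_cacheable_request('GET', 'edit', false));   // sensitive action
var_dump(is_cacheable_request('POST', 'show', false));  // non-GET
var_dump(is_cacheable_request('GET', 'show', true));    // logged-in user
var_dump(cache_lookup($store, $key, $now + 601));       // past the TTL
```

The gate is the security-relevant part: if a logged-in rendering ever reaches the store, the next anonymous visitor receives that user's page, including whatever the HTML contains (user name, edit links, CSRF tokens). Keep the anonymous check on the response that is stored, not only on the request that is served.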
==== 3. **Session Options** ====
- File-based sessions for simple deployments
- Database sessions for distributed systems

==== 4. **Compression** ====
- Manual gzip implementation
- Proper Content-Length generation
- Only compresses appropriate sizes

---

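The compression points above come down to two details that are easy to get wrong: the `Content-Length` must describe the encoded bytes, not the original body, and very small bodies should be sent as-is. This PHP is an added example, not WackoWiki's own code; the 1024-byte floor is an assumed setting and the sample body is constructed.

```php
<?php
// Added example (not WackoWiki's own code): hand-rolled gzip with a size floor
// and a Content-Length computed from the bytes actually sent. The 1024-byte
// minimum is an assumed setting.

function compress_response(string $body, string $acceptEncoding, int $minSize = 1024): array
{
    $headers = [
        'Content-Type' => 'text/html; charset=utf-8',
        'Vary'         => 'Accept-Encoding',  // caches must key on the encoding
    ];

    // Simple capability check; q-values such as "gzip;q=0" are not parsed here.
    $wantsGzip = str_contains(strtolower($acceptEncoding), 'gzip');

    // A gzip member costs ~20 bytes of framing, so tiny bodies only get bigger.
    if (!$wantsGzip || strlen($body) < $minSize) {
        $headers['Content-Length'] = (string) strlen($body);
        return [$headers, $body];
    }

    $gz = gzencode($body, 6);
    if ($gz === false) {
        $headers['Content-Length'] = (string) strlen($body);
        return [$headers, $body];
    }

    $headers['Content-Encoding'] = 'gzip';
    $headers['Content-Length']   = (string) strlen($gz);  // encoded length, not strlen($body)
    return [$headers, $gz];
}

// Constructed sample: a body well above the floor, then one below it.
$large = str_repeat("<p>WackoWiki page content</p>\n", 200);
[$h, $out] = compress_response($large, 'gzip, deflate, br');
printf("large: %d bytes -> %d bytes, encoding=%s, content-length=%s\n",
    strlen($large), strlen($out), $h['Content-Encoding'] ?? 'identity', $h['Content-Length']);
var_dump(gzdecode($out) === $large);  // round trip

[$h, $out] = compress_response('<p>tiny</p>', 'gzip');
printf("tiny: encoding=%s, content-length=%s\n", $h['Content-Encoding'] ?? 'identity', $h['Content-Length']);
```

A mismatched `Content-Length` is the classic failure here: browsers either truncate the page or hang waiting for bytes that never arrive, and a reverse proxy in front may close the connection. Compressing responses that mix attacker-influenced input with per-user secrets (CSRF tokens, session identifiers) is also the precondition for compression side channels, which is a further reason to keep compression off for logged-in, non-cacheable pages.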
=== Debugging ===

The class integrates with WackoWiki's diagnostic system:

// Diagnostic messages are preserved across redirects
// via session flash data

// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->

---

=== Related Classes ===
- **Session Classes** (##SessionFileStore##, ##SessionDbalStore##) - Session management backends
- **Database Class** - Configuration and cache metadata storage
- **Ut Utility Class** - String/path utilities
- **Diag Class** - Diagnostic logging

----

=== Version History ===
- Supports PHP 8.0+ (uses match expressions, union types)
- Follows RFC 9110 for HTTP header handling
- Modern cookie security practices

=== Conclusion ===

The ##Http## class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
- Extending WackoWiki with custom request handlers
- Implementing custom session logic
- Adding new security policies
- Optimizing cache strategies
- Debugging HTTP-related issues