This is an old revision of Users/EoNy/dev from 05/05/2026 19:21 edited by EoNy.
dev
HTTP Class Technical Documentation
Overview
The
Http class (src/class/http.php) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.File Location:
src/class/http.php Language: PHP
Dependencies: Database class, Session classes, Utility classes (
Ut), Diagnostics class (Diag)Security Considerations
1. IP Address Spoofing
- Validates IPs against private ranges
- Filters proxy-provided IPs appropriately
- Configurable reverse proxy trust
2. Session Security
- Binds sessions to IP address
- Binds sessions to TLS status
- Supports both file and database storage
- HttpOnly cookies by default
3. TLS Enforcement
- Automatic HTTPS upgrade when configured
- Marks TLS sessions to prevent downgrade attacks
- HSTS header support
4. Content Security
- CSP headers to prevent XSS
- X-Frame-Options to prevent clickjacking
- X-Content-Type-Options to prevent MIME sniffing
- Referrer-Policy control
- Permissions-Policy for browser features
5. File Serving
- Validates file existence and readability
- Prevents directory traversal via
realpath() - Rejects symbolic links
- Special CSP for SVG and PDF files
6. Cache Security
- Cached only for anonymous users
- Disabled for sensitive operations (edit, watch)
- Only GET requests cached
Performance Optimization
1. Page Caching
- Stores full HTML output
- TTL-based expiration
- Language and method-aware caching
- Conditional request support (304 Not Modified)
2. MIME Type Caching
- Loads MIME types once and caches
- Regenerates only when config changes
3. Session Options
- File-based sessions for simple deployments
- Database sessions for distributed systems
4. Compression
- Manual gzip implementation
- Proper Content-Length generation
- Only compresses appropriate sizes
Debugging
The class integrates with WackoWiki's diagnostic system:
php // Diagnostic messages are preserved across redirects // via session flash data // Check cached pages (debug comments in output): // <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->
Related Classes
- Session Classes (
SessionFileStore,SessionDbalStore) - Session management backends - Database Class - Configuration and cache metadata storage
- Ut Utility Class - String/path utilities
- Diag Class - Diagnostic logging
Version History
- Supports PHP 8.0+ (uses match expressions, union types)
- Follows RFC 9110 for HTTP header handling
- Modern cookie security practices
Conclusion
The
Http class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:- Extending WackoWiki with custom request handlers
- Implementing custom session logic
- Adding new security policies
- Optimizing cache strategies
- Debugging HTTP-related issues