This is an old revision of Users/EoNy/dev from 05/05/2026 19:21 edited by EoNy.

== HTTP Class Technical Documentation ==

=== Overview ===

The ##Http## class (##src/class/http.php##) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.

**File Location:** ##src/class/http.php##  
**Language:** PHP  
**Dependencies:** Database class, Session classes, Utility classes (##Ut##), Diagnostics class (##Diag##)

----







=== Security Considerations ===

==== 1. **IP Address Spoofing** ====
  - Validates IPs against private ranges
  - Filters proxy-provided IPs appropriately
  - Configurable reverse proxy trust

==== 2. **Session Security** ====
  - Binds sessions to IP address
  - Binds sessions to TLS status
  - Supports both file and database storage
  - HttpOnly cookies by default

==== 3. **TLS Enforcement** ====
  - Automatic HTTPS upgrade when configured
  - Marks TLS sessions to prevent downgrade attacks
  - HSTS header support

==== 4. **Content Security** ====
  - CSP headers to prevent XSS
  - X-Frame-Options to prevent clickjacking
  - X-Content-Type-Options to prevent MIME sniffing
  - Referrer-Policy control
  - Permissions-Policy for browser features

==== 5. **File Serving** ====
  - Validates file existence and readability
  - Prevents directory traversal via ##realpath()##
  - Rejects symbolic links
  - Special CSP for SVG and PDF files

==== 6. **Cache Security** ====
  - Cached only for anonymous users
  - Disabled for sensitive operations (edit, watch)
  - Only GET requests cached

----

=== Performance Optimization ===

==== 1. **Page Caching** ====
  - Stores full HTML output
  - TTL-based expiration
  - Language and method-aware caching
  - Conditional request support (304 Not Modified)

==== 2. **MIME Type Caching** ====
  - Loads MIME types once and caches
  - Regenerates only when config changes

==== 3. **Session Options** ====
  - File-based sessions for simple deployments
  - Database sessions for distributed systems

==== 4. **Compression** ====
  - Manual gzip implementation
  - Proper Content-Length generation
  - Only compresses appropriate sizes

----

=== Debugging ===

The class integrates with WackoWiki's diagnostic system:

%%php
// Diagnostic messages are preserved across redirects
// via session flash data

// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->
%%

----

=== Related Classes ===
  - **Session Classes** (##SessionFileStore##, ##SessionDbalStore##) - Session management backends
  - **Database Class** - Configuration and cache metadata storage
  - **Ut Utility Class** - String/path utilities
  - **Diag Class** - Diagnostic logging

----

=== Version History ===
  - Supports PHP 8.0+ (uses match expressions, union types)
  - Follows RFC 9110 for HTTP header handling
  - Modern cookie security practices

----

=== Conclusion ===

The ##Http## class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
  - Extending WackoWiki with custom request handlers
  - Implementing custom session logic
  - Adding new security policies
  - Optimizing cache strategies
  - Debugging HTTP-related issues