This is an old revision of Users/EoNy/dev from 05/05/2026 19:21 edited by EoNy.
(Diff) ← Previous revision | Latest revision (Diff) | Next revision → (Diff)
Revision 6 as of 05/05/2026 19:21
18 05/21/2026 16:12 WikiAdmin 17 05/18/2026 15:15 WikiAdmin 16 05/18/2026 05:05 WikiAdmin 15 05/18/2026 05:04 WikiAdmin 14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy 3 05/05/2026 19:10 EoNy 2 05/05/2026 19:08 EoNy 1 05/05/2026 19:06 EoNy

EoNy

dev

HTTP Class Technical Documentation

Overview


The Http class (src/class/http.php) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.


File Location: src/class/http.php
Language: PHP
Dependencies: Database class, Session classes, Utility classes (Ut), Diagnostics class (Diag)



Security Considerations

1. IP Address Spoofing

  • Validates IPs against private ranges
  • Filters proxy-provided IPs appropriately
  • Configurable reverse proxy trust

2. Session Security

  • Binds sessions to IP address
  • Binds sessions to TLS status
  • Supports both file and database storage
  • HttpOnly cookies by default

3. TLS Enforcement

  • Automatic HTTPS upgrade when configured
  • Marks TLS sessions to prevent downgrade attacks
  • HSTS header support

4. Content Security

  • CSP headers to prevent XSS
  • X-Frame-Options to prevent clickjacking
  • X-Content-Type-Options to prevent MIME sniffing
  • Referrer-Policy control
  • Permissions-Policy for browser features

5. File Serving

  • Validates file existence and readability
  • Prevents directory traversal via realpath()
  • Rejects symbolic links
  • Special CSP for SVG and PDF files

6. Cache Security

  • Cached only for anonymous users
  • Disabled for sensitive operations (edit, watch)
  • Only GET requests cached

Performance Optimization

1. Page Caching

  • Stores full HTML output
  • TTL-based expiration
  • Language and method-aware caching
  • Conditional request support (304 Not Modified)

2. MIME Type Caching

  • Loads MIME types once and caches
  • Regenerates only when config changes

3. Session Options

  • File-based sessions for simple deployments
  • Database sessions for distributed systems

4. Compression

  • Manual gzip implementation
  • Proper Content-Length generation
  • Only compresses appropriate sizes

Debugging


The class integrates with WackoWiki's diagnostic system:


php
// Diagnostic messages are preserved across redirects
// via session flash data

// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->

Related Classes

  • Session Classes (SessionFileStore, SessionDbalStore) - Session management backends
  • Database Class - Configuration and cache metadata storage
  • Ut Utility Class - String/path utilities
  • Diag Class - Diagnostic logging

Version History

  • Supports PHP 8.0+ (uses match expressions, union types)
  • Follows RFC 9110 for HTTP header handling
  • Modern cookie security practices

Conclusion


The Http class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:

  • Extending WackoWiki with custom request handlers
  • Implementing custom session logic
  • Adding new security policies
  • Optimizing cache strategies
  • Debugging HTTP-related issues