class afBedSheet::HttpResponseHeaders
sys::Obj afBedSheet::HttpResponseHeaders
A wrapper for HTTP response headers with accessors for commonly used headings. Accessors return null
if the header doesn't exist, or isn't encoded properly.
@see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
- addCsp
Void addCsp(Str directive, Str value)
Convenience method for adding CSP directive values.
headers.addCsp("script-src", "'self'")
Note this method does nothing if the Content-Security-Policy header is not set, or if the given directive (or default-src fallback) is blank. This enables libraries to work effortlessly with Sleep Safe.
- addCspReportOnly
Void addCspReportOnly(Str directive, Str value)
Convenience method for adding CSP directive values.
headers.addCspReportOnly("script-src", "'self'")
Note this method does nothing if the Content-Security-Policy header is not set, or if the given directive (or default-src fallback) is blank. This enables libraries to work effortlessly with Sleep Safe.
- cacheControl
Str? cacheControl
Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds.
Cache-Control: max-age=3600
- clear
Void clear()
Clears all header values. Called by BedSheet before processing an error handler, to reset the response.
- contentDisposition
Str? contentDisposition
Usually used to direct the client to display a save as dialog.
Content-Disposition: Attachment; filename=example.html
- contentEncoding
Str? contentEncoding
The type of encoding used on the data.
Content-Encoding: gzip
- contentLength
Int? contentLength
The length of the response body in octets (8-bit bytes).
Content-Length: 348
- contentSecurityPolicy
[Str:Str]? contentSecurityPolicy
Mitigates XSS attacks by telling browsers to restrict where content can be loaded from.
Content-Security-Policy: default-src 'self'; font-src 'self' https://fonts.googleapis.com/; object-src 'none'
- contentSecurityPolicyReportOnly
[Str:Str]? contentSecurityPolicyReportOnly
Similar to contentSecurityPolicy, except violations aren't blocked, just reported. Useful for development / testing.
Content-Security-Policy-Report-Only: default-src 'self'; font-src 'self' https://fonts.googleapis.com/; object-src 'none'
- contentType
MimeType? contentType
The MIME type of this content.
Content-Type: text/html; charset=utf-8
- eTag
Str? eTag
An identifier for a specific version of a resource, often a message digest.
ETag: "737060cd8c284d8af7ad3082f209582d"
- each
Call the specified function for every key/value in the header map.
- expires
DateTime? expires
Gives the date/time after which the response is considered stale.
Expires: Thu, 01 Dec 1994 16:00:00 GMT
- fromMap
Creates a new instance with the given map.
- get
Returns the named response header.
- keys
Str[] keys()
Returns a list of all the response header keys.
- lastModified
DateTime? lastModified
The last modified date for the requested object, in RFC 2822 format.
Last-Modified: Tue, 15 Nov 1994 12:45:26 +0000
- location
Uri? location
Used in redirection, or when a new resource has been created.
Location: http://www.w3.org/pub/WWW/People.html
- pragma
Str? pragma
Implementation-specific headers.
Pragma: no-cache
- referrerPolicy
Str? referrerPolicy
Tells browsers how and when to transmit the HTTP Referer (sic) header.
Referrer-Policy: same-origin
- remove
Removes a response header.
- set
@Operator
Void set(Str name, Str? value)
Sets a response header to the given value. If the given value is null then it is removed.
- strictTransportSecurity
Str? strictTransportSecurity
Tells browsers to always use HTTPS.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- val
Returns a read only map of the response headers. Use set() / remove() to modify header values. This allows us to check if the response has already been committed.
- vary
Str? vary
Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.
Vary: Accept-Encoding
- wwwAuthenticate
Str? wwwAuthenticate
WWW-Authenticate header to indicate supported authentication mechanisms.
WWW-Authenticate: SCRAM hash=SHA-256
- xContentTypeOptions
Str? xContentTypeOptions
Tells browsers to trust the Content-Type header.
X-Content-Type-Options: nosniff
- xFrameOptions
Str? xFrameOptions
Clickjacking protection, set to:
  deny - no rendering within a frame
  sameorigin - no rendering if origin mismatch
X-Frame-Options: deny
- xXssProtection
Str? xXssProtection
Cross-site scripting (XSS) filter.
X-XSS-Protection: 1; mode=block
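
The no-op rules documented for addCsp above, modelled in Python as an added example (not BedSheet's own code, which is Fantom). It assumes that when the directive is absent it is seeded from the default-src sources, because browsers treat a specific directive as a replacement for default-src rather than a merge; parse_csp, format_csp, add_csp and the cdn.example host are hypothetical names.

```python
def parse_csp(header):
    """Split a CSP header value into an ordered {directive: sources} map."""
    policy = {}
    for part in header.split(";"):
        name, _, sources = part.strip().partition(" ")
        name = name.lower()                  # directive names are case-insensitive
        if name and name not in policy:      # browsers honour the first occurrence
            policy[name] = sources.strip()
    return policy


def format_csp(policy):
    """Serialise the directive map back into a header value."""
    return "; ".join(f"{name} {sources}".strip() for name, sources in policy.items())


def add_csp(headers, directive, value, name="Content-Security-Policy"):
    """Append value to directive; return True only if the header was changed."""
    raw = headers.get(name)
    if raw is None:
        return False          # no policy set: the application has not opted in
    policy = parse_csp(raw)
    directive = directive.lower()
    # Assumption: use the directive's own sources, else fall back to default-src.
    current = policy.get(directive, "") or policy.get("default-src", "")
    if not current:
        return False          # directive and fallback both blank: do nothing
    # Seeding from the fallback keeps the sources default-src already allowed.
    policy[directive] = f"{current} {value}"
    headers[name] = format_csp(policy)
    return True


if __name__ == "__main__":
    # Constructed sample: the policy from the contentSecurityPolicy entry.
    headers = {"Content-Security-Policy":
               "default-src 'self'; font-src 'self' https://fonts.googleapis.com/; "
               "object-src 'none'"}
    add_csp(headers, "script-src", "https://cdn.example")
    print(headers["Content-Security-Policy"])
    print(add_csp({}, "script-src", "https://cdn.example"))   # no header set
```

Passing name="Content-Security-Policy-Report-Only" models addCspReportOnly in the same way.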