class afBedSheet::HttpResponseHeaders

sys::Obj
  afBedSheet::HttpResponseHeaders

A wrapper for HTTP response headers with accessors for commonly used headings. Accessors return null if the header doesn't exist, or isn't encoded properly.

@see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

addCsp

Source

Void addCsp(Str directive, Str value)

Convenience method for adding CSP directive values.

headers.addCsp("script-src", "'self'")

Note that this method does nothing if the Content-Security-Policy header is not set, or if the given directive (or its default-src fallback) is blank. This enables libraries to work effortlessly with Sleep Safe.

addCspReportOnly

Source

Void addCspReportOnly(Str directive, Str value)

Convenience method for adding CSP directive values.

headers.addCspReportOnly("script-src", "'self'")

Note that this method does nothing if the Content-Security-Policy header is not set, or if the given directive (or its default-src fallback) is blank. This enables libraries to work effortlessly with Sleep Safe.
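The addCsp / addCspReportOnly rules above, modelled in Python as an added example (this is not afBedSheet's own code). Seeding a missing directive from default-src is an assumption read from the "default-src fallback" wording, and the header values are constructed:

```python
# Added example: a Python model of the documented addCsp behaviour.
# NOT the afBedSheet implementation; the rule that a missing directive is
# seeded from default-src is an assumption drawn from the description.

def parse_csp(header):
    """Parse a CSP header string into a {directive: source-list} map."""
    policy = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition(" ")
        policy[name.lower()] = value.strip()
    return policy


def serialise_csp(policy):
    """Render a {directive: source-list} map back into header form."""
    return "; ".join(f"{name} {value}".strip() for name, value in policy.items())


def add_csp(headers, directive, value, name="Content-Security-Policy"):
    """Append `value` to `directive` in the named CSP header, in place.

    Mirrors the documented rules: do nothing when the header is absent,
    or when neither the directive nor its default-src fallback has a value.
    Pass name="Content-Security-Policy-Report-Only" for the report-only variant.
    """
    raw = headers.get(name)
    if raw is None:
        return headers                      # header not set: no-op
    policy = parse_csp(raw)
    current = policy.get(directive) or policy.get("default-src") or ""
    if not current.strip():
        return headers                      # directive and fallback blank: no-op
    sources = current.split()
    if value not in sources:                # avoid duplicating a source
        sources.append(value)
    policy[directive] = " ".join(sources)
    headers[name] = serialise_csp(policy)
    return headers


if __name__ == "__main__":
    # Constructed sample: script-src is absent, so it is seeded from default-src.
    resp = {"Content-Security-Policy": "default-src 'self'; object-src 'none'"}
    add_csp(resp, "script-src", "https://cdn.example.com")
    print(resp["Content-Security-Policy"])
```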

cacheControl

Source

Str? cacheControl

Tells all caching mechanisms from server to client whether they may cache this object. The max-age value is measured in seconds.

Cache-Control: max-age=3600

clear

Source

Void clear()

Clears all header values. Called by BedSheet before processing an error handler, to reset the response.

contentDisposition

Source

Str? contentDisposition

Usually used to direct the client to display a "Save As" dialog.

Content-Disposition: Attachment; filename=example.html

@see http://tools.ietf.org/html/rfc6266

contentEncoding

Source

Str? contentEncoding

The type of encoding used on the data.

Content-Encoding: gzip

contentLength

Source

Int? contentLength

The length of the response body in octets (8-bit bytes).

Content-Length: 348

contentSecurityPolicy

Source

[Str:Str]? contentSecurityPolicy

Mitigates XSS attacks by telling browsers to restrict where content can be loaded from.

Content-Security-Policy: default-src 'self'; font-src 'self' https://fonts.googleapis.com/; object-src 'none'

contentSecurityPolicyReportOnly

Source

[Str:Str]? contentSecurityPolicyReportOnly

Similar to contentSecurityPolicy, except that violations aren't blocked, only reported. Useful for development / testing.

Content-Security-Policy-Report-Only: default-src 'self'; font-src 'self' https://fonts.googleapis.com/; object-src 'none'

contentType

Source

MimeType? contentType

The MIME type of this content.

Content-Type: text/html; charset=utf-8

eTag

Source

Str? eTag

An identifier for a specific version of a resource, often a message digest.

ETag: "737060cd8c284d8af7ad3082f209582d"

each

Source

Void each(|Str,Str| c)

Call the specified function for every key/value in the header map.

expires

Source

DateTime? expires

Gives the date/time after which the response is considered stale.

Expires: Thu, 01 Dec 1994 16:00:00 GMT

fromMap

Source

new fromMap(Str:Str headers)

Creates a new instance with the given map.

get

Source

@Operator
Str? get(Str name)

Returns the named response header.

keys

Source

Str[] keys()

Returns a list of all the response header keys.

lastModified

Source

DateTime? lastModified

The last modified date for the requested object, in RFC 2822 format.

Last-Modified: Tue, 15 Nov 1994 12:45:26 +0000

location

Source

Uri? location

Used in redirection, or when a new resource has been created.

Location: http://www.w3.org/pub/WWW/People.html

pragma

Source

Str? pragma

Implementation-specific headers.

Pragma: no-cache

referrerPolicy

Source

Str? referrerPolicy

Tells browsers how and when to transmit the HTTP Referer (sic) header.

Referrer-Policy: same-origin

remove

Source

Str? remove(Str name)

Removes a response header.

set

Source

@Operator
Void set(Str name, Str? value)

Sets a response header to the given value.

If the given value is null then it is removed.

strictTransportSecurity

Source

Str? strictTransportSecurity

Tells browsers to always use HTTPS.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

val

Source

Str:Str val()

Returns a read only map of the response headers.

Use set() / remove() to modify header values. This allows us to check if the response has already been committed.

vary

Source

Str? vary

Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.

Vary: Accept-Encoding

@see Accept-Encoding, It’s Vary important

wwwAuthenticate

Source

Str? wwwAuthenticate

WWW-Authenticate header to indicate supported authentication mechanisms.

WWW-Authenticate: SCRAM hash=SHA-256

xContentTypeOptions

Source

Str? xContentTypeOptions

Tells browsers to trust the declared Content-Type header rather than sniffing the content type from the body.

X-Content-Type-Options: nosniff

xFrameOptions

Source

Str? xFrameOptions

Clickjacking protection, set to one of:

  • deny - no rendering within a frame,
  • sameorigin - no rendering if the origin mismatches

X-Frame-Options: deny

xXssProtection

Source

Str? xXssProtection

Cross-site scripting (XSS) filter.

X-XSS-Protection: 1; mode=block