classafBedSheet::HttpResponseHeaders

Convenience method for adding CSP directive values.

headers.addCsp("script-src", "'self'")

Note this method does nothing if the Content-Security-Policy header is not set, or if the given directive (or default-src fallback) is blank. This enables libraries to work effortless with Sleep Safe.

Convenience method for adding CSP directive values.

headers.addCspReportOnly("script-src", "'self'")

Note this method does nothing if the Content-Security-Policy header is not set, or if the given directive (or default-src fallback) is blank. This enables libraries to work effortless with Sleep Safe.

Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds.

Cache-Control: max-age=3600

Clears all header values. Called by BedSheet before processing an error handler, to reset the response.

Usually used to direct the client to display a save as dialog.

Content-Disposition: Attachment; filename=example.html

@see http://tools.ietf.org/html/rfc6266

The type of encoding used on the data.

Content-Encoding: gzip

The length of the response body in octets (8-bit bytes).

Content-Length: 348

Mitigates XSS attacks by telling browsers to restrict where content can be loaded from.

Content-Security-Policy: default-src 'self'; font-src 'self' https://fonts.googleapis.com/; object-src 'none'

Similar to contentSecurityPolicy only violations aren't blocked, just reported. Useful for development / testing.

Content-Security-Policy-Report-Only: default-src 'self'; font-src 'self' https://fonts.googleapis.com/; object-src 'none'

The MIME type of this content.

Content-Type: text/html; charset=utf-8

An identifier for a specific version of a resource, often a message digest.

ETag: "737060cd8c284d8af7ad3082f209582d"

Call the specified function for every key/value in the header map.

Gives the date/time after which the response is considered stale.

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Creates a new instance with the given map.

Returns the named response header.

Returns a list of all the response header keys.

The last modified date for the requested object, in RFC 2822 format.

Last-Modified: Tue, 15 Nov 1994 12:45:26 +0000

Used in redirection, or when a new resource has been created.

Location: http://www.w3.org/pub/WWW/People.html

Implementation-specific headers.

Pragma: no-cache

Tells browsers how and when to transmit the HTTP Referer (sic) header.

Referrer-Policy: same-origin

Removes a response header.

Sets a response head to the given value.

If the given value is null then it is removed.

Tells browsers to always use HTTPS.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Returns a read only map of the response headers.

Use set() / remove() to modify header values. This allows us to check if the response has already been committed.

Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.

Vary: Accept-Encoding

@see Accept-Encoding, It’s Vary important

WWW-Authenticate header to indicate supported authentication mechanisms.

WWW-Authenticate: SCRAM hash=SHA-256

Tells browsers to trust the Content-Type header.

X-Content-Type-Options: nosniff

Clickjacking protection, set to:

• deny - no rendering within a frame,
• sameorigin - no rendering if origin mismatch

X-Frame-Options: deny

Cross-site scripting (XSS) filter.

X-XSS-Protection: 1; mode=block