-
Notifications
You must be signed in to change notification settings - Fork 2
Header
Benyamin Khalife edited this page Dec 19, 2025
·
2 revisions
The Header class provides comprehensive HTTP header management for reading request headers, setting response headers, and handling CORS, security, caching, and authentication headers in the Webrium framework.
- Installation
- Basic Usage
- Reading Request Headers
- Setting Response Headers
- Authentication Headers
- CORS Headers
- Security Headers
- Cache Control
- Content Type Headers
- File Downloads
- Redirects
- API Reference
The Header class is included in the Webrium framework. No additional installation is required.
use Webrium\Header;// Get a request header
$userAgent = Header::get('User-Agent');
// Set a response header
Header::set('X-Custom-Header', 'value');
// Set multiple headers
Header::setMultiple([
'X-API-Version' => '1.0',
'X-Request-ID' => uniqid()
]);$headers = Header::all();
// Returns: ['Content-Type' => 'application/json', 'User-Agent' => '...', ...]// Get header (case-insensitive)
$contentType = Header::get('Content-Type');
$contentType = Header::get('content-type'); // Same result
// With default value
$customHeader = Header::get('X-Custom-Header', 'default-value');if (Header::has('Authorization')) {
// Authorization header exists
}// Get User-Agent
$userAgent = Header::getUserAgent();
// Get Referer
$referer = Header::getReferer();
// Get Content-Type
$contentType = Header::getContentType();
// Check if client expects JSON
if (Header::expectsJson()) {
// Return JSON response
}// Set header
Header::set('X-API-Version', '2.0');
// Replace existing header (default: true)
Header::set('X-Custom-Header', 'new-value', true);
// Add without replacing
Header::set('Set-Cookie', 'token=abc123', false);Header::setMultiple([
'X-API-Version' => '1.0',
'X-Powered-By' => 'Webrium',
'X-Request-ID' => uniqid()
]);Header::remove('X-Powered-By');if (Header::sent($file, $line)) {
// Headers already sent
echo "Headers were sent in {$file} on line {$line}";
}// Get Authorization header
$auth = Header::getAuthorization();
// Returns: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."// Extract Bearer token
$token = Header::getBearerToken();
// Returns: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." or null
// Usage in API
if (!$token = Header::getBearerToken()) {
http_response_code(401);
die(json_encode(['error' => 'Unauthorized']));
}
// Validate token
if (!validateToken($token)) {
http_response_code(403);
die(json_encode(['error' => 'Invalid token']));
}// Get Basic Auth credentials
$credentials = Header::getBasicAuth();
// Returns: ['username' => 'user', 'password' => 'pass'] or null
// Usage
if ($credentials = Header::getBasicAuth()) {
if (authenticate($credentials['username'], $credentials['password'])) {
// Authenticated
}
}// Get API key from custom header
$apiKey = Header::getApiKey(); // Default: X-API-Key
$apiKey = Header::getApiKey('X-Custom-API-Key');
// Validate API key
if ($apiKey !== 'expected-key') {
http_response_code(403);
die('Invalid API key');
}Note: For high-level CORS management, use
App::corsMiddleware(). TheHeader::cors()method is a low-level tool.
// Set CORS headers (low-level)
Header::cors([
'allowed_origins' => ['https://example.com'],
'allowed_methods' => ['GET', 'POST'],
'allowed_headers' => ['Content-Type', 'Authorization'],
'allow_credentials' => true,
'max_age' => 3600
]);// Handle OPTIONS requests
Header::handlePreflight([
'allowed_origins' => ['https://example.com']
]);| Option | Type | Default | Description |
|---|---|---|---|
allowed_origins |
array | [] |
List of allowed origin URLs |
allowed_methods |
array | ['GET', 'POST', ...] |
HTTP methods allowed |
allowed_headers |
array | ['Content-Type', ...] |
Headers allowed in request |
allow_credentials |
bool | false |
Allow cookies/credentials |
max_age |
int | 86400 |
Preflight cache duration (seconds) |
expose_headers |
array | [] |
Headers exposed to client |
Header::security();
// Sets HSTS, X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, etc.Header::security([
'hsts' => true,
'hsts_max_age' => 31536000, // 1 year
'hsts_subdomains' => true,
'hsts_preload' => false,
'nosniff' => true,
'xss_protection' => true,
'frame_options' => 'SAMEORIGIN', // DENY, SAMEORIGIN, or false
'csp' => "default-src 'self'", // Content Security Policy
'referrer_policy' => 'strict-origin-when-cross-origin'
]);// HTTP Strict Transport Security
Header::set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
// Prevent MIME sniffing
Header::set('X-Content-Type-Options', 'nosniff');
// XSS Protection
Header::set('X-XSS-Protection', '1; mode=block');
// Clickjacking protection
Header::set('X-Frame-Options', 'DENY');
// Content Security Policy
Header::set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'");
// Referrer Policy
Header::set('Referrer-Policy', 'strict-origin-when-cross-origin');// Cache for 1 hour (3600 seconds)
Header::cache(3600);
// With options
Header::cache(3600, [
'public' => true, // Public cache
'must_revalidate' => true,
'no_transform' => false,
's_maxage' => 7200 // Shared cache max age
]);
// Custom cache directive
Header::cache('public, max-age=3600, immutable');Header::noCache();
// Sets: Cache-Control: no-store, no-cache, must-revalidate, max-age=0
// Pragma: no-cache
// Expires: Thu, 01 Jan 1970 00:00:00 GMT// Generic content type
Header::contentType('application/json');
Header::contentType('text/html', 'utf-8');
// Predefined shortcuts
Header::json(); // application/json
Header::html(); // text/html
Header::xml(); // application/xml
Header::text(); // text/plain// JSON API response
Header::json();
echo json_encode(['status' => 'success']);
// HTML page
Header::html();
echo '<h1>Welcome</h1>';
// XML feed
Header::xml();
echo '<?xml version="1.0"?><feed>...</feed>';
// Plain text
Header::text();
echo 'Plain text response';// Basic download
Header::download('report.pdf');
// With content type
Header::download('data.csv', 'text/csv');
// With size
Header::download('file.zip', 'application/zip', 1048576); // 1 MB$filename = 'report.pdf';
$filepath = '/path/to/report.pdf';
Header::download($filename, 'application/pdf', filesize($filepath));
readfile($filepath);
exit;// Temporary redirect (302)
Header::redirect('https://example.com/new-page');
// Permanent redirect (301)
Header::redirect('https://example.com/new-page', 301);// Set custom status code
Header::status(201); // Created
Header::status(404); // Not Found
Header::status(500); // Internal Server Error// Set API version and rate limit headers
Header::setMultiple([
'X-API-Version' => '2.0',
'X-Rate-Limit' => '1000',
'X-Rate-Limit-Remaining' => '950',
'X-Rate-Limit-Reset' => time() + 3600
]);// Comprehensive security setup
Header::security([
'hsts' => true,
'hsts_max_age' => 63072000, // 2 years
'hsts_subdomains' => true,
'hsts_preload' => true,
'nosniff' => true,
'xss_protection' => true,
'frame_options' => 'DENY',
'csp' => implode('; ', [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' https://cdn.example.com",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"font-src 'self' data:",
"connect-src 'self' https://api.example.com",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'"
]),
'referrer_policy' => 'strict-origin-when-cross-origin'
]);// Set custom authentication header
Header::set('WWW-Authenticate', 'Custom realm="API"');
Header::status(401);// Clear cached headers (useful in testing)
Header::clearCache();| Method | Description | Returns |
|---|---|---|
all() |
Get all request headers | array |
get($name, $default) |
Get specific header | mixed |
has($name) |
Check if header exists | bool |
getUserAgent() |
Get User-Agent | string|null |
getReferer() |
Get Referer | string|null |
getContentType() |
Get Content-Type | string|null |
expectsJson() |
Check if expects JSON | bool |
| Method | Description | Returns |
|---|---|---|
getAuthorization() |
Get Authorization header | string|null |
getBearerToken() |
Extract Bearer token | string|null |
getBasicAuth() |
Extract Basic auth credentials | array|null |
getApiKey($headerName) |
Get API key | string|null |
| Method | Description | Returns |
|---|---|---|
set($name, $value, $replace) |
Set header | void |
setMultiple($headers, $replace) |
Set multiple headers | void |
remove($name) |
Remove header | void |
| Method | Description | Returns |
|---|---|---|
cors($config) |
Set CORS headers | bool |
handlePreflight($config, $terminate) |
Handle OPTIONS request | void |
| Method | Description | Returns |
|---|---|---|
security($options) |
Set security headers | void |
| Method | Description | Returns |
|---|---|---|
cache($value, $options) |
Enable caching | void |
noCache() |
Disable caching | void |
| Method | Description | Returns |
|---|---|---|
contentType($type, $charset) |
Set content type | void |
json() |
Set JSON content type | void |
html() |
Set HTML content type | void |
xml() |
Set XML content type | void |
text() |
Set text content type | void |
| Method | Description | Returns |
|---|---|---|
download($filename, $type, $size) |
Set download headers | void |
redirect($url, $code) |
Redirect to URL | void |
status($code) |
Set status code | void |
| Method | Description | Returns |
|---|---|---|
sent(&$file, &$line) |
Check if headers sent | bool |
clearCache() |
Clear header cache | void |
use Webrium\Header;
// Check authentication
$token = Header::getBearerToken();
if (!$token || !isValidToken($token)) {
Header::status(401);
Header::json();
echo json_encode(['error' => 'Unauthorized']);
exit;
}
// Set response headers
Header::json();
Header::setMultiple([
'X-API-Version' => '1.0',
'X-Request-ID' => uniqid()
]);
echo json_encode(['data' => 'success']);$file = '/path/to/report.pdf';
if (!file_exists($file)) {
Header::status(404);
die('File not found');
}
Header::download('Monthly-Report.pdf', 'application/pdf', filesize($file));
readfile($file);
exit;// Apply security headers
Header::security([
'hsts' => true,
'frame_options' => 'DENY',
'csp' => "default-src 'self'; script-src 'self' 'unsafe-inline'"
]);
// Disable caching for sensitive pages
Header::noCache();// Check rate limit
$remaining = getRateLimitRemaining($userId);
Header::setMultiple([
'X-Rate-Limit' => '100',
'X-Rate-Limit-Remaining' => (string)$remaining,
'X-Rate-Limit-Reset' => (string)(time() + 3600)
]);
if ($remaining <= 0) {
Header::status(429); // Too Many Requests
Header::json();
echo json_encode(['error' => 'Rate limit exceeded']);
exit;
}- Always validate authentication headers before processing sensitive requests
- Use security headers in production for all web applications
- Set appropriate cache headers based on content type
-
Use CORS with App class (
App::corsMiddleware()) for better integration -
Check
Header::sent()before setting headers to avoid errors - Set Content-Type before outputting response body
-
Use
noCache()for dynamic/sensitive content - Clear header cache in tests to avoid pollution
- Never trust client headers completely (can be spoofed)
- Always validate authentication tokens server-side
- Use HTTPS in production (enforce with HSTS)
- Set restrictive CSP policies
- Validate and sanitize all header values before using them
- Use
X-Frame-Optionsto prevent clickjacking - Enable
X-Content-Type-Options: nosniffto prevent MIME sniffing