HTTP Responses

The Response class extends the HTTP Message Class with methods only appropriate for a server responding to the client that called it.

Working with the Response
- Setting the Output
- Setting Headers
Force File Download
HTTP Caching
Content Security Policy
Class Reference

Working with the Response 

A Response class is instantiated for you and passed into your controllers. It can be accessed through $this->response. Many times you will not need to touch the class directly, since CodeIgniter takes care of sending the headers and the body for you. This is great if the page successfully created the content it was asked to. When things go wrong, or you need to send very specific status codes back, or even take advantage of the powerful HTTP caching, it’s there for you.

Setting the Output 

When you need to set the output of the script directly, and not rely on CodeIgniter to automatically get it, you do it manually with the setBody method. This is usually used in conjunction with setting the status code of the response:

<?php

$this->response->setStatusCode(404)->setBody($body);

The reason phrase (‘OK’, ‘Created’, ‘Moved Permanently’) will be automatically added, but you can add custom reasons as the second parameter of the setStatusCode() method:

<?php

$this->response->setStatusCode(404, 'Nope. Not here.');

You can set format an array into either JSON or XML and set the content type header to the appropriate mime with the setJSON and setXML methods. Typically, you will send an array of data to be converted:

<?php

$data = [
    'success' => true,
    'id'      => 123,
];

return $this->response->setJSON($data);
// or
return $this->response->setXML($data);

Setting Headers 

Often, you will need to set headers to be set for the response. The Response class makes this very simple to do, with the setHeader() method. The first parameter is the name of the header. The second parameter is the value, which can be either a string or an array of values that will be combined correctly when sent to the client. Using these functions instead of using the native PHP functions allows you to ensure that no headers are sent prematurely, causing errors, and makes testing possible.

<?php

$response->setHeader('Location', 'http://example.com')
    ->setHeader('WWW-Authenticate', 'Negotiate');

If the header exists and can have more than one value, you may use the appendHeader() and prependHeader() methods to add the value to the end or beginning of the values list, respectively. The first parameter is the name of the header, while the second is the value to append or prepend.

<?php

$response->setHeader('Cache-Control', 'no-cache')
    ->appendHeader('Cache-Control', 'must-revalidate');

Headers can be removed from the response with the removeHeader() method, which takes the header name as the only parameter. This is not case-sensitive.

<?php

$response->removeHeader('Location');

Force File Download 

The Response class provides a simple way to send a file to the client, prompting the browser to download the data to your computer. This sets the appropriate headers to make it happen.

The first parameter is the name you want the downloaded file to be named, the second parameter is the file data.

If you set the second parameter to null and $filename is an existing, readable file path, then its content will be read instead.

If you set the third parameter to boolean true, then the actual file MIME type (based on the filename extension) will be sent, so that if your browser has a handler for that type - it can use it.

Example:

<?php

$data = 'Here is some text!';
$name = 'mytext.txt';

return $response->download($name, $data);

If you want to download an existing file from your server you’ll need to pass null explicitly for the second parameter:

<?php

// Contents of photo.jpg will be automatically read
return $response->download('/path/to/photo.jpg', null);

Use the optional setFileName() method to change the filename as it is sent to the client’s browser:

<?php

return $response->download('awkwardEncryptedFileName.fakeExt', null)->setFileName('expenses.csv');

Note

The response object MUST be returned for the download to be sent to the client. This allows the response to be passed through all after filters before being sent to the client.

HTTP Caching 

Built into the HTTP specification are tools help the client (often the web browser) cache the results. Used correctly, this can lead to a huge performance boost to your application because it will tell the client that they don’t need to contact the server at all since nothing has changed. And you can’t get faster than that.

This are handled through the Cache-Control and ETag headers. This guide is not the proper place for a thorough introduction to all of the cache headers power, but you can get a good understanding over at Google Developers.

By default, all response objects sent through CodeIgniter have HTTP caching turned off. The options and exact circumstances are too varied for us to be able to create a good default other than turning it off. It’s simple to set the Cache values to what you need, through the setCache() method:

<?php

$options = [
    'max-age'  => 300,
    's-maxage' => 900,
    'etag'     => 'abcde',
];
$this->response->setCache($options);

The $options array simply takes an array of key/value pairs that are, with a couple of exceptions, assigned to the Cache-Control header. You are free to set all of the options exactly as you need for your specific situation. While most of the options are applied to the Cache-Control header, it intelligently handles the etag and last-modified options to their appropriate header.

Content Security Policy 

One of the best protections you have against XSS attacks is to implement a Content Security Policy on the site. This forces you to whitelist every single source of content that is pulled in from your site’s HTML, including images, stylesheets, javascript files, etc. The browser will refuse content from sources that don’t meet the whitelist. This whitelist is created within the response’s Content-Security-Policy header and has many different ways it can be configured.

This sounds complex, and on some sites, can definitely be challenging. For many simple sites, though, where all content is served by the same domain (http://example.com), it is very simple to integrate.

As this is a complex subject, this user guide will not go over all of the details. For more information, you should visit the following sites:

Turning CSP On 

By default, support for this is off. To enable support in your application, edit the CSPEnabled value in app/Config/App.php:

<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

class App extends BaseConfig
{
    public $CSPEnabled = true;

    // ...
}

When enabled, the response object will contain an instance of CodeIgniter\HTTP\ContentSecurityPolicy. The values set in app/Config/ContentSecurityPolicy.php are applied to that instance, and if no changes are needed during runtime, then the correctly formatted header is sent and you’re all done.

With CSP enabled, two header lines are added to the HTTP response: a Content-Security-Policy header, with policies identifying content types or origins that are explicitly allowed for different contexts, and a Content-Security-Policy-Report-Only header, which identifies content types or origins that will be allowed but which will also be reported to the destination of your choice.

Our implementation provides for a default treatment, changeable through the reportOnly() method. When an additional entry is added to a CSP directive, as shown below, it will be added to the CSP header appropriate for blocking or preventing. That can be overridden on a per call basis, by providing an optional second parameter to the adding method call.

Runtime Configuration 

If your application needs to make changes at run-time, you can access the instance at $response->CSP. The class holds a number of methods that map pretty clearly to the appropriate header value that you need to set. Examples are shown below, with different combinations of parameters, though all accept either a directive name or an array of them:

<?php

// specify the default directive treatment
$response->CSP->reportOnly(false);

// specify the origin to use if none provided for a directive
$response->CSP->setDefaultSrc('cdn.example.com');

// specify the URL that "report-only" reports get sent to
$response->CSP->setReportURI('http://example.com/csp/reports');

// specify that HTTP requests be upgraded to HTTPS
$response->CSP->upgradeInsecureRequests(true);

// add types or origins to CSP directives
// assuming that the default treatment is to block rather than just report
$response->CSP->addBaseURI('example.com', true); // report only
$response->CSP->addChildSrc('https://youtube.com'); // blocked
$response->CSP->addConnectSrc('https://*.facebook.com', false); // blocked
$response->CSP->addFontSrc('fonts.example.com');
$response->CSP->addFormAction('self');
$response->CSP->addFrameAncestor('none', true); // report this one
$response->CSP->addImageSrc('cdn.example.com');
$response->CSP->addMediaSrc('cdn.example.com');
$response->CSP->addManifestSrc('cdn.example.com');
$response->CSP->addObjectSrc('cdn.example.com', false); // reject from here
$response->CSP->addPluginType('application/pdf', false); // reject this media type
$response->CSP->addScriptSrc('scripts.example.com', true); // allow but report requests from here
$response->CSP->addStyleSrc('css.example.com');
$response->CSP->addSandbox(['allow-forms', 'allow-scripts']);

The first parameter to each of the “add” methods is an appropriate string value, or an array of them.

The reportOnly method allows you to specify the default reporting treatment for subsequent sources, unless over-ridden. For instance, you could specify that youtube.com was allowed, and then provide several allowed but reported sources:

<?php

$response->addChildSrc('https://youtube.com'); // allowed
$response->reportOnly(true);
$response->addChildSrc('https://metube.com'); // allowed but reported
$response->addChildSrc('https://ourtube.com', false); // allowed

Inline Content 

It is possible to set a website to not protect even inline scripts and styles on its own pages, since this might have been the result of user-generated content. To protect against this, CSP allows you to specify a nonce within the <style> and <script> tags, and to add those values to the response’s header. This is a pain to handle in real life, and is most secure when generated on the fly. To make this simple, you can include a {csp-style-nonce} or {csp-script-nonce} placeholder in the tag and it will be handled for you automatically:

// Original
<script {csp-script-nonce}>
    console.log("Script won't run as it doesn't contain a nonce attribute");
</script>

// Becomes
<script nonce="Eskdikejidojdk978Ad8jf">
    console.log("Script won't run as it doesn't contain a nonce attribute");
</script>

// OR
<style {csp-style-nonce}>
    . . .
</style>

Warning

If an attacker injects a string like <script {csp-script-nonce}>, it might become the real nonce attribute with this functionality. You can customize the placeholder string with the $scriptNonceTag and $styleNonceTag properties in app/Config/ContentSecurityPolicy.php.

If you don’t like this auto replacement functionality, you can turn it off with setting $autoNonce = false in app/Config/ContentSecurityPolicy.php.

In this case, you can use the functions, csp_script_nonce() and csp_style_nonce():

// Original
<script <?= csp_script_nonce() ?>>
    console.log("Script won't run as it doesn't contain a nonce attribute");
</script>

// Becomes
<script nonce="Eskdikejidojdk978Ad8jf">
    console.log("Script won't run as it doesn't contain a nonce attribute");
</script>

// OR
<style <?= csp_style_nonce() ?>>
    . . .
</style>

Class Reference 

Note

In addition to the methods listed here, this class inherits the methods from the Message Class.

The methods provided by the parent class that are available are:

CodeIgniter\HTTP\Message::body()
CodeIgniter\HTTP\Message::setBody()
CodeIgniter\HTTP\Message::populateHeaders()
CodeIgniter\HTTP\Message::headers()
CodeIgniter\HTTP\Message::header()
CodeIgniter\HTTP\Message::headerLine()
CodeIgniter\HTTP\Message::setHeader()
CodeIgniter\HTTP\Message::removeHeader()
CodeIgniter\HTTP\Message::appendHeader()
CodeIgniter\HTTP\Message::protocolVersion()
CodeIgniter\HTTP\Message::setProtocolVersion()
CodeIgniter\HTTP\Message::negotiateMedia()
CodeIgniter\HTTP\Message::negotiateCharset()
CodeIgniter\HTTP\Message::negotiateEncoding()
CodeIgniter\HTTP\Message::negotiateLanguage()
CodeIgniter\HTTP\Message::negotiateLanguage()

CodeIgniter\\HTTP\\Response

getStatusCode()

Returns: The current HTTP status code for this response
Return type: int

Returns the currently status code for this response. If no status code has been set, a BadMethodCallException will be thrown:

<?php

echo $response->getStatusCode();

setStatusCode($code[, $reason=''])

Parameters

$code (int) – The HTTP status code
$reason (string) – An optional reason phrase.

Returns

The current Response instance

Return type

CodeIgniter\HTTP\Response

Sets the HTTP status code that should be sent with this response:

<?php

$response->setStatusCode(404);

The reason phrase will be automatically generated based upon the official lists. If you need to set your own for a custom status code, you can pass the reason phrase as the second parameter:

<?php

$response->setStatusCode(230, 'Tardis initiated');

getReasonPhrase()

Returns: The current reason phrase.
Return type: string

Returns the current status code for this response. If not status has been set, will return an empty string:

<?php

echo $response->getReasonPhrase();

setDate($date)

Parameters

$date (DateTime) – A DateTime instance with the time to set for this response.

Returns

The current response instance.

Return type

CodeIgniter\HTTP\Response

Sets the date used for this response. The $date argument must be an instance of DateTime:

<?php

$date = DateTime::createFromFormat('j-M-Y', '15-Feb-2016');
$response->setDate($date);

setContentType($mime[, $charset='UTF-8'])

Parameters

$mime (string) – The content type this response represents.
$charset (string) – The character set this response uses.

Returns

The current response instance.

Return type

CodeIgniter\HTTP\Response

Sets the content type this response represents:

<?php

$response->setContentType('text/plain');
$response->setContentType('text/html');
$response->setContentType('application/json');

By default, the method sets the character set to UTF-8. If you need to change this, you can pass the character set as the second parameter:

<?php

$response->setContentType('text/plain', 'x-pig-latin');

noCache()

Returns: The current response instance.
Return type: CodeIgniter\HTTP\Response

Sets the Cache-Control header to turn off all HTTP caching. This is the default setting of all response messages:

<?php

$response->noCache();
/*
 * Sets the following header:
 * Cache-Control: no-store, max-age=0, no-cache
 */

setCache($options)

Parameters

$options (array) – An array of key/value cache control settings

Returns

The current response instance.

Return type

CodeIgniter\HTTP\Response

Sets the Cache-Control headers, including ETags and Last-Modified. Typical keys are:

etag
last-modified
max-age
s-maxage
private
public
must-revalidate
proxy-revalidate
no-transform

When passing the last-modified option, it can be either a date string, or a DateTime object.

setLastModified($date)

Parameters

$date (string|DateTime) – The date to set the Last-Modified header to

Returns

The current response instance.

Return type

CodeIgniter\HTTP\Response

Sets the Last-Modified header. The $date object can be either a string or a DateTime instance:

<?php

$response->setLastModified(date('D, d M Y H:i:s'));
$response->setLastModified(DateTime::createFromFormat('u', $time));

send(): Response

Returns: The current response instance.
Return type: CodeIgniter\HTTP\Response

Tells the response to send everything back to the client. This will first send the headers, followed by the response body. For the main application response, you do not need to call this as it is handled automatically by CodeIgniter.

setCookie($name = ''[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = false[, $httponly = false[, $samesite = null]]]]]]]])

Parameters

$name (array|Cookie|string) – Cookie name or an array of parameters or an instance of CodeIgniter\Cookie\Cookie
$value (string) – Cookie value
$expire (int) – Cookie expiration time in seconds
$domain (string) – Cookie domain
$path (string) – Cookie path
$prefix (string) – Cookie name prefix. If set to '', the default value from app/Config/Cookie.php will be used
$secure (bool) – Whether to only transfer the cookie through HTTPS
$httponly (bool) – Whether to only make the cookie accessible for HTTP requests (no JavaScript)
$samesite (string) – The value for the SameSite cookie parameter. If set to '', no SameSite attribute will be set on the cookie. If set to null, the default value from app/Config/Cookie.php will be used

Return type

void

Sets a cookie containing the values you specify. There are two ways to pass information to this method so that a cookie can be set: Array Method, and Discrete Parameters:

Array Method

Using this method, an associative array is passed as the first parameter:

<?php

$cookie = [
    'name'     => 'The Cookie Name',
    'value'    => 'The Value',
    'expire'   => '86500',
    'domain'   => '.some-domain.com',
    'path'     => '/',
    'prefix'   => 'myprefix_',
    'secure'   => true,
    'httponly' => false,
    'samesite' => 'Lax',
];

$response->setCookie($cookie);

Only the name and value are required. To delete a cookie set it with the expire blank.

The expire is set in seconds, which will be added to the current time. Do not include the time, but rather only the number of seconds from now that you wish the cookie to be valid. If the expire is set to zero the cookie will only last as long as the browser is open.

Note

But if the value is set to empty string and the expire is set to 0, the cookie will be deleted.

For site-wide cookies regardless of how your site is requested, add your URL to the domain starting with a period, like this: .your-domain.com

The path is usually not needed since the method sets a root path.

The prefix is only needed if you need to avoid name collisions with other identically named cookies for your server.

The secure flag is only needed if you want to make it a secure cookie by setting it to true.

The samesite value controls how cookies are shared between domains and sub-domains. Allowed values are 'None', 'Lax', 'Strict' or a blank string ''. If set to blank string, default SameSite attribute will be set.

Discrete Parameters

If you prefer, you can set the cookie by passing data using individual parameters:

<?php

$response->setCookie($name, $value, $expire, $domain, $path, $prefix, $secure, $httponly, $samesite);

deleteCookie($name = ''[, $domain = ''[, $path = '/'[, $prefix = '']]])

Parameters

$name (mixed) – Cookie name or an array of parameters
$domain (string) – Cookie domain
$path (string) – Cookie path
$prefix (string) – Cookie name prefix

Return type

void

Delete an existing cookie.

Only the name is required.

The prefix is only needed if you need to avoid name collisions with other identically named cookies for your server.

Provide a prefix if cookies should only be deleted for that subset. Provide a domain name if cookies should only be deleted for that domain. Provide a path name if cookies should only be deleted for that path.

If any of the optional parameters are empty, then the same-named cookie will be deleted across all that apply.

Example:

<?php

$response->deleteCookie($name);

hasCookie($name = ''[, $value = null[, $prefix = '']])

Parameters

$name (mixed) – Cookie name or an array of parameters
$value (string) – cookie value
$prefix (string) – Cookie name prefix

Return type

bool

Checks to see if the Response has a specified cookie or not.

Notes

Only the name is required. If a prefix is specified, it will be prepended to the cookie name.

If no value is given, the method just checks for the existence of the named cookie. If a value is given, then the method checks that the cookie exists, and that it has the prescribed value.

Example:

<?php

if ($response->hasCookie($name)) {
    // ...
}

getCookie($name = ''[, $prefix = ''])

Parameters

$name (string) – Cookie name
$prefix (string) – Cookie name prefix

Return type

Cookie|Cookie[]|null

Returns the named cookie, if found, or null. If no name is given, returns the array of Cookie objects.

Example:

<?php

$cookie = $response->getCookie($name);

getCookies()

Return type: Cookie[]

Returns all cookies currently set within the Response instance. These are any cookies that you have specifically specified to set during the current request only.