Http Laravel Package

Getting Started

Start by installing via Composer: composer require nette/http. This package provides core HTTP abstractions—Request, Response, Url, FileUpload, and Session management—ideal for building HTTP-aware PHP applications, especially when used with Nette DI (though it works standalone).
Your first practical use case is handling incoming requests: inject or instantiate Nette\Http\Request (via Nette\Http\RequestFactory) to safely access sanitized user input:

$request = $requestFactory->fromGlobals();
$path = $request->getUrl()->getPath(); // Sanitized path, e.g. '/api/users'
$name = $request->getQuery('name'); // Auto-decoded query parameter
$file = $request->getFile('avatar'); // Nette\Http\FileUpload instance

Check Nette\Http docs for the full API surface—start with Request, Response, and Url classes.

Implementation Patterns

• Separate Concerns with DI: In Nette apps, use Nette\Http\Request and Nette\Http\Response as injected services (via DI extensions) to avoid direct $_SERVER access and ensure testability.
• Idempotent URL Manipulation: Use UrlImmutable for building safe, chainable URLs (e.g., generating redirects):

  $url = (new Url('https://example.com/api'))
      ->withQueryParameter('page', 2)
      ->withFragment('top');
  

• Robust File Handling: Use FileUpload for validated uploads—leverage getSanitizedName(), getSuggestedExtension(), and isImage() for safe storage and preview generation.
• Secure Session Management: Use Nette\Http\Session (with SessionSection) for typed, namespaced sessions:

  $session = new Session($request, $response);
  $userSection = $session->getSection('user');
  $userSection->set('lastLogin', new DateTimeImmutable());
  

• Proxy-Aware Requests: Configure trusted proxies in RequestFactory to correctly resolve getUri(), isHttps(), and client IPs when behind load balancers:

  $factory = new RequestFactory;
  $factory->setTrustedProxies(['10.0.0.0/8', '192.168.0.0/16']);
  

Gotchas and Tips

• Deprecations Matter: In v3.1+, several methods are silently deprecated—avoid getReferer(), getRemoteHost(), and magic session accessors ($session->foo). Use getOrigin(), getBasicCredentials(), and explicit get()/set() instead.
• SameSite Defaults: Cookie SameSite is Lax by default since v3.1—ensure compatibility in cross-site flows (e.g., OAuth callbacks) by explicitly setting None; Secure.
• Proxy Headers: Be cautious with X-Forwarded-For parsing—RequestFactory now properly ignores non-IP values and respects trusted proxy ranges. Always configure trusted proxies explicitly in production.
• File Upload Extensions: getSanitizedName() only modifies extensions for images. If validating non-image uploads, pair with getUploadErrorCode() and isImage() checks.
• Session Auto-Start: v3.0+ defaults autoStart = false to prevent session fixation. If reading session data before writing, explicitly call $session->start() or use $session->autoStart(true).
• URL Canonicalization: Prefer UrlImmutable over Url for immutable transformations. Use resolve() for path resolution and canonicalize() for consistent query/fragment encoding.
• PHP Version Alignment: Ensure PHP 8.1+ for v3.x (v3.3.0+ requires 8.1), as scalar return types and readonly properties are used heavily—avoid mixing v2 and v3 in same codebase.