Http Laravel Package

Product Decisions This Supports

• Standardizing HTTP Abstraction: Adopt this package to unify HTTP request/response handling across Laravel-based applications, reducing inconsistencies in URL manipulation, session management, and cookie handling.
• Security Enhancements: Leverage built-in features like SameSite cookie support, secure session handling, and sanitized file uploads to align with modern security best practices (e.g., GDPR, PCI compliance).
• Proxy/Load Balancer Support: Use RequestFactory::setForceHttps() and X-Forwarded-* handling to ensure correct protocol detection behind proxies (e.g., AWS ALB, Nginx).
• URL/Query String Management: Replace ad-hoc URL parsing with Url::parseQuery() and UrlImmutable for consistent, RFC-compliant URL manipulation (e.g., path normalization, query parameter handling).
• File Upload Sanitization: Integrate FileUpload::getSanitizedName() to mitigate risks like path traversal or malicious filenames in user uploads.
• Cookie/CSP Optimization: Adopt HttpExtension for dynamic CSP policies, SameSite attributes, and cookie path/domain management to reduce cross-site scripting risks.
• PHP Version Compatibility: Future-proof the stack by adopting PHP 8.5+ features (e.g., readonly properties, strict typing) via this package’s updates.
• Performance Improvements: Utilize optimizations like RequestFactory’s port detection fixes and Session’s lazy initialization to reduce overhead in high-traffic APIs.
• Deprecation Roadmap: Plan for gradual migration from deprecated methods (e.g., getReferer(), getRemoteHost()) to avoid technical debt.
• Multi-Region Deployments: Use Url::resolve() and UrlImmutable to handle region-specific URLs (e.g., https://{region}.example.com) dynamically.

When to Consider This Package

• Avoid if:

  • Your stack is monolithic and already uses Laravel’s built-in Illuminate\Http\Request/Response without custom extensions (low incremental value).
  • You need real-time HTTP streaming (e.g., Server-Sent Events) where Laravel’s native tools suffice.
  • Your team lacks PHP/Nette familiarity; the learning curve for DI integration (nette/di) may outweigh benefits.
  • You’re locked into PHP <7.1 or Laravel <5.5 (package requires PHP 7.1+).
  • Your use case is serverless/edge computing (e.g., Cloudflare Workers) where HTTP abstraction layers add latency.

• Consider if:

  • You’re building a microservices architecture with shared HTTP contracts across PHP/Laravel services.
  • You need granular control over cookies/sessions** (e.g., per-tenant isolation, custom session handlers).
  • Your app handles user uploads or sensitive data (sanitization and SameSite cookies are critical).
  • You’re migrating from Nette Framework to Laravel and need HTTP layer parity.
  • You require RFC-compliant URL parsing (e.g., internationalized domains, query string normalization).
  • Your infrastructure uses proxies/load balancers (e.g., Kubernetes Ingress, Cloudflare) and needs reliable X-Forwarded-* handling.

How to Pitch It (Stakeholders)

For Executives:

"This package standardizes how our Laravel apps handle HTTP requests, responses, and sessions—reducing security risks (e.g., cross-site scripting) and improving performance behind proxies. It’s like upgrading from a manual car to an autonomous one for HTTP traffic: fewer bugs, better compliance, and easier scaling. For example, it automatically fixes issues with HTTPS detection behind load balancers (a common pain point in our cloud deployments) and enforces secure cookie policies by default. The cost? Minimal—it’s a drop-in replacement for Laravel’s native HTTP tools, with a one-time integration effort. ROI comes from fewer security incidents and smoother deployments."

For Engineers:

*"nette/http gives us a battle-tested, RFC-compliant HTTP abstraction layer that:

• Fixes proxy headaches: Correctly handles X-Forwarded-* headers and forces HTTPS behind load balancers (e.g., RequestFactory::setForceHttps()).
• Secures sessions/cookies: Enforces SameSite attributes, sanitizes file uploads, and prevents cookie parameter conflicts (e.g., Session::autoStart()).
• Simplifies URLs: Replace messy string manipulation with UrlImmutable for path normalization, query parsing, and IDN (international domain) support.
• Future-proofs PHP: Supports up to PHP 8.5 with strict typing and readonly properties—no more fighting deprecations.
• Integrates cleanly: Works alongside Laravel’s DI container (via nette/di) or standalone. Example: Swap Request::getReferer() with Request::getOrigin() for RFC 6454 compliance.

Trade-offs:

• Adds ~1MB to your vendor directory (negligible for most apps).
• Requires updating deprecated methods (e.g., getRemoteHost() → getRemoteAddress()) over time.
• Steeper learning curve for Nette’s DI system if you’re new to it.

Quick win: Start with FileUpload for sanitization and RequestFactory for proxy support—both solve immediate pain points with minimal refactoring."*