HTTP Configuration

Overview of configuration options for Nette HTTP.

If you are not using the entire framework, but only this library, read how to load the configuration.

HTTP Headers

http:
	# headers that are sent with each request
	headers:
		X-Powered-By: MyCMS
		X-Content-Type-Options: nosniff
		X-XSS-Protection: '1; mode=block'

	# affects the X-Frame-Options header
	frames: ...      # (string|bool) defaults to 'SAMEORIGIN'

For security reasons, the framework sends the X-Frame-Options: SAMEORIGIN header, which indicates that a page can be displayed inside another page (in an <iframe> element) only if it is on the same domain. This might be undesirable in certain situations (e.g., if you are developing a Facebook application), so the behavior can be changed by setting frames: http://allowed-host.com or frames: true.

Content Security Policy

The Content-Security-Policy (CSP) header can be configured easily; the individual directives are described in the CSP specification. CSP directives (such as script-src) can be written either as strings according to the specification or as arrays of values for better readability. In the array form there is no need to put quotation marks around keywords like 'self'. Nette will also automatically generate a nonce value, so something like 'nonce-y4PopTLM==' will be sent in the header.

http:
	# Content Security Policy
	csp:
		# string according to the CSP specification
		default-src: "'self' https://example.com"

		# array of values
		script-src:
			- nonce
			- strict-dynamic
			- self
			- https://example.com

		# bool in the case of switches
		upgrade-insecure-requests: true
		block-all-mixed-content: false

Use <script n:nonce>...</script> in templates, and the nonce value will be filled in automatically. Making secure websites in Nette is really easy.
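To make the string/array/bool conventions above concrete, here is an added stand-alone example (not Nette's own implementation) that turns the same csp configuration into a header value: array items that are CSP keywords are wrapped in single quotes, the item nonce becomes 'nonce-...' with a freshly generated value, and a bool switch such as upgrade-insecure-requests is emitted bare or dropped. The keyword list and the buildCsp() function are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Keywords the CSP spec requires in single quotes; when a directive is given
// as an array, bare items like self or strict-dynamic are quoted automatically.
const CSP_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval',
    'strict-dynamic', 'report-sample', 'unsafe-hashes'];

function buildCsp(array $config, string $nonce): string
{
    $parts = [];
    foreach ($config as $directive => $value) {
        if (is_bool($value)) {
            if ($value) {
                $parts[] = $directive;   // switch directive, no value
            }
            continue;                    // false: directive not sent at all
        }
        if (is_array($value)) {
            $sources = [];
            foreach ($value as $item) {
                if ($item === 'nonce') {
                    $sources[] = "'nonce-$nonce'";
                } elseif (in_array($item, CSP_KEYWORDS, true)) {
                    $sources[] = "'$item'";
                } else {
                    $sources[] = $item;  // scheme or host source, unquoted
                }
            }
            $value = implode(' ', $sources);
        }
        $parts[] = "$directive $value";  // string form is passed through as-is
    }
    return implode('; ', $parts);
}

// Constructed config mirroring the NEON block above.
$config = [
    'default-src' => "'self' https://example.com",
    'script-src' => ['nonce', 'strict-dynamic', 'self', 'https://example.com'],
    'upgrade-insecure-requests' => true,
    'block-all-mixed-content' => false,
];

// A new random nonce per response; the same value must appear in the header
// and in the nonce attribute of every inline script the page emits.
$nonce = base64_encode(random_bytes(16));
header('Content-Security-Policy: ' . buildCsp($config, $nonce));
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">/* inline code */</script>';
```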

Similarly, Content-Security-Policy-Report-Only headers (which can be used concurrently with CSP) and Feature Policy can be configured:

http:
	# Content Security Policy Report-Only
	cspReportOnly:
		default-src: self
		report-uri: 'https://my-report-uri-endpoint'

	# Feature Policy
	featurePolicy:
		unsized-media: none
		geolocation:
			- self
			- https://example.com

You can change the default values of some parameters of the Nette\Http\Response::setCookie() method and session handling.

http:
	# cookie scope by path
	cookiePath: ...          # (string) defaults to '/'

	# domains that can receive the cookie
	cookieDomain: 'example.com'  # (string|domain) defaults to unset

	# send cookies only via HTTPS?
	cookieSecure: ...        # (bool|auto) defaults to auto

	# disables sending the cookie that Nette uses for CSRF protection
	disableNetteCookie: ...  # (bool) defaults to false

The cookieDomain attribute determines which hosts the browser sends the cookie to. If it is not specified, the cookie is sent only to the exact (sub)domain that set it, excluding its subdomains. If cookieDomain is specified, its subdomains are included as well. Specifying cookieDomain is therefore less restrictive than omitting it.

For example, if cookieDomain: nette.org is set, cookies are also available on all subdomains like doc.nette.org. This can also be achieved with the special value domain, i.e., cookieDomain: domain.

The default value auto for the cookieSecure attribute means that if the website runs on HTTPS, cookies will be sent with the Secure flag and will therefore only be available via HTTPS.
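The host-only versus Domain-attribute behaviour described above can be checked with a small domain-matching routine. This is an added example that follows the RFC 6265 domain-match rule, not Nette code; cookieSentTo() and the sample hosts are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decides whether a browser sends a cookie to $requestHost.
 * $cookieDomain is the Domain attribute the server set; null means the
 * cookieDomain option was left unset, i.e. a host-only cookie.
 */
function cookieSentTo(string $requestHost, string $setByHost, ?string $cookieDomain): bool
{
    $requestHost = strtolower($requestHost);
    if ($cookieDomain === null) {
        // host-only cookie: exact host match, subdomains excluded
        return $requestHost === strtolower($setByHost);
    }
    $domain = strtolower(ltrim($cookieDomain, '.'));
    // domain-match: identical host, or request host ends with ".<domain>"
    // (the dot prevents a sibling such as evilnette.org from matching)
    return $requestHost === $domain
        || str_ends_with($requestHost, '.' . $domain);
}

// Constructed cases: [request host, host that set the cookie, Domain attribute, expected]
$cases = [
    ['nette.org',      'nette.org', null,        true],
    ['doc.nette.org',  'nette.org', null,        false],   // unset: subdomains excluded
    ['doc.nette.org',  'nette.org', 'nette.org', true],    // cookieDomain: nette.org
    ['nette.org',      'nette.org', 'nette.org', true],
    ['evilnette.org',  'nette.org', 'nette.org', false],
];

foreach ($cases as [$host, $setBy, $domain, $expected]) {
    $sent = cookieSentTo($host, $setBy, $domain);
    if ($sent !== $expected) {
        throw new LogicException("unexpected result for $host");
    }
    printf("%-15s Domain=%-10s -> %s\n", $host, $domain ?? '(unset)', $sent ? 'sent' : 'not sent');
}
```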

HTTP Proxy

If the site runs behind an HTTP proxy, enter the proxy's IP address so that HTTPS connection detection and the client's IP address work correctly. That is, so that Nette\Http\Request::getRemoteAddress() and isSecured() return the correct values, and links are generated with the https: protocol in templates.

http:
	# IP address, range (e.g., 127.0.0.1/8), or an array of these values
	proxy: 127.0.0.1       # (string|string[]) defaults to not set
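Why the proxy address must be configured rather than simply trusting forwarding headers: an added example (not Nette's own request handling) that honours X-Forwarded-For and X-Forwarded-Proto only when the direct peer falls inside the configured proxy range. ipInRange() and resolveClient() are illustrative names; the sample $_SERVER arrays are constructed and use only IPv4.

```php
<?php
declare(strict_types=1);

// Does IPv4 address $ip fall inside $range ('127.0.0.1' or '127.0.0.1/8')?
function ipInRange(string $ip, string $range): bool
{
    [$net, $bits] = array_pad(explode('/', $range, 2), 2, '32');
    $mask = $bits === '0' ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/**
 * Returns [client address, is HTTPS]. Forwarding headers are used only when
 * REMOTE_ADDR is one of the configured proxies; otherwise any client could
 * spoof its address or make the application generate https: links.
 */
function resolveClient(array $server, array $trustedProxies): array
{
    $remote = $server['REMOTE_ADDR'];
    $secure = ($server['HTTPS'] ?? '') !== '' && strtolower($server['HTTPS']) !== 'off';
    foreach ($trustedProxies as $proxy) {
        if (ipInRange($remote, $proxy)) {
            if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
                $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
                $remote = end($hops);   // the entry our proxy appended, not a client-supplied one
            }
            if (!empty($server['HTTP_X_FORWARDED_PROTO'])) {
                $secure = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
            }
            break;
        }
    }
    return [$remote, $secure];
}

// Constructed sample: a request that arrived through the proxy on 127.0.0.1.
$fromProxy = ['REMOTE_ADDR' => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
// Constructed sample: a direct client sending the same headers itself.
$direct = ['REMOTE_ADDR' => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'];

var_dump(resolveClient($fromProxy, ['127.0.0.1/8']));   // forwarded values accepted
var_dump(resolveClient($direct, ['127.0.0.1/8']));      // headers ignored, plain HTTP
```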

Session

Basic sessions settings:

session:
	# show the session panel in Tracy Bar?
	debugger: ...        # (bool) defaults to false

	# inactivity time after which the session expires
	expiration: 14 days  # (string) defaults to '3 hours'

	# when should the session start?
	autoStart: ...       # (smart|always|never) defaults to 'smart'

	# handler, a service implementing SessionHandlerInterface
	handler: @handlerService

The autoStart option controls when the session should start. The value always means the session starts whenever the application starts. The value smart means the session starts with the application only if it already exists, or at the moment we want to read from or write to it. Finally, the value never disables the automatic start of the session.

Furthermore, you can set all PHP session directives (in camelCase format) and also readAndClose. Example:

session:
	# 'session.name' written as 'name'
	name: MYID

	# 'session.save_path' written as 'savePath'
	savePath: "%tempDir%/sessions"

The session cookie is sent with the same parameters as other cookies, but you can change these specifically for it:

session:
	# domains that can receive the cookie
	cookieDomain: 'example.com'   # (string|domain)

	# restriction for cross-origin access
	cookieSamesite: None          # (Strict|Lax|None) defaults to Lax

The cookieSamesite attribute affects whether the cookie is sent with cross-origin requests, which provides some protection against Cross-Site Request Forgery (CSRF) attacks.

DI Services

These services are added to the DI container:

Name             Type                   Description
http.request     Nette\Http\Request     HTTP request
http.response    Nette\Http\Response    HTTP response
session.session  Nette\Http\Session     session management