HTTP Response

Nette encapsulates the HTTP response into objects with an understandable API while providing a sanitization filter.

An HTTP response is an Nette\Http\Response object, which you get by passing it using dependency injection. In presenters simply call $httpResponse = $this->getHttpResponse().

Installation and requirements


Unlike Nette\Http\Request, this object is mutable, so you can use setters to change the state, ie to send headers. Remember that all setters must be called before any actual output is sent. The isSent() method tells if output have been sent. If it returns true, each attempt to send a header throws an Nette\InvalidStateException exception.

setCode(int $code, string $reason=null)

Changes a status response code. For better source code readability it is recommended to use predefined constants instead of actual numbers.


getCode(): int

Returns the status code of the response.

isSent(): bool

Returns whether headers have already been sent from the server to the browser, so it is no longer possible to send headers or change the status code.

setHeader(string $name, string $value)

Sends an HTTP header and overwrites previously sent header of the same name.

$httpResponse->setHeader('Pragma', 'no-cache');

addHeader(string $name, string $value)

Sends an HTTP header and doesn't overwrite previously sent header of the same name.

$httpResponse->addHeader('Accept', 'application/json');
$httpResponse->addHeader('Accept', 'application/xml');

deleteHeader(string $name)

Deletes a previously sent HTTP header.

getHeader(string $header): ?string

Returns the sent HTTP header, or null if it does not exist. The parameter is case-insensitive.

$pragma = $httpResponse->getHeader('Pragma');

getHeaders(): array

Returns all sent HTTP headers as associative array.

$headers = $httpResponse->getHeaders();
echo $headers['Pragma'];

setContentType(string $type, string $charset=null)

Sends the header Content-Type.

$httpResponse->setContentType('text/plain', 'UTF-8');

redirect(string $url, int $code=self::S302_Found)void

Redirects to another URL. Don't forget to quit the script then.


setExpiration(?string $time)

Sets the expiration of the HTTP document using the Cache-Control and Expires headers. The parameter is either a time interval (as text) or null, which disables caching.

// browser cache expires in one hour
$httpResponse->setExpiration('1 hour');

sendAsFile(string $fileName)

Response should be downloaded with Save as dialog with specified name. It does not send any file itself to output.


setCookie(string $name, string $value, $time, string $path=null, string $domain=null, bool $secure=null, bool $httpOnly=null, string $sameSite=null)

Sends a cookie. Default parameter values:

$path '/' with scope to all paths on (sub)domain (configurable)
$domain null with scope of the current (sub)domain, but not its subdomains (configurable)
$secure true if the site is running on HTTPS, otherwise false (configurable)
$httpOnly true cookie is inaccessible to JavaScript
$sameSite 'Lax' cookie does not have to be sent when accessed from another origin

You can change the default values of the $path, $domain and $secure parameters in configuration.

The time can be specified as number of seconds or a string:

$httpResponse->setCookie('lang', 'en', '100 days');

The $domain option determines which domains (origins) can accept cookies. If not specified, the cookie is accepted by the same (sub)domain as is set by it, excluding their subdomains. If $domain is specified, then subdomains are also included. Therefore, specifying $domain is less restrictive than omitting. For example, if $domain = '', cookie is also available on all subdomains like

You can use the Response::SameSiteLax, SameSiteStrict and SameSiteNone constants for the $sameSite value.

deleteCookie(string $name, string $path=null, string $domain=null, bool $secure=null)void

Deletes a cookie. The default values ​​of the parameters are:

  • $path with scope to all directories ('/')
  • $domain with scope of the current (sub)domain, but not its subdomains
  • $secure is affected by the settings in configuration
version: 4.0 3.x 2.x