HTTP Response

Nette encapsulates the HTTP response into objects with a clear API.

The HTTP response is represented by the Nette\Http\Response object. If you are working with Nette, this object is automatically created by the framework, and you can have it passed to you using dependency injection. In presenters, simply call the $this->getHttpResponse() method.

Installation and requirements

Nette\Http\Response

Unlike Nette\Http\Request, this object is mutable, so you can use setters to change the state, e.g., to send headers. Remember that all setters must be called before any actual output is sent. The isSent() method indicates if the output has already been sent. If it returns true, any attempt to send a header will throw an Nette\InvalidStateException.

setCode (int $code, ?string $reason=null)

Changes the status response code. For better source code readability, it is recommended to use predefined constants instead of actual numbers.

$httpResponse->setCode(Nette\Http\Response::S404_NotFound);

getCode(): int

Returns the status code of the response.

isSent(): bool

Returns whether headers have already been sent from the server to the browser, meaning it is no longer possible to send headers or change the status code.

setHeader (string $name, ?string $value)

Sends an HTTP header and overwrites a previously sent header of the same name. If $value is null, the header will be removed.

$httpResponse->setHeader('Pragma', 'no-cache');

addHeader (string $name, string $value)

Sends an HTTP header and does not overwrite a previously sent header of the same name.

$httpResponse->addHeader('Accept', 'application/json');
$httpResponse->addHeader('Accept', 'application/xml');

deleteHeader (string $name)

Deletes a previously sent HTTP header.

getHeader (string $header): ?string

Returns the sent HTTP header or null if it doesn't exist. The parameter is case-insensitive.

$pragma = $httpResponse->getHeader('Pragma');

getHeaders(): array

Returns all sent HTTP headers as an associative array.

$headers = $httpResponse->getHeaders();
echo $headers['Pragma'];

setContentType (string $type, ?string $charset=null)

Changes the Content-Type header.

$httpResponse->setContentType('text/plain', 'UTF-8');

redirect (string $url, int $code=self::S302_Found)void

Redirects to another URL. Remember to terminate the script afterwards.

$httpResponse->redirect('http://example.com');
exit;

setExpiration (?string $time)

Sets the expiration of the HTTP document using the Cache-Control and Expires headers. The parameter is either a time interval (as text) or null, which disables caching.

// browser cache expires in one hour
$httpResponse->setExpiration('1 hour');

sendAsFile (string $fileName)

The response will be downloaded via a Save as dialog box with the specified name. It does not send the file itself.

$httpResponse->sendAsFile('invoice.pdf');

setCookie (string $name, string $value, $time, ?string $path=null, ?string $domain=null, ?bool $secure=null, ?bool $httpOnly=null, SameSite|string $sameSite='Lax', bool $partitioned=false)

Sends a cookie. Default parameter values:

$path '/' cookie is available for all paths within the (sub)domain (configurable)
$domain null meaning available for the current (sub)domain, but not its subdomains (configurable)
$secure true if the site is running on HTTPS, otherwise false (configurable)
$httpOnly true cookie is inaccessible to JavaScript
$sameSite 'Lax' cookie might not be sent during cross-origin access
$partitioned false whether the cookie is partitioned, see below (since v3.4)

You can change the default values of the $path, $domain, and $secure parameters in the configuration.

The time can be specified as a number of seconds or a string:

$httpResponse->setCookie('lang', 'en', '100 days');

The $domain parameter determines which domains can accept the cookie. If not specified, the cookie is accepted by the same (sub)domain that set it, but not its subdomains. If $domain is specified, subdomains are also included. Therefore, specifying $domain is less restrictive than omitting it. For example, with $domain = 'nette.org', cookies are also available on all subdomains like doc.nette.org.

You can pass the $sameSite value as a Nette\Http\SameSite enum – SameSite::Lax, SameSite::Strict, or SameSite::None (the string values 'Lax', 'Strict', 'None' work too). If you set it to SameSite::None, the $secure attribute is enabled automatically, because browsers reject a SameSite=None cookie that is not secure.

Partitioned cookies (CHIPS) give a cookie its own separate storage for each top-level site. So when a third-party service (such as an embedded widget) sets a partitioned cookie, the browser keeps a distinct copy for every site the widget appears on, and these copies cannot be linked together for cross-site tracking. Turn it on by setting $partitioned to true; this also requires the $secure attribute, so it is enabled automatically.

$httpResponse->setCookie('theme', 'dark', '1 year', sameSite: SameSite::None, partitioned: true);

deleteCookie (string $name, ?string $path=null, ?string $domain=null, ?bool $secure=null)void

Deletes a cookie. The default values of the parameters are:

  • $path with scope to all directories ('/')
  • $domain with scope to the current (sub)domain, but not its subdomains
  • $secure depends on the settings in the configuration
$httpResponse->deleteCookie('lang');
  1. Documentation
  2. Nette HTTP
  3. HTTP Response
version: 4.0 3.x 2.x