New in Symfony 5.1: The "safe" HTTP Preference

Contributed by Loïck Piera in #34847.

Some web sites have a "safe" mode to assist those who don't want to be exposed to content to which they might object. Instead of configuring this option for each web site, browsers can indicate your safe preference to all web sites.

This feature is fully explained in the RFC 8674 document. Broadly speaking, browsers requesting safe content add the Prefer: safe HTTP header and servers honoring it include these headers in their responses: Preference-Applied: safe and Vary: Prefer.

In Symfony 5.1, we added support for this feature in the HttpFoundation component. First, you can check if a user requested safe content:

// $request is an instance of Symfony\Component\HttpFoundation\Request
if ($request->preferSafeContent()) {
    // ...
}

If you fulfilled the safe request, use the setContentSafe() method on the response to add the needed HTTP headers:

use Symfony\Component\HttpFoundation\Response;

$response = new Response('...');
$response->setContentSafe();

An important thing to keep in mind is that the RFC 8674 specification doesn't define what can be considered as "safe content". Each web site decides which of their contents are objectionable or unsafe in some way.
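The following added example (not part of the original post or of Symfony's code) puts both methods together in a cacheable response and shows why `Vary: Prefer` matters for shared caches. It assumes `symfony/http-foundation` 5.1 or later installed with Composer; `renderComments()`, the `flagged` field and the sample requests are hypothetical.

```php
<?php
// Added example (not Symfony's own code). Assumes symfony/http-foundation >= 5.1
// installed via Composer; renderComments() and all sample data are hypothetical.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

function renderComments(Request $request, array $comments): Response
{
    $safe = $request->preferSafeContent();
    // The site decides what is objectionable; here it is a per-comment flag.
    $visible = $safe
        ? array_filter($comments, static function (array $c): bool { return !$c['flagged']; })
        : $comments;

    $response = new Response(implode("\n", array_column($visible, 'text')));
    $response->setPublic()->setMaxAge(300);

    if ($safe) {
        // Adds "Preference-Applied: safe" and "Vary: Prefer".
        $response->setContentSafe();
    } else {
        // The unfiltered variant is cacheable as well, so it also varies on Prefer;
        // otherwise a shared cache could replay it to a client sending "Prefer: safe".
        $response->setVary('Prefer', false);
    }

    return $response;
}

// Constructed sample data and requests.
$comments = [
    ['text' => 'Great release!', 'flagged' => false],
    ['text' => '[flagged by moderators]', 'flagged' => true],
];
$prefer = ['HTTP_PREFER' => 'safe'];
$requests = [
    'https + Prefer: safe' => Request::create('https://example.test/post/1', 'GET', [], [], [], $prefer),
    'https, no preference' => Request::create('https://example.test/post/1'),
    // preferSafeContent() returns false on non-HTTPS requests, so this one is not filtered.
    'http + Prefer: safe' => Request::create('http://example.test/post/1', 'GET', [], [], [], $prefer),
];
foreach ($requests as $label => $request) {
    $response = renderComments($request, $comments);
    printf("%s => Preference-Applied: %s | Vary: %s | %d comment(s)\n", $label,
        $response->headers->get('Preference-Applied', '-'), implode(', ', $response->getVary()),
        substr_count($response->getContent(), "\n") + 1);
}
```

Only the first request gets the filtered body and `Preference-Applied: safe`; all three responses carry `Vary: Prefer`, so a cache keeps the two variants apart.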


Comments

Apple has a list of what they consider unsafe content: objectionable content.
https://developer.apple.com/app-store/review/guidelines/#safety
