Search by 
oihana / php-http
Composable PHP HTTP toolkit โ client IP detection (X-Forwarded-For chain walking + CIDR + IPv4/IPv6), typed Set-Cookie header builders, signed URLs, content negotiation, user-agent parsing. PSR-7 compatible, zero magic strings.
Maintainers
1.2.0
2026-06-04 09:51 UTC
Requires
- php: >=8.4
- oihana/php-core: dev-main
- oihana/php-enums: dev-main
- oihana/php-files: dev-main
- oihana/php-reflect: dev-main
- oihana/php-schema: dev-main
- oihana/php-standards: dev-main
- psr/http-message: ^2.0
Requires (Dev)
- nunomaduro/collision: ^8.8
- phpdocumentor/shim: ^3.8
- phpunit/phpunit: ^12
- slim/psr7: ^1.7
README
Composable PHP HTTP toolkit. Part of the Oihana PHP ecosystem, this package provides battle-tested helpers for HTTP-facing code: client IP detection against reverse proxies, GDPR-compliant anonymisation, typed Set-Cookie builders and parsers, PSR-7 authentication and request inspection helpers, content negotiation, HTTP dates, URL/query string toolkit, HMAC signatures for signed URLs and webhooks, User-Agent parser. PSR-7 compatible, zero magic strings.
๐ Documentation
Full API reference (generated with phpDocumentor): https://bcommebois.github.io/oihana-php-http
User guides (FR + EN) live under wiki/.
๐ฆ Installation
Requires PHP 8.4+. Install via Composer:
composer require oihana/php-http
โจ What you can do
Network & IP
- Detect the real client IP behind a chain of trusted reverse proxies. Walks
X-Forwarded-Forright-to-left, skips trusted hops via CIDR matching, falls back onForwarded(RFC 7239),X-Real-IPandREMOTE_ADDR. Validates IPv4 and IPv6, normalizes IPv4-mapped IPv6, strips IPv6 zone IDs. - Anonymise IPs for GDPR-friendly logging โ
truncateIpToSlash24()(IPv4 โ/24),truncateIpToSlash48()(IPv6 โ/48, BfDI/BSI recommendation), oranonymizeIp()for a single entry point routing by address family.
Cookies
- Build & parse
Set-Cookie/Cookieheaders with strict validation (rejects CRLF injection, control characters, malformed names). Typed attributes:HttpOnly,Secure,SameSite=Strict|Lax|None,Domain,Path,Max-Age,Expires(RFC 7231 IMF-fixdate),Priority(Low|Medium|High),Partitioned(CHIPS).
Auth & PSR-7 request inspection
- Authorization helpers โ
parseAuthorizationHeader(),getBearerToken(),getBasicAuth()(RFC 7617 split on first colon). - Request inspection โ
wantsJson(),isAjax(),isHttpsRequest()(with anti-spoofing trusted-proxy filter symmetric withgetClientIp()).
Content negotiation
Accept*parser โparseAcceptHeader()is a single universal parser forAccept,Accept-LanguageandAccept-Encoding(same RFC 7231 ยง5.3 grammar). Returns entries sorted by q-value, stable on ties.negotiate()โ best-match selection with wildcard support (*,*/*,type/*), case-preserving candidate return.parseContentType()โ{type, charset, boundary, params}tuple, case-insensitive on type/charset, case-preserving on boundary.
Dates, URLs, signatures
- HTTP dates โ
parseHttpDate()accepts all three RFC 7231 ยง7.1.1.1 formats (IMF-fixdate, RFC 850, asctime);formatHttpDate()emits IMF-fixdate from anyDateTimeInterfaceconverted to UTC. - URL & query string toolkit โ
parseQueryString()/buildQueryString()preserve duplicates,withQueryParams()/removeQueryParam()immutable PSR-7 updates,normalizeUrl()canonical form,isAbsoluteUrl(),getHost()normalised host extraction,isPublicUrl()/isLocalUrl()(local / private / reserved host detection),withUrlComponents()derive a URL by replacing/removing components. - HMAC signatures โ
signUrl()/verifySignedUrl()for pre-signed URLs with TTL;verifyHmacSignature()for webhook payload verification (Stripe / GitHub / Slack / Mailchimp).
User-Agent
- Pragmatic, dependency-free parser โ
parseUserAgent()returns a structuredUserAgentInfoDTO (browser, OS, device class, bot flag). PredicatesisBotUserAgent()andisMobileUserAgent()for the common one-shot questions.
Under the hood
- Consistent typed enums and constants โ
CookieAttribute,CookieOption,CookiePriority,SameSite,SetCookieField,AcceptField,ContentTypeField,AuthorizationField,BasicAuthField,BrowserName,OsName,SignatureFormat,SignedUrlField. - Pure PSR-7 โ no framework lock-in. Works with Slim, Laravel, Symfony HTTP Foundation (via PSR-7 bridge), Hyperf, RoadRunner, etc.
- Strongly-typed enums and constants โ no magic strings anywhere.
- Constant-time HMAC comparisons (
hash_equals()) โ safe against timing-side-channel attacks.
โ Running tests
Run all tests:
composer test
Run a specific test file:
composer test ./tests/oihana/http/helpers/ips/GetClientIpTest.php
๐ ๏ธ Generate the documentation
We use phpDocumentor to generate documentation into the ./docs folder.
composer doc
๐งพ License
Licensed under the Mozilla Public License 2.0 (MPLโ2.0).
๐ค About the author
- Author: Marc ALCARAZ (aka eKameleon)
- Email:
marc@ooop.fr - Website:
https://www.ooop.fr
๐ Related packages
oihana/php-coreโ core helpers and utilities (base64UrlEncode/base64UrlDecodeconsumed bysignUrl):https://github.com/BcommeBois/oihana-php-coreoihana/php-enumsโ typed constants & enums (HttpHeader,AuthScheme, โฆ):https://github.com/BcommeBois/oihana-php-enumsoihana/php-filesโ file system helpers (joinPathsfor URL path concatenation):https://github.com/BcommeBois/oihana-php-filesoihana/php-reflectโ reflection and hydration utilities (ConstantsTraitpowering every enum class):https://github.com/BcommeBois/oihana-php-reflectoihana/php-schemaโ shared DTOs (UserAgentInforeturned byparseUserAgent,Session, โฆ):https://github.com/BcommeBois/oihana-php-schemaoihana/php-standardsโ standard date formats (DateFormat::RFC7231used byformatHttpDateand the cookieExpiresattribute):https://github.com/BcommeBois/oihana-php-standardsoihana/php-authโ Casbin RBAC + JWT/OIDC authorization toolkit, consumer of the IP and cookie helpers:https://github.com/BcommeBois/oihana-php-auth