WSGI Request & Response#
Instances of the falcon.Request
and
falcon.Response
classes are passed into WSGI app responders as the
second and third arguments, respectively:
import falcon
class Resource:
def on_get(self, req, resp):
resp.media = {'message': 'Hello world!'}
resp.status = falcon.HTTP_200
# -- snip --
app = falcon.App()
app.add_route('/', Resource())
Request#
- class falcon.Request(env: Dict[str, Any], options: RequestOptions | None = None)[source]#
Represents a client’s HTTP request.
Note
Request is not meant to be instantiated directly by responders.
- Parameters:
env (dict) – A WSGI environment dict passed in from the server. See also PEP-3333.
- Keyword Arguments:
options (RequestOptions) – Set of global options passed from the App handler.
- property access_route: List[str]#
IP address of the original client, as well as any known addresses of proxies fronting the WSGI server.
The following request headers are checked, in order of preference, to determine the addresses:
Forwarded
X-Forwarded-For
X-Real-IP
If none of these headers are available, the value of
remote_addr
is used instead.Note
Per RFC 7239, the access route may contain “unknown” and obfuscated identifiers, in addition to IPv4 and IPv6 addresses
Warning
Headers can be forged by any client or proxy. Use this property with caution and validate all values before using them. Do not rely on the access route to authorize requests.
- property bounded_stream: BoundedStream#
File-like wrapper around stream to normalize certain differences between the native input objects employed by different WSGI servers. In particular, bounded_stream is aware of the expected Content-Length of the body, and will never block on out-of-bounds reads, assuming the client does not stall while transmitting the data to the server.
For example, the following will not block when Content-Length is 0 or the header is missing altogether:
data = req.bounded_stream.read()
This is also safe:
doc = json.load(req.bounded_stream)
- client_accepts(media_type: str) bool [source]#
Determine whether or not the client accepts a given media type.
- property client_accepts_json: bool#
True
if the Accept header indicates that the client is willing to receive JSON, otherwiseFalse
.
- property client_accepts_msgpack: bool#
True
if the Accept header indicates that the client is willing to receive MessagePack, otherwiseFalse
.
- property client_accepts_xml: bool#
True
if the Accept header indicates that the client is willing to receive XML, otherwiseFalse
.
- client_prefers(media_types: Iterable[str]) str | None [source]#
Return the client’s preferred media type, given several choices.
- Parameters:
media_types (iterable of str) – One or more Internet media types from which to choose the client’s preferred type. This value must be an iterable collection of strings.
- Returns:
The client’s preferred media type, based on the Accept header. Returns
None
if the client does not accept any of the given types.- Return type:
- property content_length: int | None#
Value of the Content-Length header converted to an
int
.Returns
None
if the header is missing.
- context: Context#
Empty object to hold any data (in its attributes) about the request which is specific to your app (e.g. session object). Falcon itself will not interact with this attribute after it has been initialized.
Note
The preferred way to pass request-specific data, when using the default context type, is to set attributes directly on the context object. For example:
req.context.role = 'trial' req.context.user = 'guest'
- property cookies: Mapping[str, str]#
A dict of name/value cookie pairs.
The returned object should be treated as read-only to avoid unintended side-effects. If a cookie appears more than once in the request, only the first value encountered will be made available here.
See also:
get_cookie_values()
orget_cookie_values()
.
- property date: datetime | None#
Value of the Date header, converted to a
datetime
instance.The header value is assumed to conform to RFC 1123.
Changed in version 4.0: This property now returns timezone-aware
datetime
objects (orNone
).
- env: Dict[str, Any]#
Reference to the WSGI environ
dict
passed in from the server. (See also PEP-3333.)
- property forwarded: List[Forwarded] | None#
Value of the Forwarded header, as a parsed list of
falcon.Forwarded
objects, orNone
if the header is missing. If the header value is malformed, Falcon will make a best effort to parse what it can.(See also: RFC 7239, Section 4)
- property forwarded_host: str#
Original host request header as received by the first proxy in front of the application server.
The following request headers are checked, in order of preference, to determine the forwarded scheme:
Forwarded
X-Forwarded-Host
If none of the above headers are available, or if the Forwarded header is available but the “host” parameter is not included in the first hop, the value of
host
is returned instead.Note
Reverse proxies are often configured to set the Host header directly to the one that was originally requested by the user agent; in that case, using
host
is sufficient.(See also: RFC 7239, Section 4)
- property forwarded_prefix: str#
The prefix of the original URI for proxied requests.
Uses
forwarded_scheme
andforwarded_host
in order to reconstruct the original URI.
- property forwarded_scheme: str#
Original URL scheme requested by the user agent, if the request was proxied.
Typical values are ‘http’ or ‘https’.
The following request headers are checked, in order of preference, to determine the forwarded scheme:
Forwarded
X-Forwarded-For
If none of these headers are available, or if the Forwarded header is available but does not contain a “proto” parameter in the first hop, the value of
scheme
is returned instead.(See also: RFC 7239, Section 1)
- property forwarded_uri: str#
Original URI for proxied requests.
Uses
forwarded_scheme
andforwarded_host
in order to reconstruct the original URI requested by the user agent.
- get_cookie_values(name: str) List[str] | None [source]#
Return all values provided in the Cookie header for the named cookie.
(See also: Getting Cookies)
- Parameters:
name (str) – Cookie name, case-sensitive.
- Returns:
Ordered list of all values specified in the Cookie header for the named cookie, or
None
if the cookie was not included in the request. If the cookie is specified more than once in the header, the returned list of values will preserve the ordering of the individualcookie-pair
’s in the header.- Return type:
- get_header(name: str, required: Literal[True], default: str | None = None) str [source]#
- get_header(name: str, required: bool = False, *, default: str) str
- get_header(name: str, required: bool = False, default: str | None = None) str | None
Retrieve the raw string value for the given header.
- Parameters:
name (str) – Header name, case-insensitive (e.g., ‘Content-Type’)
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returning gracefully when the header is not found (defaultFalse
).default (any) – Value to return if the header is not found (default
None
).
- Returns:
The value of the specified header if it exists, or the default value if the header is not found and is not required.
- Return type:
- Raises:
HTTPBadRequest – The header was not found in the request, but it was required.
- get_header_as_datetime(header: str, required: Literal[True], obs_date: bool = False) datetime [source]#
- get_header_as_datetime(header: str, required: bool = False, obs_date: bool = False) datetime | None
Return an HTTP header with HTTP-Date values as a datetime.
- Parameters:
name (str) – Header name, case-insensitive (e.g., ‘Date’)
- Keyword Arguments:
- Returns:
The value of the specified header if it exists, or
None
if the header is not found and is not required.- Return type:
datetime
- Raises:
HTTPBadRequest – The header was not found in the request, but it was required.
HttpInvalidHeader – The header contained a malformed/invalid value.
Changed in version 4.0: This method now returns timezone-aware
datetime
objects.
- get_header_as_int(header: str, required: Literal[True]) int [source]#
- get_header_as_int(header: str, required: bool = False) int | None
Retrieve the int value for the given header.
- Parameters:
name (str) – Header name, case-insensitive (e.g., ‘Content-Length’)
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returning gracefully when the header is not found (defaultFalse
).- Returns:
The value of the specified header if it exists, or
None
if the header is not found and is not required.- Return type:
- Raises:
HTTPBadRequest – The header was not found in the request, but it was required.
HttpInvalidHeader – The header contained a malformed/invalid value.
Added in version 4.0.
- get_media(default_when_empty: Literal[_Unset.UNSET] | Any = _Unset.UNSET) Any [source]#
Return a deserialized form of the request stream.
The first time this method is called, the request stream will be deserialized using the Content-Type header as well as the media-type handlers configured via
falcon.RequestOptions
. The result will be cached and returned in subsequent calls:deserialized_media = req.get_media()
If the matched media handler raises an error while attempting to deserialize the request body, the exception will propagate up to the caller.
See also Media for more information regarding media handling.
Note
When
get_media
is called on a request with an empty body, Falcon will let the media handler try to deserialize the body and will return the value returned by the handler or propagate the exception raised by it. To instead return a different value in case of an exception by the handler, specify the argumentdefault_when_empty
.Warning
This operation will consume the request stream the first time it’s called and cache the results. Follow-up calls will just retrieve a cached version of the object.
- Parameters:
default_when_empty – Fallback value to return when there is no body in the request and the media handler raises an error (like in the case of the default JSON media handler). By default, Falcon uses the value returned by the media handler or propagates the raised exception, if any. This value is not cached, and will be used only for the current call.
- Returns:
The deserialized media representation.
- Return type:
media (object)
- get_param(name: str, required: Literal[True], store: Dict[str, Any] | None = None, default: str | None = None) str [source]#
- get_param(name: str, required: bool = False, store: Dict[str, Any] | None = None, *, default: str) str
- get_param(name: str, required: bool = False, store: Dict[str, Any] | None = None, default: str | None = None) str | None
Return the raw value of a query string parameter as a string.
Note
If an HTML form is POSTed to the API using the application/x-www-form-urlencoded media type, Falcon can automatically parse the parameters from the request body and merge them into the query string parameters. To enable this functionality, set
auto_parse_form_urlencoded
toTrue
viaApp.req_options
.Note, however, that the
auto_parse_form_urlencoded
option is considered deprecated as of Falcon 3.0 in favor of accessing the URL-encoded form viamedia
, and it may be removed in a future release.See also: How can I access POSTed form params?
Note
Similar to the way multiple keys in form data are handled, if a query parameter is included in the query string multiple times, only one of those values will be returned, and it is undefined which one. This caveat also applies when
auto_parse_qs_csv
is enabled and the given parameter is assigned to a comma-separated list of values (e.g.,foo=a,b,c
).When multiple values are expected for a parameter,
get_param_as_list()
can be used to retrieve all of them at once.- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘sort’).
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found (defaultFalse
).store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is present.default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param as a string, or
None
if param is not found and is not required.- Return type:
- Raises:
HTTPBadRequest – A required param is missing from the request.
- get_param_as_bool(name: str, required: Literal[True], store: Dict[str, Any] | None = None, blank_as_true: bool = True, default: bool | None = None) bool [source]#
- get_param_as_bool(name: str, required: bool = False, store: Dict[str, Any] | None = None, blank_as_true: bool = True, *, default: bool) bool
- get_param_as_bool(name: str, required: bool = False, store: Dict[str, Any] | None = None, blank_as_true: bool = True, default: bool | None = None) bool | None
Return the value of a query string parameter as a boolean.
This method treats valueless parameters as flags. By default, if no value is provided for the parameter in the query string,
True
is assumed and returned. If the parameter is missing altogether,None
is returned as with otherget_param_*()
methods, which can be easily treated as falsy by the caller as needed.The following boolean strings are supported:
TRUE_STRINGS = ('true', 'True', 't', 'yes', 'y', '1', 'on') FALSE_STRINGS = ('false', 'False', 'f', 'no', 'n', '0', 'off')
- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘detailed’).
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found or is not a recognized boolean string (defaultFalse
).store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).blank_as_true (bool) – Valueless query string parameters are treated as flags, resulting in
True
being returned when such a parameter is present, andFalse
otherwise. To require the client to explicitly opt-in to a truthy value, passblank_as_true=False
to returnFalse
when a value is not specified in the query string.default (any) – If the param is not found, return this value instead of
None
.
- Returns:
The value of the param if it is found and can be converted to a
bool
. If the param is not found, returnsNone
unless required isTrue
.- Return type:
- Raises:
HTTPBadRequest – A required param is missing from the request, or can not be converted to a
bool
.
- get_param_as_date(name: str, format_string: str = '%Y-%m-%d', *, required: Literal[True], store: Dict[str, Any] | None = None, default: date | None = None) date [source]#
- get_param_as_date(name: str, format_string: str = '%Y-%m-%d', required: bool = False, store: Dict[str, Any] | None = None, *, default: date) date
- get_param_as_date(name: str, format_string: str = '%Y-%m-%d', required: bool = False, store: Dict[str, Any] | None = None, default: date | None = None) date | None
Return the value of a query string parameter as a date.
- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘ids’).
- Keyword Arguments:
format_string (str) – String used to parse the param value into a date. Any format recognized by strptime() is supported (default
"%Y-%m-%d"
).required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found (defaultFalse
).store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param if it is found and can be converted to a
date
according to the supplied format string. If the param is not found, returnsNone
unless required isTrue
.- Return type:
- Raises:
HTTPBadRequest – A required param is missing from the request, or the value could not be converted to a
date
.
- get_param_as_datetime(name: str, format_string: str = '%Y-%m-%dT%H:%M:%S%z', *, required: Literal[True], store: Dict[str, Any] | None = None, default: datetime | None = None) datetime [source]#
- get_param_as_datetime(name: str, format_string: str = '%Y-%m-%dT%H:%M:%S%z', required: bool = False, store: Dict[str, Any] | None = None, *, default: datetime) datetime
- get_param_as_datetime(name: str, format_string: str = '%Y-%m-%dT%H:%M:%S%z', required: bool = False, store: Dict[str, Any] | None = None, default: datetime | None = None) datetime | None
Return the value of a query string parameter as a datetime.
- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘ids’).
- Keyword Arguments:
format_string (str) – String used to parse the param value into a
datetime
. Any format recognized by strptime() is supported (default'%Y-%m-%dT%H:%M:%S%z'
).required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found (defaultFalse
).store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param if it is found and can be converted to a
datetime
according to the supplied format string. If the param is not found, returnsNone
unless required isTrue
.- Return type:
- Raises:
HTTPBadRequest – A required param is missing from the request, or the value could not be converted to a
datetime
.
Changed in version 4.0: The default value of format_string was changed from
'%Y-%m-%dT%H:%M:%SZ'
to'%Y-%m-%dT%H:%M:%S%z'
.The new format is a superset of the old one parsing-wise, however, the converted
datetime
object is now timezone-aware.
- get_param_as_float(name: str, required: Literal[True], min_value: float | None = None, max_value: float | None = None, store: Dict[str, Any] | None = None, default: float | None = None) float [source]#
- get_param_as_float(name: str, required: bool = False, min_value: float | None = None, max_value: float | None = None, store: Dict[str, Any] | None = None, *, default: float) float
- get_param_as_float(name: str, required: bool = False, min_value: float | None = None, max_value: float | None = None, store: Dict[str, Any] | None = None, default: float | None = None) float | None
Return the value of a query string parameter as an float.
- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘limit’).
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found or is not an float (defaultFalse
).min_value (float) – Set to the minimum value allowed for this param. If the param is found and it is less than min_value, an
HTTPError
is raised.max_value (float) – Set to the maximum value allowed for this param. If the param is found and its value is greater than max_value, an
HTTPError
is raised.store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param if it is found and can be converted to an
float
. If the param is not found, returnsNone
, unless required isTrue
.- Return type:
- Raises
- HTTPBadRequest: The param was not found in the request, even though
it was required to be there, or it was found but could not be converted to an
float
. Also raised if the param’s value falls outside the given interval, i.e., the value must be in the interval: min_value <= value <= max_value to avoid triggering an error.
- get_param_as_int(name: str, required: Literal[True], min_value: int | None = None, max_value: int | None = None, store: Dict[str, Any] | None = None, default: int | None = None) int [source]#
- get_param_as_int(name: str, required: bool = False, min_value: int | None = None, max_value: int | None = None, store: Dict[str, Any] | None = None, *, default: int) int
- get_param_as_int(name: str, required: bool = False, min_value: int | None = None, max_value: int | None = None, store: Dict[str, Any] | None = None, default: int | None = None) int | None
Return the value of a query string parameter as an int.
- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘limit’).
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found or is not an integer (defaultFalse
).min_value (int) – Set to the minimum value allowed for this param. If the param is found and it is less than min_value, an
HTTPError
is raised.max_value (int) – Set to the maximum value allowed for this param. If the param is found and its value is greater than max_value, an
HTTPError
is raised.store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param if it is found and can be converted to an
int
. If the param is not found, returnsNone
, unless required isTrue
.- Return type:
- Raises
- HTTPBadRequest: The param was not found in the request, even though
it was required to be there, or it was found but could not be converted to an
int
. Also raised if the param’s value falls outside the given interval, i.e., the value must be in the interval: min_value <= value <= max_value to avoid triggering an error.
- get_param_as_json(name: str, required: bool = False, store: Dict[str, Any] | None = None, default: Any | None = None) Any [source]#
Return the decoded JSON value of a query string parameter.
Given a JSON value, decode it to an appropriate Python type, (e.g.,
dict
,list
,str
,int
,bool
, etc.)Warning
If the
auto_parse_qs_csv
option is set toTrue
(defaultFalse
), the framework will misinterpret any JSON values that include literal (non-percent-encoded) commas. If the query string may include JSON, you can use JSON array syntax in lieu of CSV as a workaround.- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘payload’).
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found (defaultFalse
).store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param if it is found. Otherwise, returns
None
unless required isTrue
.- Return type:
- Raises:
HTTPBadRequest – A required param is missing from the request, or the value could not be parsed as JSON.
- get_param_as_list(name: str, transform: None = None, *, required: Literal[True], store: Dict[str, Any] | None = None, default: List[str] | None = None) List[str] [source]#
- get_param_as_list(name: str, transform: Callable[[str], _T], required: Literal[True], store: Dict[str, Any] | None = None, default: List[_T] | None = None) List[_T]
- get_param_as_list(name: str, transform: None = None, required: bool = False, store: Dict[str, Any] | None = None, *, default: List[str]) List[str]
- get_param_as_list(name: str, transform: Callable[[str], _T], required: bool = False, store: Dict[str, Any] | None = None, *, default: List[_T]) List[_T]
- get_param_as_list(name: str, transform: None = None, required: bool = False, store: Dict[str, Any] | None = None, default: List[str] | None = None) List[str] | None
- get_param_as_list(name: str, transform: Callable[[str], _T], required: bool = False, store: Dict[str, Any] | None = None, default: List[_T] | None = None) List[_T] | None
Return the value of a query string parameter as a list.
List items must be comma-separated or must be provided as multiple instances of the same param in the query string ala application/x-www-form-urlencoded.
Note
To enable the interpretation of comma-separated parameter values, the
auto_parse_qs_csv
option must be set toTrue
(defaultFalse
).- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘ids’).
- Keyword Arguments:
transform (callable) – An optional transform function that takes as input each element in the list as a
str
and outputs a transformed element for inclusion in the list that will be returned. For example, passingint
will transform list items into numbers.required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found (defaultFalse
).store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param if it is found. Otherwise, returns
None
unless required isTrue
.Empty list elements will be included by default, but this behavior can be configured by setting the
keep_blank_qs_values
option. For example, by default the following query strings would both result in['1', '', '3']
:things=1&things=&things=3 things=1,,3
Note, however, that for the second example string above to be interpreted as a list, the
auto_parse_qs_csv
option must be set toTrue
.- Return type:
- Raises:
HTTPBadRequest – A required param is missing from the request, or a transform function raised an instance of
ValueError
.
- get_param_as_uuid(name: str, required: Literal[True], store: Dict[str, Any] | None = None, default: UUID | None = None) UUID [source]#
- get_param_as_uuid(name: str, required: bool = False, store: Dict[str, Any] | None = None, *, default: UUID) UUID
- get_param_as_uuid(name: str, required: bool = False, store: Dict[str, Any] | None = None, default: UUID | None = None) UUID | None
Return the value of a query string parameter as an UUID.
The value to convert must conform to the standard UUID string representation per RFC 4122. For example, the following strings are all valid:
# Lowercase '64be949b-3433-4d36-a4a8-9f19d352fee8' # Uppercase 'BE71ECAA-F719-4D42-87FD-32613C2EEB60' # Mixed '81c8155C-D6de-443B-9495-39Fa8FB239b5'
- Parameters:
name (str) – Parameter name, case-sensitive (e.g., ‘id’).
- Keyword Arguments:
required (bool) – Set to
True
to raiseHTTPBadRequest
instead of returningNone
when the parameter is not found or is not a UUID (defaultFalse
).store (dict) – A
dict
-like object in which to place the value of the param, but only if the param is found (defaultNone
).default (any) – If the param is not found returns the given value instead of
None
- Returns:
The value of the param if it is found and can be converted to a
UUID
. If the param is not found, returnsdefault
(defaultNone
), unless required isTrue
.- Return type:
UUID
- Raises
- HTTPBadRequest: The param was not found in the request, even though
it was required to be there, or it was found but could not be converted to a
UUID
.
- has_param(name: str) bool [source]#
Determine whether or not the query string parameter already exists.
- property headers: Mapping[str, str]#
Raw HTTP headers from the request with dash-separated names normalized to uppercase.
Note
This property differs from the ASGI version of
Request.headers
in that the latter returns lowercase names. Middleware, such as tracing and logging components, that need to be compatible with both WSGI and ASGI apps should useheaders_lower
instead.Warning
Parsing all the headers to create this dict is done the first time this attribute is accessed, and the returned object should be treated as read-only. Note that this parsing can be costly, so unless you need all the headers in this format, you should instead use the
get_header()
method or one of the convenience attributes to get a value for a specific header.
- property headers_lower: Mapping[str, str]#
Same as
headers
except header names are normalized to lowercase.Added in version 4.0.
- property if_match: List[ETag | Literal['*']] | None#
Value of the If-Match header, as a parsed list of
falcon.ETag
objects orNone
if the header is missing or its value is blank.This property provides a list of all
entity-tags
in the header, both strong and weak, in the same order as listed in the header.(See also: RFC 7232, Section 3.1)
- property if_modified_since: datetime | None#
Value of the If-Modified-Since header.
Returns
None
if the header is missing.Changed in version 4.0: This property now returns timezone-aware
datetime
objects (orNone
).
- property if_none_match: List[ETag | Literal['*']] | None#
Value of the If-None-Match header, as a parsed list of
falcon.ETag
objects orNone
if the header is missing or its value is blank.This property provides a list of all
entity-tags
in the header, both strong and weak, in the same order as listed in the header.(See also: RFC 7232, Section 3.2)
- property if_unmodified_since: datetime | None#
Value of the If-Unmodified-Since header.
Returns
None
if the header is missing.Changed in version 4.0: This property now returns timezone-aware
datetime
objects (orNone
).
- log_error(message: str) None [source]#
Write an error message to the server’s log.
Prepends timestamp and request info to message, and writes the result out to the WSGI server’s error stream (wsgi.error).
- Parameters:
message (str) – Description of the problem.
- property netloc: str#
port” portion of the request URL.
The port may be omitted if it is the default one for the URL’s schema (80 for HTTP and 443 for HTTPS).
- Type:
Returns the “host
- options: RequestOptions#
Set of global options passed from the App handler.
- property params: Mapping[str, str | List[str]]#
The mapping of request query parameter names to their values.
Where the parameter appears multiple times in the query string, the value mapped to that parameter key will be a list of all the values in the order seen.
- path: str#
Path portion of the request URI (not including query string).
Warning
If this attribute is to be used by the app for any upstream requests, any non URL-safe characters in the path must be URL encoded back before making the request.
Note
req.path
may be set to a new value by aprocess_request()
middleware method in order to influence routing. If the original request path was URL encoded, it will be decoded before being returned by this attribute.
- property port: int#
Port used for the request.
If the Host header is present in the request, but does not specify a port, the default one for the given schema is returned (80 for HTTP and 443 for HTTPS). If the request does not include a Host header, the listening port for the server is returned instead.
- property prefix: str#
The prefix of the request URI, including scheme, host, and app
root_path
(if any).
- property range: Tuple[int, int] | None#
A 2-member
tuple
parsed from the value of the Range header, orNone
if the header is missing.The two members correspond to the first and last byte positions of the requested resource, inclusive. Negative indices indicate offset from the end of the resource, where -1 is the last byte, -2 is the second-to-last byte, and so forth.
Only continuous ranges are supported (e.g., “bytes=0-0,-1” would result in an HTTPBadRequest exception when the attribute is accessed).
- property range_unit: str | None#
Unit of the range parsed from the value of the Range header.
Returns
None
if the header is missing.
- property relative_uri: str#
The path and query string portion of the request URI, omitting the scheme and host.
- property remote_addr: str#
IP address of the closest client or proxy to the WSGI server.
This property is determined by the value of
REMOTE_ADDR
in the WSGI environment dict. Since this address is not derived from an HTTP header, clients and proxies can not forge it.Note
If your application is behind one or more reverse proxies, you can use
access_route
to retrieve the real IP address of the client.
- property root_path: str#
The initial portion of the request URI’s path that corresponds to the application object, so that the application knows its virtual “location”. This may be an empty string, if the application corresponds to the “root” of the server.
(In WSGI it corresponds to the “SCRIPT_NAME” environ variable defined by PEP-3333; in ASGI it Corresponds to the “root_path”ASGI HTTP scope field.)
- property scheme: str#
URL scheme used for the request. Either ‘http’ or ‘https’.
Note
If the request was proxied, the scheme may not match what was originally requested by the client.
forwarded_scheme
can be used, instead, to handle such cases.
- stream: ReadableIO#
File-like input object for reading the body of the request, if any. This object provides direct access to the server’s data stream and is non-seekable. In order to avoid unintended side effects, and to provide maximum flexibility to the application, Falcon itself does not buffer or spool the data in any way.
Since this object is provided by the WSGI server itself, rather than by Falcon, it may behave differently depending on how you host your app. For example, attempting to read more bytes than are expected (as determined by the Content-Length header) may or may not block indefinitely. It’s a good idea to test your WSGI server to find out how it behaves.
This can be particularly problematic when a request body is expected, but none is given. In this case, the following call blocks under certain WSGI servers:
# Blocks if Content-Length is 0 data = req.stream.read()
The workaround is fairly straightforward, if verbose:
# If Content-Length happens to be 0, or the header is # missing altogether, this will not block. data = req.stream.read(req.content_length or 0)
Alternatively, when passing the stream directly to a consumer, it may be necessary to branch off the value of the Content-Length header:
if req.content_length: doc = json.load(req.stream)
For a slight performance cost, you may instead wish to use
bounded_stream
, which wraps the native WSGI input object to normalize its behavior.Note
If an HTML form is POSTed to the API using the application/x-www-form-urlencoded media type, and the
auto_parse_form_urlencoded
option is set, the framework will consume stream in order to parse the parameters and merge them into the query string parameters. In this case, the stream will be left at EOF.
- property subdomain: str | None#
Leftmost (i.e., most specific) subdomain from the hostname.
If only a single domain name is given, subdomain will be
None
.Note
If the hostname in the request is an IP address, the value for subdomain is undefined.
- uri_template: str | None#
The template for the route that was matched for this request. May be
None
if the request has not yet been routed, as would be the case forprocess_request()
middleware methods. May also beNone
if your app uses a custom routing engine and the engine does not provide the URI template when resolving a route.
- property url: str#
Alias for
Request.uri
.
- class falcon.Forwarded[source]#
Represents a parsed Forwarded header.
(See also: RFC 7239, Section 4)
- dest: str | None#
The value of the “by” parameter, or
None
if the parameter is absent.Identifies the client-facing interface of the proxy.
- host: str | None#
The value of the “host” parameter, or
None
if the parameter is absent.Provides the host request header field as received by the proxy.
- class falcon.stream.BoundedStream(stream: BinaryIO, stream_len: int)[source]#
Wrap wsgi.input streams to make them more robust.
socket._fileobject
andio.BufferedReader
are sometimes used to implement wsgi.input. However, app developers are often burned by the fact that the read() method for these objects block indefinitely if either no size is passed, or a size greater than the request’s content length is passed to the method.This class normalizes wsgi.input behavior between WSGI servers by implementing non-blocking behavior for the cases mentioned above. The caller is not allowed to read more than the number of bytes specified by the Content-Length header in the request.
- Parameters:
stream – Instance of
socket._fileobject
fromenviron['wsgi.input']
stream_len – Expected content length of the stream.
- exhaust(chunk_size: int = 65536) None [source]#
Exhaust the stream.
This consumes all the data left until the limit is reached.
- Parameters:
chunk_size (int) – The size for a chunk (default: 64 KB). It will read the chunk until the stream is exhausted.
Response#
- class falcon.Response(options: ResponseOptions | None = None)[source]#
Represents an HTTP response to a client request.
Note
Response
is not meant to be instantiated directly by responders.- Keyword Arguments:
options (ResponseOptions) – Set of global options passed from the App handler.
- property accept_ranges: str | None#
Set the Accept-Ranges header.
The Accept-Ranges header field indicates to the client which range units are supported (e.g. “bytes”) for the target resource.
If range requests are not supported for the target resource, the header may be set to “none” to advise the client not to attempt any such requests.
Note
“none” is the literal string, not Python’s built-in
None
type.
- append_header(name: str, value: str) None [source]#
Set or append a header for this response.
If the header already exists, the new value will normally be appended to it, delimited by a comma. The notable exception to this rule is Set-Cookie, in which case a separate header line for each value will be included in the response.
Note
While this method can be used to efficiently append raw Set-Cookie headers to the response, you may find
set_cookie()
to be more convenient.
- append_link(target: str, rel: str, title: str | None = None, title_star: Tuple[str, str] | None = None, anchor: str | None = None, hreflang: str | Iterable[str] | None = None, type_hint: str | None = None, crossorigin: str | None = None, link_extension: Iterable[Tuple[str, str]] | None = None) None [source]#
Append a link header to the response.
(See also: RFC 5988, Section 1)
Note
Calling this method repeatedly will cause each link to be appended to the Link header value, separated by commas.
- Parameters:
target (str) – Target IRI for the resource identified by the link. Will be converted to a URI, if necessary, per RFC 3987, Section 3.1.
rel (str) –
Relation type of the link, such as “next” or “bookmark”.
(See also: http://www.iana.org/assignments/link-relations/link-relations.xhtml)
- Keyword Arguments:
title (str) – Human-readable label for the destination of the link (default
None
). If the title includes non-ASCII characters, you will need to use title_star instead, or provide both a US-ASCII version using title and a Unicode version using title_star.title_star (tuple[str, str]) –
Localized title describing the destination of the link (default
None
). The value must be a two-member tuple in the form of (language-tag, text), where language-tag is a standard language identifier as defined in RFC 5646, Section 2.1, and text is a Unicode string.Note
language-tag may be an empty string, in which case the client will assume the language from the general context of the current request.
Note
text will always be encoded as UTF-8.
anchor (str) – Override the context IRI with a different URI (default None). By default, the context IRI for the link is simply the IRI of the requested resource. The value provided may be a relative URI.
hreflang (str or iterable) – Either a single language-tag, or a
list
ortuple
of such tags to provide a hint to the client as to the language of the result of following the link. A list of tags may be given in order to indicate to the client that the target resource is available in multiple languages.type_hint (str) – Provides a hint as to the media type of the result of dereferencing the link (default
None
). As noted in RFC 5988, this is only a hint and does not override the Content-Type header returned when the link is followed.crossorigin (str) – Determines how cross origin requests are handled. Can take values ‘anonymous’ or ‘use-credentials’ or None. (See: https://www.w3.org/TR/html50/infrastructure.html#cors-settings-attribute)
link_extension – Provides additional custom attributes, as described in RFC 8288, Section 3.4.2; each member of the iterable must be a two-tuple in the form of (param, value).
- property cache_control: str | None#
Set the Cache-Control header.
Used to set a list of cache directives to use as the value of the Cache-Control header. The list will be joined with “, “ to produce the value for the header.
- complete: bool = False#
Set to
True
from within a middleware method to signal to the framework that request processing should be short-circuited (see also Middleware).
- property content_length: str | None#
Set the Content-Length header.
This property can be used for responding to HEAD requests when you aren’t actually providing the response body, or when streaming the response. If either the text property or the data property is set on the response, the framework will force Content-Length to be the length of the given text bytes. Therefore, it is only necessary to manually set the content length when those properties are not used.
Note
In cases where the response content is a stream (readable file-like object), Falcon will not supply a Content-Length header to the server unless content_length is explicitly set. Consequently, the server may choose to use chunked encoding in this case.
- property content_location: str | None#
Set the Content-Location header.
This value will be URI encoded per RFC 3986. If the value that is being set is already URI encoded it should be decoded first or the header should be set manually using the set_header method.
- property content_range: str | None#
A tuple to use in constructing a value for the Content-Range header.
The tuple has the form (start, end, length, [unit]), where start and end designate the range (inclusive), and length is the total length, or ‘*’ if unknown. You may pass
int
’s for these numbers (no need to convert tostr
beforehand). The optional value unit describes the range unit and defaults to ‘bytes’Note
You only need to use the alternate form, ‘bytes */1234’, for responses that use the status ‘416 Range Not Satisfiable’. In this case, raising
falcon.HTTPRangeNotSatisfiable
will do the right thing.(See also: RFC 7233, Section 4.2)
- property content_type: str | None#
Sets the Content-Type header.
The
falcon
module provides a number of constants for common media types, includingfalcon.MEDIA_JSON
,falcon.MEDIA_MSGPACK
,falcon.MEDIA_YAML
,falcon.MEDIA_XML
,falcon.MEDIA_HTML
,falcon.MEDIA_JS
,falcon.MEDIA_TEXT
,falcon.MEDIA_JPEG
,falcon.MEDIA_PNG
, andfalcon.MEDIA_GIF
.
- context: structures.Context#
Empty object to hold any data (in its attributes) about the response which is specific to your app (e.g. session object). Falcon itself will not interact with this attribute after it has been initialized.
Note
The preferred way to pass response-specific data, when using the default context type, is to set attributes directly on the context object. For example:
resp.context.cache_strategy = 'lru'
- property data: bytes | None#
Byte string representing response content.
Use this attribute in lieu of text when your content is already a byte string (of type
bytes
). See also the note below.Warning
Always use the text attribute for text, or encode it first to
bytes
when using the data attribute, to ensure Unicode characters are properly encoded in the HTTP response.
- delete_header(name: str) None [source]#
Delete a header that was previously set for this response.
If the header was not previously set, nothing is done (no error is raised). Otherwise, all values set for the header will be removed from the response.
Note that calling this method is equivalent to setting the corresponding header property (when said property is available) to
None
. For example:resp.etag = None
Warning
This method cannot be used with the Set-Cookie header. Instead, use
unset_cookie()
to remove a cookie and ensure that the user agent expires its own copy of the data as well.- Parameters:
name (str) – Header name (case-insensitive). The name may contain only US-ASCII characters.
- Raises:
ValueError – name cannot be
'Set-Cookie'
.
- property downloadable_as: str | None#
Set the Content-Disposition header using the given filename.
The value will be used for the
filename
directive. For example, given'report.pdf'
, the Content-Disposition header would be set to:'attachment; filename="report.pdf"'
.As per RFC 6266 recommendations, non-ASCII filenames will be encoded using the
filename*
directive, whereasfilename
will contain the US ASCII fallback.
- property etag: str | None#
Set the ETag header.
The ETag header will be wrapped with double quotes
"value"
in case the user didn’t pass it.
- property expires: str | None#
Set the Expires header. Set to a
datetime
(UTC) instance.Note
Falcon will format the
datetime
as an HTTP date string.
- get_header(name: str, default: str) str [source]#
- get_header(name: str, default: str | None = None) str | None
Retrieve the raw string value for the given header.
Normally, when a header has multiple values, they will be returned as a single, comma-delimited string. However, the Set-Cookie header does not support this format, and so attempting to retrieve it will raise an error.
- Parameters:
name (str) – Header name, case-insensitive. Must be of type
str
orStringType
, and only character values 0x00 through 0xFF may be used on platforms that use wide characters.- Keyword Arguments:
default – Value to return if the header is not found (default
None
).- Raises:
ValueError – The value of the ‘Set-Cookie’ header(s) was requested.
- Returns:
The value of the specified header if set, or the default value if not set.
- Return type:
- property headers: Dict[str, str]#
Copy of all headers set for the response, without cookies.
Note that a new copy is created and returned each time this property is referenced.
- property last_modified: str | None#
Set the Last-Modified header. Set to a
datetime
(UTC) instance.Note
Falcon will format the
datetime
as an HTTP date string.
- property location: str | None#
Set the Location header.
This value will be URI encoded per RFC 3986. If the value that is being set is already URI encoded it should be decoded first or the header should be set manually using the set_header method.
- property media: Any#
A serializable object supported by the media handlers configured via
falcon.RequestOptions
.Note
See also Media for more information regarding media handling.
- options: ResponseOptions#
Set of global options passed in from the App handler.
- render_body() bytes | None [source]#
Get the raw bytestring content for the response body.
This method returns the raw data for the HTTP response body, taking into account the
text
,data
, andmedia
attributes.Note
This method ignores
stream
; the caller must check and handle that attribute directly.- Returns:
The UTF-8 encoded value of the text attribute, if set. Otherwise, the value of the data attribute if set, or finally the serialized value of the media attribute. If none of these attributes are set,
None
is returned.- Return type:
- property retry_after: str | None#
Set the Retry-After header.
The expected value is an integral number of seconds to use as the value for the header. The HTTP-date syntax is not supported.
- set_cookie(name: str, value: str, expires: datetime | None = None, max_age: int | None = None, domain: str | None = None, path: str | None = None, secure: bool | None = None, http_only: bool = True, same_site: str | None = None, partitioned: bool = False) None [source]#
Set a response cookie.
Note
This method can be called multiple times to add one or more cookies to the response.
See also
To learn more about setting cookies, see Setting Cookies. The parameters listed below correspond to those defined in RFC 6265.
- Parameters:
- Keyword Arguments:
expires (datetime) –
Specifies when the cookie should expire. By default, cookies expire when the user agent exits.
(See also: RFC 6265, Section 4.1.2.1)
max_age (int) –
Defines the lifetime of the cookie in seconds. By default, cookies expire when the user agent exits. If both max_age and expires are set, the latter is ignored by the user agent.
Note
Coercion to
int
is attempted if provided withfloat
orstr
.(See also: RFC 6265, Section 4.1.2.2)
domain (str) –
Restricts the cookie to a specific domain and any subdomains of that domain. By default, the user agent will return the cookie only to the origin server. When overriding this default behavior, the specified domain must include the origin server. Otherwise, the user agent will reject the cookie.
Note
Cookies do not provide isolation by port, so the domain should not provide one. (See also: RFC 6265, Section 8.5)
(See also: RFC 6265, Section 4.1.2.3)
path (str) –
Scopes the cookie to the given path plus any subdirectories under that path (the “/” character is interpreted as a directory separator). If the cookie does not specify a path, the user agent defaults to the path component of the requested URI.
Warning
User agent interfaces do not always isolate cookies by path, and so this should not be considered an effective security measure.
(See also: RFC 6265, Section 4.1.2.4)
secure (bool) –
Direct the client to only return the cookie in subsequent requests if they are made over HTTPS (default:
True
). This prevents attackers from reading sensitive cookie data.Note
The default value for this argument is normally
True
, but can be modified by settingsecure_cookies_by_default
viaApp.resp_options
.Warning
For the secure cookie attribute to be effective, your application will need to enforce HTTPS.
(See also: RFC 6265, Section 4.1.2.5)
http_only (bool) –
The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via “non-HTTP” APIs. This is intended to mitigate some forms of cross-site scripting. (default:
True
)Note
HttpOnly cookies are not visible to javascript scripts in the browser. They are automatically sent to the server on javascript
XMLHttpRequest
orFetch
requests.(See also: RFC 6265, Section 4.1.2.6)
same_site (str) –
Helps protect against CSRF attacks by restricting when a cookie will be attached to the request by the user agent. When set to
'Strict'
, the cookie will only be sent along with “same-site” requests. If the value is'Lax'
, the cookie will be sent with same-site requests, and with “cross-site” top-level navigations. If the value is'None'
, the cookie will be sent with same-site and cross-site requests. Finally, when this attribute is not set on the cookie, the attribute will be treated as if it had been set to'None'
.(See also: Same-Site RFC Draft)
partitioned (bool) –
Prevents cookies from being accessed from other subdomains. With partitioned enabled, a cookie set by https://3rd-party.example which is embedded inside https://site-a.example can no longer be accessed by https://site-b.example. While this attribute is not yet standardized, it is already used by Chrome.
(See also: CHIPS)
Added in version 4.0.
- Raises:
KeyError – name is not a valid cookie name.
ValueError – value is not a valid cookie value.
- set_header(name: str, value: str) None [source]#
Set a header for this response to a given value.
Warning
Calling this method overwrites any values already set for this header. To append an additional value for this header, use
append_header()
instead.Warning
This method cannot be used to set cookies; instead, use
append_header()
orset_cookie()
.- Parameters:
- Raises:
ValueError – name cannot be
'Set-Cookie'
.
- set_headers(headers: Mapping[str, str] | Iterable[Tuple[str, str]]) None [source]#
Set several headers at once.
This method can be used to set a collection of raw header names and values all at once.
Warning
Calling this method overwrites any existing values for the given header. If a list containing multiple instances of the same header is provided, only the last value will be used. To add multiple values to the response for a given header, see
append_header()
.Warning
This method cannot be used to set cookies; instead, use
append_header()
orset_cookie()
.- Parameters:
headers (Iterable[[str, str]]) –
An iterable of
[name, value]
two-member iterables, or a dict-like object that implements anitems()
method. Both name and value must be of typestr
and contain only US-ASCII characters.Note
Falcon can process an iterable of tuples slightly faster than a dict.
- Raises:
ValueError – headers was not a
dict
orlist
oftuple
orIterable[[str, str]]
.
- set_stream(stream: ReadableIO | Iterable[bytes], content_length: int) None [source]#
Set both stream and content_length.
Although the
stream
andcontent_length
properties may be set directly, using this method ensurescontent_length
is not accidentally neglected when the length of the stream is known in advance. Using this method is also slightly more performant as compared to setting the properties individually.Note
If the stream length is unknown, you can set
stream
directly, and ignorecontent_length
. In this case, the ASGI server may choose to use chunked encoding or one of the other strategies suggested by PEP-3333.- Parameters:
stream – A readable file-like object.
content_length (int) – Length of the stream, used for the Content-Length header in the response.
- status: str | int | http.HTTPStatus#
HTTP status code or line (e.g.,
'200 OK'
).This may be set to a member of
http.HTTPStatus
, an HTTP status line string (e.g.,'200 OK'
), or anint
.Note
The Falcon framework itself provides a number of constants for common status codes. They all start with the
HTTP_
prefix, as in:falcon.HTTP_204
. (See also: Status Codes.)
- property status_code: int#
HTTP status code normalized from
status
.When a code is assigned to this property,
status
is updated, and vice-versa. The status code can be useful when needing to check in middleware for codes that fall into a certain class, e.g.:if resp.status_code >= 400: log.warning(f'returning error response: {resp.status_code}')
- stream: ReadableIO | Iterable[bytes] | None#
Either a file-like object with a read() method that takes an optional size argument and returns a block of bytes, or an iterable object, representing response content, and yielding blocks as byte strings. Falcon will use wsgi.file_wrapper, if provided by the WSGI server, in order to efficiently serve file-like objects.
Note
If the stream is set to an iterable object that requires resource cleanup, it can implement a close() method to do so. The close() method will be called upon completion of the request.
- text: str | None#
String representing response content.
Note
Falcon will encode the given text as UTF-8 in the response. If the content is already a byte string, use the
data
attribute instead (it’s faster).
- unset_cookie(name: str, samesite: str = 'Lax', domain: str | None = None, path: str | None = None) None [source]#
Unset a cookie in the response.
Clears the contents of the cookie, and instructs the user agent to immediately expire its own copy of the cookie.
Note
Modern browsers place restriction on cookies without the “same-site” cookie attribute set. To that end this attribute is set to
'Lax'
by this method.(See also: Same-Site warnings)
Warning
In order to successfully remove a cookie, both the path and the domain must match the values that were used when the cookie was created.
- Parameters:
name (str) – Cookie name
- Keyword Arguments:
samesite (str) –
Allows to override the default ‘Lax’ same_site setting for the unset cookie.
Added in version 4.0.
domain (str) –
Restricts the cookie to a specific domain and any subdomains of that domain. By default, the user agent will return the cookie only to the origin server. When overriding this default behavior, the specified domain must include the origin server. Otherwise, the user agent will reject the cookie.
Note
Cookies do not provide isolation by port, so the domain should not provide one. (See also: RFC 6265, Section 8.5)
(See also: RFC 6265, Section 4.1.2.3)
path (str) –
Scopes the cookie to the given path plus any subdirectories under that path (the “/” character is interpreted as a directory separator). If the cookie does not specify a path, the user agent defaults to the path component of the requested URI.
Warning
User agent interfaces do not always isolate cookies by path, and so this should not be considered an effective security measure.
(See also: RFC 6265, Section 4.1.2.4)
- property vary: str | None#
Value to use for the Vary header.
Set this property to an iterable of header names. For a single asterisk or field value, simply pass a single-element
list
ortuple
.The “Vary” header field in a response describes what parts of a request message, aside from the method, Host header field, and request target, might influence the origin server’s process for selecting and representing this response. The value consists of either a single asterisk (“*”) or a list of header field names (case-insensitive).
(See also: RFC 7231, Section 7.1.4)
- property viewable_as: str | None#
Set an inline Content-Disposition header using the given filename.
The value will be used for the
filename
directive. For example, given'report.pdf'
, the Content-Disposition header would be set to:'inline; filename="report.pdf"'
.As per RFC 6266 recommendations, non-ASCII filenames will be encoded using the
filename*
directive, whereasfilename
will contain the US ASCII fallback.Added in version 3.1.