codeigniter4 · paulbalandan · Apr 18, 2026 · Apr 18, 2026
diff --git a/system/HTTP/Response.php b/system/HTTP/Response.php
@@ -14,9 +14,7 @@
 namespace CodeIgniter\HTTP;
 
 use CodeIgniter\Cookie\Cookie;
-use CodeIgniter\Cookie\CookieStore;
 use CodeIgniter\HTTP\Exceptions\HTTPException;
-use Config\Cookie as CookieConfig;
 
 /**
  * Representation of an outgoing, server-side response.
@@ -38,7 +36,7 @@ class Response extends Message implements ResponseInterface
     /**
      * HTTP status codes
      *
-     * @var array
+     * @var array<int, string>
      */
     protected static $statusCodes = [
         // 1xx: Informational
@@ -140,23 +138,14 @@ class Response extends Message implements ResponseInterface
      */
     protected $pretend = false;
 
+    /**
+     * Construct a non-caching response with a default content type of `text/html`.
+     */
     public function __construct()
     {
-        // Default to a non-caching page.
-        // Also ensures that a Cache-control header exists.
-        $this->noCache();
-
-        // We need CSP object even if not enabled to avoid calls to non existing methods
-        $this->CSP = service('csp');
-
-        $this->cookieStore = new CookieStore([]);
-
-        $cookie = config(CookieConfig::class);
-
-        Cookie::setDefaults($cookie);
+        Cookie::setDefaults(config('Cookie'));
 
-        // Default to an HTML Content-Type. Devs can override if needed.
-        $this->setContentType('text/html');
+        $this->noCache()->setContentType('text/html');
     }
 
     /**
@@ -168,7 +157,6 @@ public function __construct()
      * @return $this
      *
      * @internal For testing purposes only.
-     * @testTag only available to test code
      */
     public function pretend(bool $pretend = true)
     {

diff --git a/system/HTTP/ResponseTrait.php b/system/HTTP/ResponseTrait.php
@@ -13,6 +13,7 @@
 
 namespace CodeIgniter\HTTP;
 
+use CodeIgniter\Config\Services;
 use CodeIgniter\Cookie\Cookie;
 use CodeIgniter\Cookie\CookieStore;
 use CodeIgniter\Cookie\Exceptions\CookieException;
@@ -21,6 +22,8 @@
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Pager\PagerInterface;
 use CodeIgniter\Security\Exceptions\SecurityException;
+use Config\App;
+use Config\ContentSecurityPolicy as ContentSecurityPolicyConfig;
 use Config\Cookie as CookieConfig;
 use DateTime;
 use DateTimeZone;
@@ -31,21 +34,30 @@
  * Additional methods to make a PSR-7 Response class
  * compliant with the framework's own ResponseInterface.
  *
+ * @property array<int, string> $statusCodes
+ * @property string|null        $body
+ *
  * @see https://github.com/php-fig/http-message/blob/master/src/ResponseInterface.php
  */
 trait ResponseTrait
 {
     /**
-     * Content security policy handler
+     * Content security policy handler.
+     *
+     * Lazily instantiated on first use via `self::getCSP()` so that the
+     * ContentSecurityPolicy class is not loaded on requests that do not use CSP.
      *
-     * @var ContentSecurityPolicy
+     * @var ContentSecurityPolicy|null
      */
     protected $CSP;
 
     /**
      * CookieStore instance.
      *
-     * @var CookieStore
+     * Lazily instantiated on first cookie-related call so that the Cookie and
+     * CookieStore classes are not loaded on requests that do not use cookies.
+     *
+     * @var CookieStore|null
      */
     protected $cookieStore;
 
@@ -77,19 +89,17 @@ trait ResponseTrait
      */
     public function setStatusCode(int $code, string $reason = '')
     {
-        // Valid range?
         if ($code < 100 || $code > 599) {
             throw HTTPException::forInvalidStatusCode($code);
         }
 
-        // Unknown and no message?
-        if (! array_key_exists($code, static::$statusCodes) && ($reason === '')) {
+        if (! array_key_exists($code, static::$statusCodes) && $reason === '') {
             throw HTTPException::forUnkownStatusCode($code);
         }
 
         $this->statusCode = $code;
 
-        $this->reason = ($reason !== '') ? $reason : static::$statusCodes[$code];
+        $this->reason = $reason !== '' ? $reason : static::$statusCodes[$code];
 
         return $this;
     }
@@ -366,8 +376,10 @@ public function setLastModified($date)
     public function send()
     {
         // If we're enforcing a Content Security Policy,
-        // we need to give it a chance to build out it's headers.
-        $this->CSP->finalize($this);
+        // we need to give it a chance to build out its headers.
+        if ($this->shouldFinalizeCsp()) {
+            $this->getCSP()->finalize($this);
+        }
 
         $this->sendHeaders();
         $this->sendCookies();
@@ -376,6 +388,44 @@ public function send()
         return $this;
     }
 
+    /**
+     * Decides whether {@see ContentSecurityPolicy::finalize()} should run for
+     * this response. Keeping the CSP class unloaded on requests that do not
+     * need it avoids the cost of constructing a 1000+ line service on every
+     * request.
+     */
+    private function shouldFinalizeCsp(): bool
+    {
+        // Developer already touched CSP through getCSP(); respect it.
+        if ($this->CSP !== null) {
+            return true;
+        }
+
+        // A CSP instance has been registered (e.g., via Services::injectMock()
+        // or any earlier service('csp') call) — reuse it instead of skipping.
+        if (Services::has('csp')) {
+            return true;
+        }
+
+        if (config(App::class)->CSPEnabled) {
+            return true;
+        }
+
+        // Placeholders in the body still need to be stripped even when CSP
+        // is disabled, so the body is scanned for the configured nonce tags
+        // before committing to loading the full CSP class.
+        $body = (string) $this->body;
+
+        if ($body === '') {
+            return false;
+        }
+
+        $cspConfig = config(ContentSecurityPolicyConfig::class);
+
+        return str_contains($body, $cspConfig->scriptNonceTag)
+            || str_contains($body, $cspConfig->styleNonceTag);
+    }
+
     /**
      * Sends the headers of this HTTP response to the browser.
      *
@@ -518,8 +568,10 @@ public function setCookie(
         $httponly = null,
         $samesite = null,
     ) {
+        $store = $this->getCookieStore();
+
         if ($name instanceof Cookie) {
-            $this->cookieStore = $this->cookieStore->put($name);
+            $this->cookieStore = $store->put($name);
 
             return $this;
         }
@@ -553,18 +605,23 @@ public function setCookie(
             'samesite' => $samesite ?? '',
         ]);
 
-        $this->cookieStore = $this->cookieStore->put($cookie);
+        $this->cookieStore = $store->put($cookie);
 
         return $this;
     }
 
     /**
      * Returns the `CookieStore` instance.
      *
+     * Lazily instantiates the `CookieStore` on first call, so that the Cookie and
+     * CookieStore classes are not loaded on requests that do not use cookies.
+     *
      * @return CookieStore
      */
     public function getCookieStore()
     {
+        $this->cookieStore ??= new CookieStore([]);
+
         return $this->cookieStore;
     }
 
@@ -573,9 +630,10 @@ public function getCookieStore()
      */
     public function hasCookie(string $name, ?string $value = null, string $prefix = ''): bool
     {
+        $store  = $this->getCookieStore();
         $prefix = $prefix !== '' ? $prefix : Cookie::setDefaults()['prefix']; // to retain BC
 
-        return $this->cookieStore->has($name, $prefix, $value);
+        return $store->has($name, $prefix, $value);
     }
 
     /**
@@ -588,14 +646,16 @@ public function hasCookie(string $name, ?string $value = null, string $prefix =
      */
     public function getCookie(?string $name = null, string $prefix = '')
     {
+        $store = $this->getCookieStore();
+
         if ((string) $name === '') {
-            return $this->cookieStore->display();
+            return $store->display();
         }
 
         try {
             $prefix = $prefix !== '' ? $prefix : Cookie::setDefaults()['prefix']; // to retain BC
 
-            return $this->cookieStore->get($name, $prefix);
+            return $store->get($name, $prefix);
         } catch (CookieException $e) {
             log_message('error', (string) $e);
 
@@ -614,10 +674,10 @@ public function deleteCookie(string $name = '', string $domain = '', string $pat
             return $this;
         }
 
+        $store  = $this->getCookieStore();
         $prefix = $prefix !== '' ? $prefix : Cookie::setDefaults()['prefix']; // to retain BC
 
         $prefixed = $prefix . $name;
-        $store    = $this->cookieStore;
         $found    = false;
 
         /** @var Cookie $cookie */
@@ -653,6 +713,10 @@ public function deleteCookie(string $name = '', string $domain = '', string $pat
      */
     public function getCookies()
     {
+        if ($this->cookieStore === null) {
+            return [];
+        }
+
         return $this->cookieStore->display();
     }
 
@@ -663,7 +727,7 @@ public function getCookies()
      */
     protected function sendCookies()
     {
-        if ($this->pretend) {
+        if ($this->pretend || $this->cookieStore === null) {
             return;
         }
 
@@ -753,6 +817,8 @@ public function download(string $filename = '', $data = '', bool $setMime = fals
 
     public function getCSP(): ContentSecurityPolicy
     {
+        $this->CSP ??= service('csp');
+
         return $this->CSP;
     }
 }