On this page
HTTP Utilities
Werkzeug provides a couple of functions to parse and generate HTTP headers that are useful when implementing WSGI middlewares or whenever you are operating on a lower level layer. All this functionality is also exposed from request and response objects.
Datetime Functions
These functions simplify working with times in an HTTP context. Werkzeug produces timezone-aware datetime
objects in UTC. When passing datetime objects to Werkzeug, it assumes any naive datetime is in UTC.
When comparing datetime values from Werkzeug, your own datetime objects must also be timezone-aware, or you must make the values from Werkzeug naive.
dt = datetime.now(timezone.utc)
gets the current time in UTC.dt = datetime(..., tzinfo=timezone.utc)
creates a time in UTC.dt = dt.replace(tzinfo=timezone.utc)
makes a naive object aware by assuming it’s in UTC.dt = dt.replace(tzinfo=None)
makes an aware object naive.
werkzeug.http.parse_date(value)
-
Parse an RFC 2822 date into a timezone-aware
datetime.datetime
object, orNone
if parsing fails.This is a wrapper for
email.utils.parsedate_to_datetime()
. It returnsNone
if parsing fails instead of raising an exception, and always returns a timezone-aware datetime object. If the string doesn’t have timezone information, it is assumed to be UTC.Changelog
Changed in version 2.0: Return a timezone-aware datetime object. Use
email.utils.parsedate_to_datetime
.
werkzeug.http.http_date(timestamp=None)
-
Format a datetime object or timestamp into an RFC 2822 date string.
This is a wrapper for
email.utils.format_datetime()
. It assumes naive datetime objects are in UTC instead of raising an exception.- Parameters
-
timestamp (Optional[Union[datetime.datetime, datetime.date, int, float, time.struct_time]]) – The datetime or timestamp to format. Defaults to the current time.
- Return type
Changelog
Changed in version 2.0: Use
email.utils.format_datetime
. Acceptdate
objects.
Header Parsing
The following functions can be used to parse incoming HTTP headers. Because Python does not provide data structures with the semantics required by RFC 2616, Werkzeug implements some custom data structures that are documented separately.
werkzeug.http.parse_options_header(value, multiple=None)
-
Parse a
Content-Type
-like header into a tuple with the value and any options:>>> parse_options_header('text/html; charset=utf8') ('text/html', {'charset': 'utf8'})
This should is not for
Cache-Control
-like headers, which use a different format. For those, useparse_dict_header()
.- Parameters
- Return type
Changed in version 2.1: The
multiple
parameter is deprecated and will be removed in Werkzeug 2.2.Changelog
Changed in version 0.15: RFC 2231 parameter continuations are handled.
New in version 0.5.
werkzeug.http.parse_set_header(value, on_update=None)
-
Parse a set-like header and return a
HeaderSet
object:>>> hs = parse_set_header('token, "quoted value"')
The return value is an object that treats the items case-insensitively and keeps the order of the items:
>>> 'TOKEN' in hs True >>> hs.index('quoted value') 1 >>> hs HeaderSet(['token', 'quoted value'])
To create a header from the
HeaderSet
again, use thedump_header()
function.- Parameters
- Returns
- Return type
werkzeug.http.parse_list_header(value)
-
Parse lists as described by RFC 2068 Section 2.
In particular, parse comma-separated lists where the elements of the list may include quoted-strings. A quoted-string could contain a comma. A non-quoted string could have quotes in the middle. Quotes are removed automatically after parsing.
It basically works like
parse_set_header()
just that items may appear multiple times and case sensitivity is preserved.The return value is a standard
list
:>>> parse_list_header('token, "quoted value"') ['token', 'quoted value']
To create a header from the
list
again, use thedump_header()
function.
werkzeug.http.parse_dict_header(value, cls=<class 'dict'>)
-
Parse lists of key, value pairs as described by RFC 2068 Section 2 and convert them into a python dict (or any other mapping object created from the type with a dict like interface provided by the
cls
argument):>>> d = parse_dict_header('foo="is a fish", bar="as well"') >>> type(d) is dict True >>> sorted(d.items()) [('bar', 'as well'), ('foo', 'is a fish')]
If there is no value for a key it will be
None
:>>> parse_dict_header('key_without_value') {'key_without_value': None}
To create a header from the
dict
again, use thedump_header()
function.Changelog
Changed in version 0.9: Added support for
cls
argument.
werkzeug.http.parse_accept_header(value[, class])
-
Parses an HTTP Accept-* header. This does not implement a complete valid algorithm but one that supports at least value and quality extraction.
Returns a new
Accept
object (basically a list of(value, quality)
tuples sorted by the quality with some additional accessor methods).The second parameter can be a subclass of
Accept
that is created with the parsed values and returned.
werkzeug.http.parse_cache_control_header(value, on_update=None, cls=None)
-
Parse a cache control header. The RFC differs between response and request cache control, this method does not. It’s your responsibility to not use the wrong control statements.
Changelog
New in version 0.5: The
cls
was added. If not specified an immutableRequestCacheControl
is returned.- Parameters
-
- value (Optional[str]) – a cache control header to be parsed.
- on_update (Optional[Callable[[werkzeug.http._TAnyCC], None]]) – an optional callable that is called every time a value on the
CacheControl
object is changed. - cls (Optional[Type[werkzeug.http._TAnyCC]]) – the class for the returned object. By default
RequestCacheControl
is used.
- Returns
-
a
cls
object. - Return type
-
werkzeug.http._TAnyCC
werkzeug.http.parse_authorization_header(value)
-
Parse an HTTP basic/digest authorization header transmitted by the web browser. The return value is either
None
if the header was invalid or not given, otherwise anAuthorization
object.- Parameters
- Returns
-
a
Authorization
object orNone
. - Return type
werkzeug.http.parse_www_authenticate_header(value, on_update=None)
-
Parse an HTTP WWW-Authenticate header into a
WWWAuthenticate
object.- Parameters
-
- value (Optional[str]) – a WWW-Authenticate header to parse.
- on_update (Optional[Callable[[werkzeug.datastructures.WWWAuthenticate], None]]) – an optional callable that is called every time a value on the
WWWAuthenticate
object is changed.
- Returns
-
a
WWWAuthenticate
object. - Return type
werkzeug.http.parse_if_range_header(value)
-
Parses an if-range header which can be an etag or a date. Returns a
IfRange
object.Changelog
Changed in version 2.0: If the value represents a datetime, it is timezone-aware.
New in version 0.7.
- Parameters
- Return type
werkzeug.http.parse_range_header(value, make_inclusive=True)
-
Parses a range header into a
Range
object. If the header is missing or malformedNone
is returned.ranges
is a list of(start, stop)
tuples where the ranges are non-inclusive.Changelog
New in version 0.7.
- Parameters
- Return type
werkzeug.http.parse_content_range_header(value, on_update=None)
-
Parses a range header into a
ContentRange
object orNone
if parsing is not possible.Changelog
New in version 0.7.
- Parameters
-
- value (Optional[str]) – a content range header to be parsed.
- on_update (Optional[Callable[[werkzeug.datastructures.ContentRange], None]]) – an optional callable that is called every time a value on the
ContentRange
object is changed.
- Return type
Header Utilities
The following utilities operate on HTTP headers well but do not parse them. They are useful if you’re dealing with conditional responses or if you want to proxy arbitrary requests but want to remove WSGI-unsupported hop-by-hop headers. Also there is a function to create HTTP header strings from the parsed data.
werkzeug.http.is_entity_header(header)
-
Check if a header is an entity header.
Changelog
New in version 0.5.
werkzeug.http.is_hop_by_hop_header(header)
-
Check if a header is an HTTP/1.1 “Hop-by-Hop” header.
Changelog
New in version 0.5.
werkzeug.http.remove_entity_headers(headers, allowed=('expires', 'content-location'))
-
Remove all entity headers from a list or
Headers
object. This operation works in-place.Expires
andContent-Location
headers are by default not removed. The reason for this is RFC 2616 section 10.3.5 which specifies some entity headers that should be sent.Changelog
Changed in version 0.5: added
allowed
parameter.
werkzeug.http.remove_hop_by_hop_headers(headers)
-
Remove all HTTP/1.1 “Hop-by-Hop” headers from a list or
Headers
object. This operation works in-place.Changelog
New in version 0.5.
werkzeug.http.is_byte_range_valid(start, stop, length)
-
Checks if a given byte content range is valid for the given length.
Changelog
New in version 0.7.
werkzeug.http.quote_header_value(value, extra_chars='', allow_token=True)
-
Quote a header value if necessary.
Changelog
New in version 0.5.
werkzeug.http.unquote_header_value(value, is_filename=False)
-
Unquotes a header value. (Reversal of
quote_header_value()
). This does not use the real unquoting but what browsers are actually using for quoting.Changelog
New in version 0.5.
werkzeug.http.dump_header(iterable, allow_token=True)
-
Dump an HTTP header again. This is the reversal of
parse_list_header()
,parse_set_header()
andparse_dict_header()
. This also quotes strings that include an equals sign unless you pass it as dict of key, value pairs.>>> dump_header({'foo': 'bar baz'}) 'foo="bar baz"' >>> dump_header(('foo', 'bar baz')) 'foo, "bar baz"'
Conditional Response Helpers
For conditional responses the following functions might be useful:
werkzeug.http.parse_etags(value)
-
Parse an etag header.
- Parameters
- Returns
-
an
ETags
object. - Return type
werkzeug.http.quote_etag(etag, weak=False)
-
Quote an etag.
werkzeug.http.unquote_etag(etag)
-
Unquote a single etag:
>>> unquote_etag('W/"bar"') ('bar', True) >>> unquote_etag('"bar"') ('bar', False)
werkzeug.http.generate_etag(data)
-
Generate an etag for some data.
Changelog
Changed in version 2.0: Use SHA-1. MD5 may not be available in some environments.
werkzeug.http.is_resource_modified(environ, etag=None, data=None, last_modified=None, ignore_if_range=True)
-
Convenience method for conditional requests.
- Parameters
-
- environ (WSGIEnvironment) – the WSGI environment of the request to be checked.
- etag (Optional[str]) – the etag for the response for comparison.
- data (Optional[bytes]) – or alternatively the data of the response to automatically generate an etag using
generate_etag()
. - last_modified (Optional[Union[datetime.datetime, str]]) – an optional date of the last modification.
- ignore_if_range (bool) – If
False
,If-Range
header will be taken into account.
- Returns
-
True
if the resource was modified, otherwiseFalse
. - Return type
Changelog
Changed in version 2.0: SHA-1 is used to generate an etag value for the data. MD5 may not be available in some environments.
Changed in version 1.0.0: The check is run for methods other than
GET
andHEAD
.
Constants
werkzeug.http.HTTP_STATUS_CODES
-
A dict of status code -> default status message pairs. This is used by the wrappers and other places where an integer status code is expanded to a string throughout Werkzeug.
Form Data Parsing
Werkzeug provides the form parsing functions separately from the request object so that you can access form data from a plain WSGI environment.
The following formats are currently supported by the form data parser:
application/x-www-form-urlencoded
multipart/form-data
Nested multipart is not currently supported (Werkzeug 0.9), but it isn’t used by any of the modern web browsers.
Usage example:
>>> from io import BytesIO
>>> from werkzeug.formparser import parse_form_data
>>> data = (
... b'--foo\r\nContent-Disposition: form-data; name="test"\r\n'
... b"\r\nHello World!\r\n--foo--"
... )
>>> environ = {
... "wsgi.input": BytesIO(data),
... "CONTENT_LENGTH": str(len(data)),
... "CONTENT_TYPE": "multipart/form-data; boundary=foo",
... "REQUEST_METHOD": "POST",
... }
>>> stream, form, files = parse_form_data(environ)
>>> stream.read()
b''
>>> form['test']
'Hello World!'
>>> not files
True
Normally the WSGI environment is provided by the WSGI gateway with the incoming data as part of it. If you want to generate such fake-WSGI environments for unittesting you might want to use the create_environ()
function or the EnvironBuilder
instead.
class werkzeug.formparser.FormDataParser(stream_factory=None, charset='utf-8', errors='replace', max_form_memory_size=None, max_content_length=None, cls=None, silent=True)
-
This class implements parsing of form data for Werkzeug. By itself it can parse multipart and url encoded form data. It can be subclassed and extended but for most mimetypes it is a better idea to use the untouched stream and expose it as separate attributes on a request object.
Changelog
New in version 0.8.
- Parameters
-
- stream_factory (Optional[TStreamFactory]) – An optional callable that returns a new read and writeable file descriptor. This callable works the same as
Response._get_file_stream()
. - charset (str) – The character set for URL and url encoded form data.
- errors (str) – The encoding error behavior.
- max_form_memory_size (Optional[int]) – the maximum number of bytes to be accepted for in-memory stored form data. If the data exceeds the value specified an
RequestEntityTooLarge
exception is raised. - max_content_length (Optional[int]) – If this is provided and the transmitted data is longer than this value an
RequestEntityTooLarge
exception is raised. - cls (Optional[Type[werkzeug.datastructures.MultiDict]]) – an optional dict class to use. If this is not specified or
None
the defaultMultiDict
is used. - silent (bool) – If set to False parsing errors will not be caught.
- stream_factory (Optional[TStreamFactory]) – An optional callable that returns a new read and writeable file descriptor. This callable works the same as
- Return type
-
None
werkzeug.formparser.parse_form_data(environ, stream_factory=None, charset='utf-8', errors='replace', max_form_memory_size=None, max_content_length=None, cls=None, silent=True)
-
Parse the form data in the environ and return it as tuple in the form
(stream, form, files)
. You should only call this method if the transport method isPOST
,PUT
, orPATCH
.If the mimetype of the data transmitted is
multipart/form-data
the files multidict will be filled withFileStorage
objects. If the mimetype is unknown the input stream is wrapped and returned as first argument, else the stream is empty.This is a shortcut for the common usage of
FormDataParser
.Have a look at Dealing with Request Data for more details.
Changelog
New in version 0.5.1: The optional
silent
flag was added.New in version 0.5: The
max_form_memory_size
,max_content_length
andcls
parameters were added.- Parameters
-
- environ (WSGIEnvironment) – the WSGI environment to be used for parsing.
- stream_factory (Optional[TStreamFactory]) – An optional callable that returns a new read and writeable file descriptor. This callable works the same as
Response._get_file_stream()
. - charset (str) – The character set for URL and url encoded form data.
- errors (str) – The encoding error behavior.
- max_form_memory_size (Optional[int]) – the maximum number of bytes to be accepted for in-memory stored form data. If the data exceeds the value specified an
RequestEntityTooLarge
exception is raised. - max_content_length (Optional[int]) – If this is provided and the transmitted data is longer than this value an
RequestEntityTooLarge
exception is raised. - cls (Optional[Type[werkzeug.datastructures.MultiDict]]) – an optional dict class to use. If this is not specified or
None
the defaultMultiDict
is used. - silent (bool) – If set to False parsing errors will not be caught.
- Returns
-
A tuple in the form
(stream, form, files)
. - Return type
-
t_parse_result
© 2007–2022 Pallets
Licensed under the BSD 3-clause License.
https://werkzeug.palletsprojects.com/en/2.1.x/http/