DWScript excels in web environments (CGI or via DWSWebServer), providing native objects to handle HTTP requests and responses.
The WebRequest object contains client data, while WebResponse allows you to control headers and content types.
```pascal
var userAgent := WebRequest.UserAgent;
if userAgent <> '' then
  PrintLn('Browser info found');
WebResponse.ContentType := 'text/plain';
```

Output:

```
Browser info found
```

DWScript provides several shortcut methods to set the status code and content in a single call.
These methods automatically set the appropriate ContentType and the response body.
```pascal
// Send a JSON object
var data := JSON.Serialize(record
  status := 'ok';
  count := 42;
end);
WebResponse.SetContentJSON(data);

// Send plain text with a specific status
WebResponse.SetStatusPlainText(201, 'Resource Created');

// Send a raw JSON string with a status
WebResponse.SetStatusJSON(400, '{"error": "Invalid request"}');
```

Redirecting the client is handled by SetStatusRedirect.
```pascal
// Temporary redirect (302)
WebResponse.SetStatusRedirect(302, '/login.dws');

// Permanent redirect (301)
WebResponse.SetStatusRedirect(301, 'https://example.com/new-path');
```

Handling user sessions and persistence is easy with built-in cookie support.
```pascal
// Setting a cookie
WebResponse.SetCookie('SessionID', '12345', Now + 1); // Expires tomorrow

// Getting a cookie
var session := WebRequest.Cookie['SessionID'];
```

For session cookies and sensitive data, always use security flags. The SetCookie method accepts a bitmask for flags and an enumeration for SameSite.
```pascal
uses System.Net, System.Crypto;

// Session cookie with HttpOnly (2) and SameSite=Strict
var token := CryptographicToken(32);

// Flags bitmask: 1 = Secure, 2 = HttpOnly
// SameSite: 0 = Unspecified, 1 = Strict, 2 = Lax
WebResponse.SetCookie('Session', token, Now + 1, '/', '', 2, WebCookieSameSite.Strict);

// For HTTPS sites, combine Secure (1) and HttpOnly (2)
// WebResponse.SetCookie('Session', token, Now + 1, '/', '', 1 + 2, WebCookieSameSite.Strict);
```

| Flag Value | Name | Description |
|---|---|---|
| 1 | Secure | Only sent over HTTPS connections |
| 2 | HttpOnly | Blocks JavaScript access (prevents cookie theft via XSS) |

| SameSite | Description |
|---|---|
| Strict | Best security; only sent for same-site requests |
| Lax | Sent for same-site and top-level cross-site navigations |
| Unspecified | Browser default behavior |

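One way to check from outside the script that the cookies an application emits carry the flags described above. This is an added example in Python, not DWScript code and not code from the DWScript project; it assumes the server emits standard `Set-Cookie` attribute syntax, and the function names and sample header lines are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the protections in the tables above.
SECURE, HTTP_ONLY = 1, 2  # flag bitmask values as documented on this page


def parse_set_cookie(header):
    """Return (name, flags_bitmask, samesite) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags, samesite = 0, "Unspecified"
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()  # attribute names are case-insensitive
        if key == "secure":
            flags |= SECURE
        elif key == "httponly":
            flags |= HTTP_ONLY
        elif key == "samesite" and value.strip():
            samesite = value.strip().capitalize()
    return name, flags, samesite


def audit(header, served_over_https=True):
    """List the protections a cookie is missing; an empty list means none."""
    name, flags, samesite = parse_set_cookie(header)
    findings = []
    if served_over_https and not flags & SECURE:
        findings.append(f"{name}: missing Secure")
    if not flags & HTTP_ONLY:
        findings.append(f"{name}: missing HttpOnly")
    if samesite == "Unspecified":
        findings.append(f"{name}: SameSite unspecified, browser default applies")
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLES = [
    "SessionID=12345; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "Session=EXAMPLE_TOKEN; Path=/; HttpOnly; SameSite=Strict",
    "Session=EXAMPLE_TOKEN; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line.split(";")[0], "->", audit(line) or "ok")
```

The second sample corresponds to a flags value of 2 (HttpOnly only), which the audit reports as missing Secure when the site is served over HTTPS.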
Always encode user-provided text before rendering it to HTML to prevent XSS attacks.
```pascal
var input := '<script>alert("XSS")</script>';
PrintLn(StrToHtml(input)); // &lt;script&gt;...
```

Output:

```
&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
```

You can push real-time updates to clients using the ServerSentEvents API.
```pascal
// In your event stream handler script
WebResponse.SetContentEventStream('my-stream');

// In your data producer script (e.g. triggered by a timer or another request)
var event := new WebServerSentEvent;
event.Data.Add('Hello World at ' + FloatToStr(Now));
event.Post('my-stream');
```

For a full list of request headers, status codes, and web utilities, see the reference documentation: