.Request method

Executed when a request is made to a file, like so:

  • The request will be parsed,
  • the target file located by the HTTP request path,
  • the .Request file located on the target file’s type chain, and
  • the .Request file executed.

Parsing the request

All input data will be passed in on a temporary request file.

Any HTTP GET or POST parameters will be accessible as string attributes of the request file. In case the user uploaded some files with the same request, those will be accessible to you at //request/files/NAME/FILE, where NAME is the variable name, FILE is the uploaded file. Multiple files are supported for each variable name.

Executing the .Request method

The following files are injected in an isolated VM at runtime:

f         - file specified by the request PATH
source    - pointer to the .Request file being executed
request   - access request parameters and HTTP request body, uploaded files
response  - decorate for returning a response

Note: in the sjs-3 interpreter, these files are accessible as variables. You can use them to access the entire filesystem.


To return a HTTP response, decorate the response file.

Interface summary:

- response file body
- response file statusCode property
- response file string attribute `content-type`
- response file string attribute `content-security-policy`
- response file string attribute `location`

Response body

The response file’s body will translate to the HTTP response body.

Response statuscode

The response file’s statusCode property. If 0, defaults to 200. When the location string attribute is set, defaults to 301.

Response Content-Type

The response file’s string attribute content-type will translate to the HTTP header Content-Type.

For common text based content-types, like text/html or text/css, if you ommit the charset, Boomla will automatically expand it for you. Boomla uses UTF-8 character encoding internally and also defaults to this charset for responses.


Set the response file’s string attribute location to the desired URL. If you leave the response file’s statusCode 0, it will default to temporary redirection with statusCode 303. Alternatively, you can set the statusCode to 301 and the HTTP response status-code, caching and search-engine-juice passing will be automatically handled for you. Of course, you can also set a different 3xx statusCode.

Browser security

The string attribute content-security-policy is used to populate the Content-Security-Policy HTTP header, which allows embedding 3rd party resources in your website or embedding your resources in 3rd party sites.

Note: Boomla will pick automatically load any Content-Security-Policy rules from the first .ContentSecurityPolicy file on the target file’s type chain, and set the rules on the response file before executing the .Request method.

See the docs of the .ContentSecurityPolicy file for more details.

Post-processing responses

Boomla is a platform built to simplify web development. The goal of a platform is to centralize the solution of common problems.

Boomla does the following post-processing to text/html responses:

  • apply CSS namespacing (namespace any HTML classes starting with a dash),
  • link the stylesheet generated by .RequestStyle,
  • inject authentication code,
  • inject the client-side frontend toolchain (Toolbar, etc).

Post-processing that applies to all responses:

  • set security headers
  • cache control
  • compress if possible