HTTP Responses

The PdfResponse class provides secure, standards-compliant HTTP response helpers for delivering PDFs to the browser. It sets all required headers automatically, including security headers that prevent MIME-sniffing and caching of sensitive documents.

use Yeeefang\TcpdfNext\Laravel\Http\PdfResponse;

Inline Display

Render the PDF directly in the browser's built-in viewer with Content-Disposition: inline:

use Yeeefang\TcpdfNext\Laravel\Facades\Pdf;
use Yeeefang\TcpdfNext\Laravel\Http\PdfResponse;

public function preview(Invoice $invoice)
{
    $pdf = Pdf::create()
        ->setTitle("Invoice #{$invoice->number}")
        ->addPage()
        ->setFont('Helvetica', '', 12)
        ->cell(0, 10, "Invoice #{$invoice->number}");

    return PdfResponse::inline($pdf, "invoice-{$invoice->number}.pdf");
}

Force Download

Trigger the browser's save-file dialog with Content-Disposition: attachment:

public function download(Invoice $invoice)
{
    $pdf = Pdf::create()
        ->setTitle("Invoice #{$invoice->number}")
        ->addPage()
        ->setFont('Helvetica', '', 12)
        ->cell(0, 10, "Invoice #{$invoice->number}");

    return PdfResponse::download($pdf, "invoice-{$invoice->number}.pdf");
}

Security Headers

Both inline() and download() automatically set these headers:

Header	Value	Purpose
Content-Type	application/pdf	Correct MIME type
Content-Disposition	inline or attachment	Display mode
X-Content-Type-Options	nosniff	Prevent MIME-sniffing attacks
Cache-Control	no-store, no-cache, must-revalidate	Prevent caching sensitive PDFs
Content-Length	<byte count>	Enables download progress bars

These defaults follow OWASP secure headers recommendations.

Streaming Large PDFs

For documents that exceed available memory, stream chunks directly to the output buffer:

public function downloadLargeReport()
{
    $pdf = Pdf::create()->setTitle('Annual Report');

    foreach ($sections as $section) {
        $pdf->addPage()
            ->setFont('Helvetica', '', 11)
            ->multiCell(0, 6, $section->content);
    }

    return PdfResponse::stream($pdf, 'annual-report.pdf');
}

PdfResponse::stream() returns a StreamedResponse with constant memory usage regardless of document size.

Method Signatures

public static function inline(PdfDocumentInterface $pdf, string $filename): Response;
public static function download(PdfDocumentInterface $pdf, string $filename): Response;
public static function stream(PdfDocumentInterface $pdf, string $filename): StreamedResponse;

Response Macros

The package registers two response macros for convenience:

return response()->pdf($pdf, 'report.pdf');         // download
return response()->pdfInline($pdf, 'report.pdf');   // inline

These macros delegate to PdfResponse methods, so all security headers are applied.

Filename Sanitization

PdfResponse sanitizes the filename to prevent header injection. Characters outside [a-zA-Z0-9._-] are stripped and .pdf is enforced:

// Input: "../../etc/passwd"  ->  Sanitized: "etcpasswd.pdf"
return PdfResponse::download($pdf, $userInput);

Next Steps

• Pdf Facade — Document creation and testing
• Queue Jobs — Offload heavy PDFs to background workers
• Configuration — Customize default headers and behavior