docs: Add docs for response headers in app scripts (#1736)

keulinho · Isengo1989 · web-flow · commit 445205566508 · 2025-04-17T09:24:59.000+02:00
* docs: Add docs for response headers in app scripts

* Fix lint and spelling issues

* chore: fix spellcheck

* Adjust release version

---------

Co-authored-by: Micha &lt;m.hobert@shopware.com&gt;
diff --git a/.wordlist.txt b/.wordlist.txt
@@ -1369,8 +1369,10 @@ rfc
 roadmap
 Roadmap
 rollbacking
+routeName
 RouteResponse
 routeScope
+routeScopes
 RuleConditionService
 runtime
 RuntimeException
diff --git a/guides/plugins/apps/app-scripts/custom-endpoints.md b/guides/plugins/apps/app-scripts/custom-endpoints.md
@@ -9,10 +9,42 @@ nav:
 
 If you want to execute some logic in Shopware and trigger the execution over an HTTP request or need some special data from Shopware over the API, you can create custom API endpoints in your app that allow you to execute a script when a request to that endpoint is made.
 
+## Manipulate HTTP-headers to API responses
+
 ::: info
-Note that custom endpoints with app scripts were introduced in Shopware 6.4.9.0 and are not supported in previous versions.
+Note that the `response` hook was added in v6.6.10.4 and is not available in earlier versions.
 :::
 
+There is a specific `response` script hook, that allows you to manipulate the HTTP-headers of the response via app scripts.
+This is especially useful to adjust the security headers to your needs.
+
+To add a custom header to every response, you can do the following:
+
+```twig
+// Resources/scripts/response/response.twig
+{% do hook.setHeader('X-Frame-Options', 'SAMEORIGIN') %}
+```
+
+Additionally, you can check the current value of a given header and adjust it accordingly:
+
+```twig
+// Resources/scripts/response/response.twig
+{% if hook.getHeader('X-Frame-Options') == 'DENY' %}
+    {% do hook.setHeader('X-Frame-Options', 'SAMEORIGIN') %}
+{% endif %}
+```
+
+You also have access to the route name of the current request and to the route scopes to control the headers for specific routes:
+
+```twig
+// Resources/scripts/response/response.twig
+{% if hook.routeName == 'frontend.detail.page' and hook.isInRouteScope('store-api') %}
+    {% do hook.setHeader('X-Frame-Options', 'SAMEORIGIN') %}
+{% endif %}
+```
+
+The possible route scopes are `storefront`, `store-api`, `api` and `administration`.
+
 ## Custom Endpoints
 
 There are specialized script-execution endpoints for the `api`, `store-api` and `storefront` scopes.
diff --git a/resources/references/app-reference/script-reference/script-hooks-reference.md b/resources/references/app-reference/script-reference/script-hooks-reference.md
@@ -524,6 +524,18 @@ All available hooks within the Store-API and API
 | **Available Services** | [repository](./data-loading-script-services-reference#RepositoryFacade)<br>[writer](./custom-endpoint-script-services-reference#RepositoryWriterFacade)<br>[config](./miscellaneous-script-services-reference#SystemConfigFacade)<br>[response](./custom-endpoint-script-services-reference#ScriptResponseFactoryFacade)<br> |
 | **Stoppable**          | `true`                  |
 
+#### response
+
+| <!-- -->               | <!-- -->                                                                                                                                                                        |
+|:-----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Name**               | response                                                                                                                                                                        |
+| **Since**              | 6.6.10.4                                                                                                                                                                        |
+| **Class**              | `Shopware\Core\Framework\Script\Api\ResponseHook`                                                                                                                               |
+| **Description**        | Triggered on every response<br>                                                                                                                                                 |
+| **Available Data**     | routeName: `string`<br>routeScopes: `array`<br>context: [`Shopware\Core\Framework\Context`](https://github.com/shopware/shopware/blob/trunk/src/Core/Framework/Context.php)<br> |
+| **Available Services** |                                                                                                                                                                                 |
+| **Stoppable**          | `false`                                                                                                                                                                         |
+
 ### store-api-{hook}
 
 **Interface Hook**
