Reslab Activity Log

Security

  • All database queries use $wpdb->prepare() or $wpdb->insert() with format arrays
  • All output is escaped with esc_html(), esc_attr(), esc_url(), or wp_kses()
  • Forms protected with wp_nonce_field() / check_admin_referer()
  • Capability checks on every admin action (reslab_al_view_log, reslab_al_clear_log, reslab_al_manage_settings)
  • IP resolution only trusts forwarded headers from explicitly whitelisted proxy IPs
  • CSV export neutralises cell values that would otherwise be interpreted as spreadsheet formulas (CSV/Formula injection)
  • Archive downloads use random filenames + a directory-listing-blocking index.php stub, and are only ever served through a nonce + reslab_al_view_log-gated handler — never a public/guessable URL
  • REST endpoint requires reslab_al_view_log via WordPress's standard Application Passwords auth; no custom API-key scheme to get wrong
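The forwarded-header rule and the CSV neutralisation rule above, as an added example (not the plugin's own code; the function names, the `$trusted_proxies` parameter and the sample requests are assumptions):

```php
<?php
// Added example, not the plugin's own code; function names and parameters are assumptions.

// Resolve the client IP. REMOTE_ADDR is set by the web server and cannot be forged by
// the client, so it is the only value used unless the peer is a listed proxy.
function reslab_al_resolve_client_ip( array $server, array $trusted_proxies ): string {
    $remote = isset( $server['REMOTE_ADDR'] ) ? trim( $server['REMOTE_ADDR'] ) : '';
    if ( ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote; // peer is not a listed proxy: ignore forwarded headers entirely
    }
    // Walk X-Forwarded-For from the right: rightmost entries were appended by our own
    // proxies; the first non-proxy address is the client, anything further left is untrusted.
    if ( ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        $hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
        for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
            if ( in_array( $hops[ $i ], $trusted_proxies, true ) ) {
                continue;
            }
            if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) !== false ) {
                return $hops[ $i ];
            }
            break; // malformed entry: fall back to the peer address rather than guess
        }
    }
    return $remote;
}

// Neutralise a CSV cell so spreadsheet software renders it as text instead of a formula.
// ltrim() is limited to spaces so a leading tab or carriage return (also triggers) is caught.
function reslab_al_csv_neutralise( string $value ): string {
    if ( is_numeric( $value ) ) {
        return $value; // plain numbers such as -5 stay numeric
    }
    $first = substr( ltrim( $value, ' ' ), 0, 1 );
    if ( $first !== '' && in_array( $first, array( '=', '+', '-', '@', "\t", "\r" ), true ) ) {
        return "'" . $value;
    }
    return $value;
}

// Constructed sample requests (documentation address ranges), not real log data.
$trusted = array( '10.0.0.2' );
$direct  = array( 'REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.9' );
$proxied = array( 'REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2' );
echo reslab_al_resolve_client_ip( $direct, $trusted ), "\n";  // header ignored: peer is not a proxy
echo reslab_al_resolve_client_ip( $proxied, $trusted ), "\n"; // forwarded client address used
echo reslab_al_csv_neutralise( '=SUM(1,2)' ), "\n";          // formula trigger neutralised
```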