Security
- All database queries use `$wpdb->prepare()` or `$wpdb->insert()` with format arrays
- All output is escaped with `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()`
- Forms protected with `wp_nonce_field()` / `check_admin_referer()`
- Capability checks on every admin action (`reslab_al_view_log`, `reslab_al_clear_log`, `reslab_al_manage_settings`)
- IP resolution only trusts forwarded headers from explicitly whitelisted proxy IPs
- CSV export neutralises cell values that would otherwise be interpreted as spreadsheet formulas (CSV/formula injection)
- Archive downloads use random filenames + a directory-listing-blocking `index.php` stub, and are only ever served through a nonce + `reslab_al_view_log`-gated handler — never a public/guessable URL
- REST endpoint requires `reslab_al_view_log` via WordPress's standard Application Passwords auth; no custom API-key scheme to get wrong
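The IP-resolution rule above (forwarded headers honoured only when the direct peer is a whitelisted proxy) is shown here as an added example; it is not the plugin's own code, and the function name, the injected `$server` array and the sample proxy list are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Resolve the client IP so that
// X-Forwarded-For is only believed when REMOTE_ADDR is a trusted proxy.
// $server is normally $_SERVER; it is passed in so the logic can be exercised
// with constructed requests below.
function reslab_al_example_client_ip( array $server, array $trusted_proxies ): string {
    $remote = isset( $server['REMOTE_ADDR'] ) ? trim( (string) $server['REMOTE_ADDR'] ) : '';
    if ( filter_var( $remote, FILTER_VALIDATE_IP ) === false ) {
        return '';
    }
    // Direct connection from an untrusted peer: the TCP address is the client.
    // Any forwarding header on such a request is client-supplied and ignored.
    if ( ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote;
    }
    if ( empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $remote;
    }
    // X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the
    // peer it saw. Walk from the right, skipping trusted hops; the first
    // untrusted address is the nearest one a trusted proxy observed itself.
    // Everything to its left was written by an untrusted party and may be forged.
    $hops = array_map( 'trim', explode( ',', (string) $server['HTTP_X_FORWARDED_FOR'] ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) === false ) {
            break; // malformed entry: fall back to the proxy's own address
        }
        if ( ! in_array( $hops[ $i ], $trusted_proxies, true ) ) {
            return $hops[ $i ];
        }
    }
    return $remote;
}

// Constructed sample requests (assumed trusted proxy: 10.0.0.5).
$trusted = array( '10.0.0.5' );

// Client connects directly and sends its own X-Forwarded-For: header ignored,
// REMOTE_ADDR is logged.
echo reslab_al_example_client_ip(
    array( 'REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1' ),
    $trusted
), "\n";

// Same request arriving through the trusted proxy: the rightmost untrusted hop
// (the address the proxy saw) is logged, not the forged leftmost entry.
echo reslab_al_example_client_ip(
    array( 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.9' ),
    $trusted
), "\n";
```

The whitelist must hold the proxy addresses as seen on the TCP connection, and a header from a request that did not pass through one of them is never consulted.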