Security
Scriptomatic is built with security as a top priority. This page describes the protections in place.
Only users with the manage_options capability (Administrators) can:
- Access any Scriptomatic admin page
- Save scripts, URLs, or file content
- Access the REST API
- Run WP-CLI commands
Non-admin users are rejected with wp_die() on page load and WP_Error from the REST API.
Every form submission carries two nonces:
- The WordPress Settings API nonce (`_wpnonce`)
- A secondary location-specific nonce (`SCRIPTOMATIC_HEAD_NONCE` / `SCRIPTOMATIC_FOOTER_NONCE`)
Both are verified on every save. AJAX rollback and file operations use their own dedicated nonces.
All script content passes through a central validation pipeline:
| Check | Detail |
|---|---|
| UTF-8 validity | Content must be valid UTF-8 |
| Control characters | Disallowed control characters are rejected |
| Maximum length | Inline scripts: 100 KB. JS file uploads: server `upload_max_filesize` |
| PHP tag detection | `<?php` and `?>` tags are rejected |
| Dangerous HTML tags | `<iframe>`, `<object>`, `<embed>`, `<link>`, `<style>`, `<meta>` trigger a warning |
| `<script>` stripping | `<script>` and `</script>` tags are automatically stripped (prevents double-wrapping) |
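The validation pipeline in the table above, written out as an added PHP illustration. This is not the plugin's own code; the function name, the constant and the return shape are assumptions, and the sample inputs are constructed.

```php
<?php
// Added illustration of the content checks described above; not Scriptomatic's code.
declare(strict_types=1);

const SCRIPTOMATIC_EXAMPLE_MAX_INLINE = 100 * 1024; // 100 KB inline limit (assumed name)

/**
 * Run the checks in order and report errors (reject), warnings (keep, flag)
 * and the cleaned content with <script> wrappers removed.
 */
function scriptomatic_example_validate(string $content): array
{
    $errors = [];
    $warnings = [];

    // 1. UTF-8 validity (requires the mbstring extension). Stop here on failure:
    //    later byte-level checks are meaningless on undecodable input.
    if (!mb_check_encoding($content, 'UTF-8')) {
        return ['ok' => false, 'errors' => ['Content is not valid UTF-8.'], 'warnings' => [], 'content' => ''];
    }
    // 2. Control characters: reject C0 controls other than tab/LF/CR, and DEL.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $content)) {
        $errors[] = 'Disallowed control characters present.';
    }
    // 3. Maximum length, measured in bytes since it is a storage limit.
    if (strlen($content) > SCRIPTOMATIC_EXAMPLE_MAX_INLINE) {
        $errors[] = 'Inline script exceeds 100 KB.';
    }
    // 4. PHP tag detection: a script body must never carry PHP open/close tags.
    if (preg_match('/<\?php|\?>/i', $content)) {
        $errors[] = 'PHP tags are not allowed.';
    }
    // 5. Dangerous HTML tags produce a warning, not a rejection, as in the table.
    if (preg_match_all('/<\/?(iframe|object|embed|link|style|meta)\b/i', $content, $m)) {
        $found = array_unique(array_map('strtolower', $m[1]));
        $warnings[] = 'Tags needing review: ' . implode(', ', $found);
    }
    // 6. Strip <script ...> and </script> so the plugin can wrap the body itself.
    $clean = preg_replace('/<\/?script\b[^>]*>/i', '', $content);

    return ['ok' => $errors === [], 'errors' => $errors, 'warnings' => $warnings, 'content' => trim($clean)];
}

// Constructed sample inputs: a wrapped but harmless script, and a body with a PHP tag and a control byte.
print_r(scriptomatic_example_validate("<script type=\"text/javascript\">console.log('hi');</script>"));
print_r(scriptomatic_example_validate("<?php echo 1; ?>\x01<iframe src=x>"));
```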
See REST API Reference → Access Controls for full details.
Three independent controls in Preferences:
- Enable / Disable — `503 rest_api_disabled` when off
- IP Allowlist — `403 rest_ip_forbidden` for unlisted IPv4/IPv6/CIDR
- Allowed Users — `403 rest_user_forbidden` for unlisted administrators
All REST endpoints are POST-only. Authentication is exclusively via WordPress Application Passwords.
All upload paths (admin UI, REST API, WP-CLI) run through the same central validator:
- Extension must be `.js`
- MIME type validated via `finfo_open()`, with `mime_content_type()` as fallback
- File size checked against `wp_max_upload_size()`
- Must be a genuine HTTP file upload (`is_uploaded_file()`) — CLI callers use a synthetic flag to bypass this check safely
- All uploads are recorded in the Activity Log
All queries against the custom {prefix}scriptomatic_log and {prefix}scriptomatic_prefs_log tables use $wpdb->prepare() with typed placeholders (%i, %d, %s). No raw SQL from user input is ever concatenated into a query.
All content displayed in the WordPress admin interface is escaped with the appropriate WordPress escaping function (esc_html(), esc_attr(), esc_url(), wp_kses_post()) before output.
Every change — regardless of channel (Dashboard, REST API, WP-CLI) — is recorded in the Activity Log with a Via column. See Activity Log & Rollback for full details.
IP addresses are intentionally not logged (privacy decision).
Please report security vulnerabilities privately via:
- Email: See SECURITY.md
- GitHub: Security Advisories
Do not open a public GitHub issue for security vulnerabilities.