Files
hub-insurance/.claude/skills/wp-plugin-development/references/security.md
T
2026-07-02 15:54:39 -06:00

787 B

Security guardrails (plugin work)

Use this file when making security fixes or when handling any input/output.

Nonces + permissions

  • Nonces help prevent CSRF, not authorization.
  • Always pair nonces with capability checks (current_user_can() or a more specific capability).

Upstream reference:

Sanitization and escaping

Golden rule:

  • sanitize/validate on input, escape on output.

Practical rules:

  • never process the entire $_POST / $_GET array; read explicit keys
  • use wp_unslash() before sanitizing when needed
  • use prepared statements for SQL; avoid interpolating user input into queries

Common review guidance: