diff --git a/CLAUDE.md b/CLAUDE.md index 9ed9d1b..e416d7e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -32,14 +32,9 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w **Note for AI Assistants:** Clean this section after the specific features are done or new releases are made. Effective changes are tracked in `CHANGELOG.md`. Do not add completed versions here - document them in the Session History section at the end of this file. -### Version 0.7.0 +### Version 0.7.1 -This is a security version. It includes a full security audit and a remote check of a live version of this plugin on . The shop is the property of the plugin developer, all actions are permitted. - -- Check the sourcecode for best practises of all involved components, including checks for SQLi, XSRF, XSS and similar techniques -- Check the remote version for the OWASP Top 10 -- Check the whole licensing workflow -- Minimize the thread vectors +No pending features ## Technical Stack @@ -60,6 +55,13 @@ This is a security version. It includes a full security audit and a remote check - Nonce verification on form submissions - Output escaping in templates (`esc_attr`, `esc_html`, `esc_js`) - Direct file access prevention via `ABSPATH` check +- XSS-safe DOM construction in JavaScript (no `innerHTML` with user data) +- Rate limiting on API endpoints (configurable via `WC_LICENSE_RATE_LIMIT`) +- Rate limiting on frontend operations (transfers: 5/hour, downloads: 30/hour) +- CSV import limits (2MB max, 1000 rows max, 5-minute cooldown) +- IP detection with proxy support via `IpDetectionTrait` (supports `WC_LICENSE_TRUSTED_PROXIES`) +- SQL injection prevention using `$wpdb->prepare()` throughout +- Secure download URLs with hash verification using `hash_equals()` ### Translation Ready
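Review bot: the first hunk drops the only record in this file of the 0.7.0 audit scope (source review for SQLi, XSRF and XSS, OWASP Top 10 check of the live shop, licensing workflow, threat-vector reduction) and nothing in this diff shows where that outcome went; the note at the top of the section says effective changes belong in `CHANGELOG.md` and completed versions in the Session History section, so the same change should add those entries before the body is reduced to `No pending features`. Bumping the heading to `### Version 0.7.1` is fine once that record exists.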
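Review bot: the `IpDetectionTrait` bullet in the second hunk should say what the trait does when `WC_LICENSE_TRUSTED_PROXIES` is unset, because the rate limits listed just above it (API endpoints, transfers 5/hour, downloads 30/hour) are keyed on the detected client IP and are only as strong as the proxy trust list; a short clause such as "forwarded-for headers are honoured only from listed proxies, otherwise `REMOTE_ADDR` is used" (assuming that is the actual behaviour) would make the documented protection checkable. In the same list, `WC_LICENSE_RATE_LIMIT` should be documented with its default value and where it is expected to be defined (for a WordPress plugin, typically `wp-config.php`), and "`$wpdb->prepare()` throughout" reads as a verified guarantee; phrase it as the project convention unless every query has been audited against it.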