Nonce protection
All admin AJAX endpoints verify wp_verify_nonce( $nonce, 'opwa_admin' ) and check current_user_can('manage_options') before processing.
Input sanitisation
All settings are sanitised on save:
- URLs:
esc_url_raw() - Text:
sanitize_text_field() - HTML fields:
wp_kses_post() - Integers:
intval() - Booleans:
(bool)cast
VAPID private key storage
The VAPID private key PEM is stored in wp_options. Access requires the manage_options capability. If your site has untrusted admin users, consider encrypting the PEM at rest.
REST endpoints
The /beacon, /subscribe, and /unsubscribe endpoints are public (permission_callback: __return_true). They accept only JSON and sanitise all inputs. The beacon endpoint writes aggregated counts only — no raw URL storage.
Push payload
All push payloads are end-to-end encrypted (AES-128-GCM) before transmission. Only the subscriber's browser can decrypt the payload.
Content Security Policy
If your site uses a strict CSP, you will need to allow 'self' for worker-src (for the SW) and connect-src for the beacon REST endpoint.