
webdesign29 edited this page Jun 13, 2026 · 1 revision

Security

Trust model

  • Auto mode talks only to 127.0.0.1:80. The bext purge-proxy and SDK endpoints are loopback-gated on the bext side; no credentials are sent or needed.
  • Cloud mode sends an Authorization: Bearer <token> to a remote endpoint. The token is the trust boundary — see below.

The purge token (BEXT_PURGE_TOKEN)

  • Opt-in: the bext endpoint only honors a bearer token when BEXT_PURGE_TOKEN is set in the bext server's environment. Unset → remote purge is rejected (loopback/admin only).
  • Scoped: the token authorizes only POST /__bext/cache/purge-proxy, not the rest of the /__bext/* surface.
  • Constant-time comparison (bearer_token_eq): an empty token or a length mismatch is rejected up front, then the bytes are compared in constant time so the result does not depend on where they differ. The early length check reveals only the token's length, which is not secret when tokens are generated at a fixed size; it never reveals the contents.
  • Use a long random secret and send it only over HTTPS (a bearer token travels in the clear otherwise). Rotate by updating both the env var on the bext server and the plugin setting; purges issued between the two updates are rejected, and because purges are fire-and-forget (see Failure handling) that surfaces as a missed purge, not as an error on the WordPress request.
  • Known limitation: the token is not scoped to a tenant, so a valid token may purge any host the request names. Per-tenant scoping (one token → one host) is planned. Until then, keep a token within a single trust boundary (one operator, one set of hosts).
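The gating described in the two sections above, as an added example: an illustrative Go reimplementation written for this page, not bext's own code (bext's language and handler are not shown here). Taken from the page: the purge path, the BEXT_PURGE_TOKEN env var, loopback-only access when the token is unset, the token being valid for nothing but POST on the purge path, and the bearer_token_eq semantics (empty or length-mismatched tokens rejected, then a constant-time compare). Assumptions: the function names authorizeBext, bearerFromHeader and isLoopback, the HTTP status codes chosen for each rejection, and the listen address.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"os"
	"strings"
)

// purgePath is the only endpoint the bearer token may unlock (from the wiki).
const purgePath = "/__bext/cache/purge-proxy"

// bearerTokenEq mirrors the documented bearer_token_eq behaviour: empty or
// length-mismatched inputs are rejected first, then the bytes are compared
// with crypto/subtle so timing does not depend on the first differing byte.
func bearerTokenEq(got, want string) bool {
	if got == "" || want == "" || len(got) != len(want) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// bearerFromHeader extracts <token> from "Authorization: Bearer <token>";
// the scheme name is case-insensitive (RFC 7235). Returns "" when absent.
func bearerFromHeader(h string) string {
	const prefix = "Bearer "
	if len(h) < len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return ""
	}
	return strings.TrimSpace(h[len(prefix):])
}

// isLoopback checks the TCP peer address ("ip:port", IPv4 or IPv6). It must
// use the real peer, never X-Forwarded-For, or a remote caller could forge it.
func isLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// authorizeBext decides a request under /__bext/* (assumed name and codes):
//   loopback peer                                  -> 200 (all endpoints)
//   remote, anything but POST purgePath            -> 403 (token is scoped)
//   remote, configuredToken == "" (env var unset)  -> 403 (remote purge off)
//   remote, bad or missing bearer                  -> 401
//   remote, POST purgePath, token matches          -> 200
func authorizeBext(method, path, remoteAddr, authHeader, configuredToken string) int {
	if isLoopback(remoteAddr) {
		return http.StatusOK
	}
	if method != http.MethodPost || path != purgePath {
		return http.StatusForbidden
	}
	if configuredToken == "" {
		return http.StatusForbidden
	}
	if !bearerTokenEq(bearerFromHeader(authHeader), configuredToken) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// purgeHandler wraps the decision in an http.Handler; the purge itself is
// out of scope here and is replaced by an empty 204.
func purgeHandler(configuredToken string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code := authorizeBext(r.Method, r.URL.Path, r.RemoteAddr,
			r.Header.Get("Authorization"), configuredToken)
		if code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

func main() {
	// Unset env var -> "" -> remote purges are refused, loopback still works.
	token := os.Getenv("BEXT_PURGE_TOKEN")
	log.Fatal(http.ListenAndServe(":8080", purgeHandler(token))) // address assumed
}
```

The order of checks matters: the path and method are tested before the token, so a leaked token can only ever reach the purge endpoint, and the token is tested after the env-var check, so no comparison runs at all while remote purge is disabled.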

WordPress side

  • Admin pages and handlers require manage_options and verify a nonce (check_admin_referer / wp_nonce_field).
  • Output is escaped (esc_html / esc_url / esc_attr); request input is wp_unslash+sanitized.
  • The admin-bar "Purge this URL" link never reflects the raw request URI (avoiding the classic add_query_arg reflected XSS: called without a URL argument, add_query_arg builds on REQUEST_URI, so an unescaped result echoes attacker-controlled path or query text), and all admin-bar hrefs are esc_url-wrapped.
  • The plugin never edits wp-config.php, disables third-party plugins, or stores secrets in the repo. Tokens/keys live in the bext_wp_settings option or wp-config constants.

Personalization

Logged-in, WooCommerce-cart, comment-author, and preview requests get Cache-Control: private, no-store so a personalized response can never be cached under the anonymous key.

Failure handling

Every bext call is time-bounded and is_wp_error-checked, so a failure never breaks a WordPress request: the SDK email bridge falls back to native wp_mail, purges are fire-and-forget, and so on.

Reporting issues

Found a vulnerability? Please open a private advisory on the repository (Security → Report a vulnerability) rather than a public issue.
