=== WordSentinel ===
Contributors: nexsol, victorlago, maxouhell, guerricm
Donate link: https://buymeacoffee.com/nexsol.team
Tags: security headers, clickjacking, headers, CSP, SSL
Requires at least: 5.8
Requires PHP: 7.0
Tested up to: 6.9
Stable tag: 1.2.5
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html
Commercial: This plugin is free but offers additional paid commercial upgrades or support.

Secure your WordPress website with advanced HTTP headers, intelligent CSP management, and integrated Mozilla Observatory security analysis.

== Description ==

The **WordSentinel** plugin by **Nexsol Technologies Sàrl** enhances your WordPress website’s security by automatically applying and managing **HTTP security headers** — including **Content Security Policy (CSP)** — while providing live security analysis powered by **Mozilla Observatory**.

Unlike simple header managers, WordSentinel actively helps you understand, measure, and improve your site’s protection.  
It provides clear dashboards, actionable insights, and real-time grading so you can reinforce your headers with confidence — no deep technical knowledge required.

= What WordSentinel Does =

WordSentinel helps protect your WordPress website against common web vulnerabilities such as:
- Cross-Site Scripting (**XSS**)  
- Clickjacking attacks  
- Content injection and mixed content issues  
- Insecure resource loading (scripts, iframes, styles)

It does so by implementing a complete and configurable set of **browser-level security headers**, giving you granular control over each directive.

In addition, it connects securely to **Mozilla Observatory** to scan your site and assign a **security grade** (A+ to F), helping you benchmark your configuration and understand what needs improvement.

= Key Features =

* **Comprehensive HTTP Header Management**  
  Easily configure headers such as:  
  - Content Security Policy (CSP)  
  - Strict-Transport-Security (HSTS)  
  - X-Frame-Options  
  - Referrer-Policy  
  - X-Content-Type-Options  
  - Permissions-Policy  

* **Real-Time Security Analysis**  
  Instantly scan your site via Mozilla Observatory and get a visual security grade.  
  The plugin automatically handles rate limits with built-in cooldown protection.

* **Advanced CSP Management**  
  Create, test, and refine your CSP rules dynamically.  
  WordSentinel now supports automatic **hash generation for inline scripts and styles**, improving both flexibility and security.

* **Smart License and Subscription System**  
  The free version covers essential headers and analysis.  
  Premium users unlock advanced CSP tools, automatic reports, and custom integrations.  
  Licenses are securely validated through Nexsol’s API and cached locally for 24 hours.

* **Optimized for Local and Production Environments**  
  Automatically detects if you are running on localhost and disables API calls for safe testing.

* **Performance and Privacy First**  
  WordSentinel is lightweight, privacy-respecting, and runs entirely within WordPress.  
  No telemetry, analytics, or tracking are ever collected.

* **Multilingual and Accessible Interface**  
  Translated into six languages with an adaptive design inspired by Mozilla’s clean security aesthetic.

= Why Choose WordSentinel? =

- Easy setup — no coding skills required  
- Combines security headers and observatory analysis in one plugin  
- Works seamlessly with most WordPress security and caching plugins  
- Developed and maintained by Nexsol Technologies, a Swiss-based IT company  
- Transparent, privacy-respecting, and GPL-licensed

WordSentinel merges modern web security standards with a simple and intuitive configuration experience — making it a must-have for both developers and site owners who care about protection and compliance.

== External Services and API Usage ==

WordSentinel securely connects to a small number of external APIs to perform license validation and site analysis:

- **Mozilla Observatory API** – Used to analyze your website’s HTTP headers and generate a public security grade.  
  Data sent: only your site’s public URL.  
  Service: https://observatory.mozilla.org/api/

- **Nexsol License Validation API** – Used to verify premium licenses and maintain secure feature access.  
  Data sent: license key only.  
  Service: https://api.nexsol-tech.ch/wordsentinel/licenses

- **Nexsol Public Key API** – Used to securely retrieve the public keys required for validating license signatures.  
  Data sent: none.  
  Service: https://api.nexsol-tech.ch/wordsentinel/certs

All requests are transmitted securely via HTTPS.  
WordSentinel never sends personal information, usage analytics, or tracking data of any kind.

== Languages Supported ==

* English (default)
* Français (fr_FR)
* Deutsch (de_DE)
* Italiano (it_IT)
* Español (es_ES)
* Português Brasileiro (pt_BR)

== Installation ==

1. **Install WordSentinel**
   - Upload the plugin files to `/wp-content/plugins/wordsentinel/`, or install it directly from the WordPress Plugin Directory.  
   - Activate the plugin through the **Plugins** screen in WordPress.

2. **Run Your First Security Scan**
   - Navigate to **WordSentinel → Dashboard** in your admin sidebar.  
   - The first scan should run automatically, but if not you can click “Launch Scan” to analyze your site with **Mozilla Observatory**.  
   - View your grade and detailed results instantly.

3. **Configure Your Security Headers**
   - Go to the **Headers** tab, you will see that all options are enabled by default, you can toggle on and off HTTP headers such as CSP, HSTS, and Referrer-Policy.  
   - Save changes if you made any and verify results with another scan by clicking on “Launch Scan” at the top of the dashboard.

4. **Review Your Site**
   - Test your website normally to ensure compatibility with your active theme and plugins.  
   - WordSentinel automatically excludes the Divi Builder admin pages from CSP enforcement for a smooth experience.

5. **(Optional) Activate Premium Features**
   - Enter your license key under **WordSentinel → License** to unlock the **Advanced CSP** tab.  
   - Premium users gain access to granular Content Security Policy management, automatic hashing, and advanced resource control.

   Once activated, open the **Advanced CSP** tab to fine-tune how your website handles external resources and inline code.  
   Each field corresponds to a specific type of resource that browsers enforce under the CSP standard:

   * **Script Sources (`script-src`)** – Defines the trusted locations for JavaScript files.  
     Add domains such as `https://cdnjs.cloudflare.com` or `https://www.googletagmanager.com` if your site uses external scripts.  
     WordSentinel automatically hashes inline scripts when hashing is enabled.

   * **Style Sources (`style-src`)** – Controls which URLs can load CSS.  
     Include domains like `https://fonts.googleapis.com` for Google Fonts, or your CDN if styles are served externally.  
     WordSentinel can also hash inline styles for maximum compatibility and security.

   * **Image Sources (`img-src`)** – Specifies where images are allowed to load from.  
     For example, you might whitelist `https://cdn.yourhost.com` or `data:` if your theme uses base64-encoded images.

   * **Font Sources (`font-src`)** – Used for font files such as `.woff` or `.woff2`.  
     Common examples include `https://fonts.gstatic.com` or your CDN’s domain.

   * **Frame Sources (`frame-src`)** – Controls which external pages can be embedded in `<iframe>` elements.  
     For example, to allow YouTube or Vimeo embeds, add `https://www.youtube.com` and `https://player.vimeo.com`.

   * **Connect Sources (`connect-src`)** – Defines which endpoints can be called using APIs like `fetch()` or WebSockets.  
     This is critical for AJAX-heavy websites or third-party integrations.

   * **Media Sources (`media-src`)** – Whitelist locations for video or audio files.  
     If your website uses external streaming or hosted media, list their domains here.

   * **Default Sources (`default-src`)** – Acts as a fallback policy for any type of resource not covered above.  
     When in doubt, set this to `'self'` to restrict everything to your domain unless explicitly whitelisted elsewhere.

  ---
  💡 **When a Resource is Blocked**

  If your browser’s console shows an error such as:

    Refused to load the script from 'https://example.com'
    because it violates the Content Security Policy directive: "script-src 'self'"

  That means **WordSentinel is actively protecting your website** — the CSP is doing its job.  
  To resolve the issue, simply copy the indicated domain (`https://example.com`) and add it to the corresponding source list (e.g. “Script Sources”) in the **Advanced CSP** tab.  
  Save your changes, refresh your site, and the resource will load securely while keeping full CSP protection active.

  ---
  WordSentinel’s premium CSP module is designed to make advanced header configuration safe and understandable, even for non-developers — giving you both control and peace of mind.

== Frequently Asked Questions ==

= 1. What are HTTP security headers? =
HTTP security headers tell browsers how to handle your site’s resources safely, helping to prevent data leaks and malicious injections.

= 2. Do I need coding skills to use WordSentinel? =
No. Everything is managed through an intuitive interface with clear explanations and automatic validation.

= 3. Why does the “Scan” button have a cooldown? =
To comply with Mozilla Observatory’s API limits and prevent overloading the service, scans are limited to one per site every few minutes.

= 4. Will WordSentinel conflict with my caching or firewall plugins? =
No. WordSentinel adds headers at the HTTP level and is compatible with most caching, CDN, and security tools including Wordfence and Cloudflare.

== Screenshots ==

Protect your website with WordSentinel. 

1. The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison.
2. The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison.
3. The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison.
4. WordSentinel lets you configure which header is active.
5. Advanced CSP configuration panel, in this tab you can whitelist the external resources and assure a fully functional website without lowering the level of protection.

== License ==
This plugin is licensed under the GPLv2 or later.  
See the GPLv2 License for details: https://www.gnu.org/licenses/gpl-2.0.html

== Support ==
For documentation, updates, and premium features, visit https://nexsol-tech.ch/wordsentinel

== Changelog ==

= 1.2.4 – Novermber 11, 2025 =
* Improvement: Enhanced default CSP header in the free version to provide stronger baseline security for all users.

= 1.2.3 – October 31, 2025 =
* Feature: Added Domain Resource Scan — automatically detects external resources (scripts, styles, images, etc.) used on the site and adds them to the advanced CSP configuration.
* Feature: Added Launch resource scan button with integrated spinner and live status feedback.
* Improvement: Enhanced Advanced CSP tab with explanatory text and visual separation between user-defined and automatically detected sources.
* Improvement: Unified logic for license validation and domain scanning to reduce duplicate code.
* Improvement: Added full multilingual support (EN, FR, DE, ES, IT, PT-BR) for new scan-related messages.
* Fix: Corrected handling of CSP detected directives to ensure consistent key naming and reliable display in the admin UI.

= 1.2.2 – October 31, 2025 =
* Maintenance release: minor stability improvements and compatibility updates.
* Fix: Minor bug fixes.
* Improvement: Optimized async loading sequence for admin panels.
* Improvement: Updated translation strings and ensured full synchronization across all languages.

= 1.2.1 – October 24, 2025 =
* Feature: Added plugin screenshots for the WordPress.org listing.
* Improvement: Added screenshot descriptions for better presentation on plugin page.
* Fix: Minor alignment adjustments in admin panels.

= 1.2.0 – October 24, 2025 =
* Feature: Added hashing support for inline style tags in CSP.
* Improvement: Enhanced admin UI with asynchronous panel loading and smooth animations.
* Improvement: Centralized all license management logic in a single class.
* Improvement: Implemented 24-hour caching for license validation to reduce API requests.
* Improvement: Refined license validation messages and overall flow.
* Improvement: Excluded Divi Builder admin pages from CSP enforcement for compatibility.
* Improvement: Adopted Mozilla Observatory color palette for grade visuals.
* Improvement: Optimized execution order and structure of admin-script.js.
* Improvement: Completed translations in six languages (EN, FR, DE, ES, IT, PT-BR).
* Fix: Minor visual inconsistencies in the grade display panels.

= 1.1.0 – June 6, 2025 =
* Feature: Introduced premium features and subscription-based licensing system.
* Feature: Added advanced CSP management tools for premium users.
* Improvement: Enhanced security scanning with automated reporting.
* Improvement: Integrated secure license key validation and JWT handling.
* Improvement: Updated admin interface with clearer notices and refined UX.
* Improvement: Localized all plugin assets to remove CDN dependencies.
* Fix: Improved sanitization, nonce verification, and escaping across admin forms.
* Fix: Minor styling and layout inconsistencies.

= 1.0.2 – March 1, 2025 =
* Improvement: Confirmed compatibility with WordPress 6.8.

= 1.0 – February 2025 =
* Feature: Initial release with Mozilla Observatory integration.
* Feature: Added dashboard view and retry functionality with cooldown protection.

== Upgrade Notice ==
No upgrade notices available yet.