Security Guidelines For Developers

Every custom REST endpoint needs a narrow can_* permission method.
Do not rely on hidden buttons or frontend state for authorization.
Use WordPress nonces for browser requests and server-side capability checks for admin actions.
Sanitize request values and escape output, including ticket bodies, imported email content, filenames, staff notes, and integration data.
Treat email-piped content, chatbot input, guest tickets, and attachments as untrusted.
Do not log application passwords, OAuth tokens, license keys, survey tokens, private notes, raw push tokens, or full email bodies.
Do not expose private ticket/customer data through alsp_frontend_data.
Avoid direct table writes unless you are writing a controlled migration or have reviewed the model side effects.
Make webhook, email import, and external sync jobs idempotent.