All notable changes to this project will be documented in this file.
- `$_SERVER['HTTP_X_FORWARDED_PROTO']` is now unslashed and sanitized before use, following WPCS input-handling conventions (no functional or security impact — the value was only used in a string comparison; behavior is identical to v1.4.0)
- Flipped four comparisons to Yoda condition style (no behavior change)
- Added missing `@package` docblock tag and corrected docblock spacing (code-style only)
- HTTPS detection no longer uses a hostname-based heuristic (checking for a dot in `HTTP_HOST`). It now relies exclusively on a genuine `X-Forwarded-Proto: https` header, preventing false HTTPS detection on direct, non-proxied connections.
- `home_url()` and `site_url()` filters are now gated on the detected HTTPS state, so URLs are only rewritten to `https://` when HTTPS has actually been detected. Previously the rewrite was unconditional, which forced HTTPS URLs even on plain-HTTP paths.
- Initial public release
- Enforces HTTPS detection behind reverse proxies
- Corrects REST API resolution for Rank Math
- Skips enforcement during WP-CLI operations
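
The header-only HTTPS detection and the gated `home_url()`/`site_url()` rewriting described in the entries above, sketched as an added example that is not the plugin's own code. The `example_*` names and `EXAMPLE_TRUSTED_PROXIES` are hypothetical, and the `REMOTE_ADDR` allowlist is an assumption not stated in this changelog: it limits the header to requests that actually arrive from the proxy.

```php
<?php
// Added illustration, not the plugin's source. All example_* names and
// EXAMPLE_TRUSTED_PROXIES are hypothetical; 10.0.0.5 is a constructed address.
const EXAMPLE_TRUSTED_PROXIES = array( '10.0.0.5' );

/** True only when a trusted proxy reports the client connection as HTTPS. */
function example_forwarded_https( array $server ) {
	$remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
	if ( ! in_array( $remote, EXAMPLE_TRUSTED_PROXIES, true ) ) {
		return false; // Direct connection: the header is client-supplied.
	}
	if ( ! isset( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
		return false;
	}
	$raw = (string) $server['HTTP_X_FORWARDED_PROTO'];
	// In WordPress, unslash and sanitize (WPCS); plain PHP fallback otherwise.
	$proto = function_exists( 'wp_unslash' )
		? sanitize_text_field( wp_unslash( $raw ) )
		: trim( stripslashes( $raw ) );
	return 'https' === strtolower( $proto ); // Exact match, no hostname heuristic.
}

/** Filter callback: upgrade the scheme of a generated URL. */
function example_https_url( $url ) {
	return preg_replace( '#^http://#i', 'https://', $url );
}

if ( function_exists( 'add_filter' ) ) {
	$example_is_cli = defined( 'WP_CLI' ) && WP_CLI; // Skip under WP-CLI.
	if ( ! $example_is_cli && example_forwarded_https( $_SERVER ) ) {
		$_SERVER['HTTPS'] = 'on'; // is_ssl() now returns true.
		// Rewrites are registered only after HTTPS was actually detected.
		add_filter( 'home_url', 'example_https_url' );
		add_filter( 'site_url', 'example_https_url' );
	}
} else {
	// Stand-alone run (php example.php) over constructed requests.
	$cases = array(
		'proxied https' => array( 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https' ),
		'proxied http'  => array( 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http' ),
		'direct client' => array( 'REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https' ),
		'dotted host'   => array( 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'example.com' ),
	);
	foreach ( $cases as $label => $server ) {
		printf( "%-14s %s\n", $label, example_forwarded_https( $server ) ? 'https' : 'http' );
	}
}
```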