=== Toply SkimShield ===
Contributors: toply
Tags: woocommerce, security, checkout, script-monitoring, pci-dss
Requires at least: 5.8
Tested up to: 7.0
Stable tag: 1.0.4
Requires PHP: 7.4
Requires Plugins: woocommerce
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Real-time script integrity monitoring and CSP automation for WooCommerce checkout. No API dependencies. Detects unauthorized scripts on checkout.

== Description ==

= The Problem =

Imagine a hacker silently adds a piece of JavaScript code to your WooCommerce checkout page. Every time a customer types in their credit card number, that hidden code copies it and sends it to the hacker — without you or your customer ever knowing. This type of attack is called **checkout skimming**, and it is one of the most common ways online stores get compromised.

Toply SkimShield protects you by watching your checkout page and alerting you the moment anything changes.

= How It Works =

**Step 1 — Takes a snapshot**
When you run the first scan, the plugin looks at every JavaScript file loaded on your checkout page and saves a unique fingerprint (a hash) for each one. This becomes your approved baseline — the "normal" state of your checkout.

**Step 2 — Watches for changes**
Every time someone visits your checkout page, the plugin silently compares the live scripts against that saved baseline. If everything matches, nothing happens. If a new script appears or an existing one has been modified, the plugin raises an alert immediately.

**Step 3 — Notifies you by email**
The moment a suspicious change is detected, you receive an email with details: which script changed, what it looked like before, what it looks like now, and a direct link to review it in your dashboard.

**Step 4 — You decide what is legitimate**
In the admin dashboard you see a list of all scripts found on your checkout page. You approve the ones you recognise (WooCommerce, Stripe, PayPal, Google Analytics, etc.) and block anything that looks suspicious. The plugin remembers your decisions.

**Step 5 — Optionally block unauthorised scripts entirely (CSP)**
Once you have approved all your legitimate scripts, you can turn on the Content Security Policy feature. This tells the browser: "do not run any script on the checkout page that is not on the approved list." Even if a hacker manages to inject a script, the browser will refuse to execute it.

= Think of It Like a Security Camera for Your Checkout =

The first scan registers who is allowed in. Every visit after that checks: is there anyone new? If yes — alarm. No technical knowledge required to use it.

= Features =

* **Script monitoring** — detects new or modified scripts on every checkout page load
* **Instant email alerts** — notified the moment something changes, via the standard WordPress email system
* **Script whitelist** — approve or block scripts with one click from the admin dashboard
* **Content Security Policy** — automatically generates a CSP header based on your approved scripts; start in Report-Only mode to avoid breaking checkout, then switch to Enforce when ready
* **PCI-DSS compliance report** — generates a printable report covering requirements 6.4.3 and 12.10, ready to show to your payment processor or auditor
* **No external dependencies** — everything runs on your own server, no API keys, no third-party services, no data sent anywhere

= Who Needs This =

* Any WooCommerce store that accepts card payments
* Store owners who want to know immediately if their checkout page is tampered with
* Agencies managing WooCommerce stores on behalf of clients
* Stores that need to demonstrate PCI-DSS compliance

== Installation ==

1. Upload the `toply-skimshield` folder to the `/wp-content/plugins/` directory, or install directly through the WordPress plugin screen
2. Activate the plugin through the 'Plugins' screen in WordPress
3. Navigate to **SkimShield** in the WordPress admin sidebar menu
4. Click **Scan Now** on the Dashboard tab to detect and register all current checkout scripts
5. Go to the **Script Whitelist** tab — review the detected scripts and click **Approve** on each one you recognise
6. Optionally enable CSP in **Settings** starting with Report-Only mode, then switch to Enforce after 48 hours

== How to Test This Plugin ==

**Prerequisites:** WooCommerce must be active with at least one published product and a functioning checkout page (your shop must have a `/checkout/` page set up by WooCommerce).

**Step-by-step test procedure:**

1. **Install and activate** the plugin. Navigate to **SkimShield** in the admin sidebar.

2. **Run a manual scan** — on the Dashboard tab, click the **Scan Now** button. The plugin fetches the WooCommerce checkout page and extracts every script tag (both external `<script src="…">` and inline `<script>…</script>`).

3. **View detected scripts** — click the **Script Whitelist** tab. You will see a table listing all scripts found on the checkout page, each with its handle, source URL (or inline snippet), type (enqueued/inline), SHA-256 hash, and status (Pending).

4. **Approve scripts** — click the **Approve** button next to each legitimate script. The status changes to "Approved".

5. **Verify real-time monitoring** — visit your store's checkout page as a normal visitor (front-end). The plugin hooks into `wp_enqueue_scripts` at priority `PHP_INT_MAX` and records every script loaded. New scripts trigger an entry in the Incidents log.

6. **Check the Incidents tab** — any scripts detected for the first time generate an incident with severity "High". A hash change (simulating a tampering event) generates a "Critical" incident.

7. **Test email alerts** — make sure the Alert Email address in **Settings** is a deliverable inbox. Visit the checkout page with a browser. If any new script is detected, an HTML email is sent immediately via `wp_mail()`.

8. **Enable CSP (optional)** — go to **Settings**, enable "CSP Header", leave "Report-Only Mode" checked, and save. Visit the checkout page. The `Content-Security-Policy-Report-Only` HTTP header will now be present (verify with browser DevTools → Network → checkout request headers).

9. **Generate a compliance report** — click the **PCI-DSS Report** tab and review the auto-generated report covering requirements 6.4.3 and 12.10.

**Expected results after running Scan Now:**
- The Script Whitelist tab shows all scripts that are on the checkout page
- Each row shows the script handle, source, type (enqueued or inline), a truncated SHA-256 hash, and status
- Approve/Block/Remove action buttons are functional
- The Dashboard shows the count of Approved, Pending, and Blocked scripts

== Frequently Asked Questions ==

= Will this break my checkout? =

No. The monitoring is passive — it reads scripts, doesn't modify them. The CSP feature starts in Report-Only mode by default (scripts are not blocked, only logged), giving you time to whitelist all legitimate scripts before enforcing.

= Does it require any API key or external account? =

No. The plugin runs entirely on your WordPress server. No API keys, no external services.

= What happens when a legitimate plugin update changes a script? =

The plugin detects the hash change and alerts you. You simply review the change (which you would expect after a plugin update), confirm it is legitimate, and approve the new hash. The system learns your updated baseline.

= Does it support inline scripts? =

Yes. The scheduled scan (hourly by default) fetches the checkout page HTML and extracts both external script sources and inline script content, hashing each one.

= How does it send alerts? =

Via wp_mail() — the standard WordPress email system. No SMTP configuration is required beyond what your WordPress installation already has.

= Is it compatible with Stripe, PayPal, and other gateways? =

Yes. The plugin monitors all scripts on the checkout page regardless of which payment gateway you use. Popular payment gateway scripts (Stripe.js, PayPal SDK) will be detected on first scan and added to the whitelist for your approval.

= Nothing appears in the Script Whitelist after scanning — why? =

The manual scan fetches the checkout page via `wp_remote_get()`. Make sure:
- WooCommerce is active and a `/checkout/` page exists
- The checkout page is publicly accessible (not behind a password or maintenance mode)
- Your server can make outgoing HTTP requests to itself (loopback connections are enabled)

You can verify loopback connectivity from **Tools → Site Health → Info → WordPress Constants** — `WP_HTTP_BLOCK_EXTERNAL` should not be set to `true`.

== External services ==

This plugin does **not** connect to any external service for its core functionality. All script monitoring and hashing is performed locally on your server.

The auto-generated Content Security Policy (CSP) template includes default `frame-src` origins for common payment gateways (`https://www.paypal.com`, `https://js.stripe.com`, `https://fonts.gstatic.com`). These are included only as a default starting point to prevent checkout from breaking when you first enable the CSP feature. No data is transmitted by this plugin to those domains — the browser uses the CSP header to decide which external resources to load, independently of this plugin.

If your store does not use PayPal or Stripe, you can remove those origins via the Custom CSP Directives field in Settings.

== Screenshots ==

1. Dashboard — overview of protection status, recent incidents, and CSP policy
2. Script Whitelist — all checkout scripts with one-click approve/block actions
3. Incidents log — full history of detected anomalies with severity levels
4. PCI-DSS Compliance Report — printable compliance report for auditors
5. Settings — configure monitoring, alerts, and CSP behavior

== Changelog ==

= 1.0.4 =
* Fix: Script source column now wraps to show the full path instead of truncating with ellipsis

= 1.0.3 =
* Fix: Incidents badge and security alert now show only unresolved incidents (previously counted resolved incidents too)

= 1.0.2 =
* Add: Bulk "Resolve Selected" with checkboxes on the Incidents tab
* Add: "Resolve All" button to resolve all open incidents at once
* Add: Bulk "Approve Selected" with checkboxes on the Script Whitelist tab
* Add: "Approve All Pending" button to approve all pending scripts at once

= 1.0.1 =
* Fix: Incidents tab showed "No incidents recorded" even when incidents existed (variable name mismatch in admin controller)

= 1.0.0 =
* Initial release
* Script hash monitoring via WordPress hooks and scheduled scans
* Content Security Policy header generation and management
* Script whitelist with approve/block/delete actions
* Instant email alerts via wp_mail()
* PCI-DSS v4.0 compliance report (requirements 6.4.3, 12.10)
* Incident log with severity levels and resolution tracking

== Upgrade Notice ==

= 1.0.4 =
Fix: full script path now visible in whitelist and incidents tables.

= 1.0.3 =
Fix: incidents badge now excludes resolved incidents.

= 1.0.2 =
Adds bulk resolve and bulk approve actions for faster incident management.

= 1.0.1 =
Bug fix: Incidents tab now correctly displays all recorded security incidents.

= 1.0.0 =
Initial release.
