Guard-based security layer
Order Daemon uses a Guard-based security layer for all sensitive operations. Guards cover three concerns:
| Guard type | What it checks |
|---|---|
| Capability guard | Whether the current user has the required WordPress capability |
| Nonce guard | CSRF protection for admin form submissions and AJAX requests |
| Request guard | Validates inbound webhook authenticity (signature/HMAC) |
Every guard check – pass or fail – is recorded in the audit log. This means you have a complete trail of who accessed what and when, including failed access attempts.
The guards are implemented as composable wrappers rather than standalone utilities, so any combination can be applied to a given operation without duplicating logic.
For developer reference on using guards in custom code, see Security Guards.
Webhook endpoint security
The webhook receiver at POST /wp-json/odcm/v1/webhooks/{gateway} is intentionally open so external payment processors can reach it without being logged in. Authentication is provided by the gateway’s own signing mechanism – typically an HMAC signature in a request header.
Built-in adapters (Stripe, PayPal, Generic) validate these signatures before processing the payload. If you build a custom gateway adapter, your validateAuthenticity() method must implement the same check.
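An added example of that check, not code from Order Daemon itself: a hypothetical custom adapter whose validateAuthenticity() verifies an HMAC-SHA256 signature over the raw request body. The method signature (WP_REST_Request in, bool out), the option name holding the shared secret and the X-Example-Signature header are assumptions, not taken from the plugin.

```php
<?php
// Added example (not Order Daemon's own code): a hypothetical custom gateway
// adapter whose validateAuthenticity() verifies an HMAC-SHA256 signature.
// Assumptions (not from the page): the method receives a WP_REST_Request and
// returns bool, the shared secret is stored in the 'odcm_example_webhook_secret'
// option, and the gateway sends the hex digest in an 'X-Example-Signature' header.
class Example_Gateway_Adapter {

    // WP_REST_Request::get_header() canonicalises header names, so lowercase is fine.
    private const SIGNATURE_HEADER = 'x-example-signature';

    public function validateAuthenticity( WP_REST_Request $request ): bool {
        $secret = (string) get_option( 'odcm_example_webhook_secret', '' );
        if ( $secret === '' ) {
            // Fail closed: an unconfigured secret must never mean "accept everything".
            return false;
        }

        $provided = $request->get_header( self::SIGNATURE_HEADER );
        if ( ! is_string( $provided ) || $provided === '' ) {
            // Missing signature header: reject before touching the payload.
            return false;
        }

        // Sign the raw body exactly as received. Re-encoding parsed JSON would
        // change whitespace and key order and break the comparison.
        $expected = hash_hmac( 'sha256', $request->get_body(), $secret );

        // Constant-time comparison: a plain === leaks timing information about
        // how many leading characters of the digest matched.
        return hash_equals( $expected, strtolower( trim( $provided ) ) );
    }
}
```

If the gateway's signing scheme also includes a timestamp, the adapter should additionally reject signatures older than a short tolerance window to limit replay of a captured request.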
Webhook URLs should be treated as credentials: do not share them publicly, and rotate them if you suspect they have been exposed.
Note: Order Daemon webhook endpoints return HTTP 200 even when no rules matched or processing encountered a non-fatal error. This is intentional – payment processors retry on any non-200 response, which can cause duplicate events. Check the Insight Dashboard or the response body for the actual outcome.
REST API access
Admin REST endpoints (Rule Builder CRUD, Audit Log queries, diagnostic endpoints) require the manage_woocommerce capability. This maps to the WooCommerce Administrator and Shop Manager roles by default.
The capability check is enforced at the permission_callback level in every endpoint controller, not just in the UI. Bypassing the admin interface does not bypass the permission check.
Access control recommendations
- Limit the Administrator and Shop Manager roles to users who genuinely need them
- Use strong passwords and two-factor authentication for all admin accounts
- If you use a Web Application Firewall or security plugin, ensure it allows WordPress REST API requests for logged-in admin users – some configurations block wp-json/ requests by default
- Treat webhook URLs as credentials: keep them private and use the HMAC signing option when configuring generic webhooks
Debug mode
define('ODCM_DEBUG', true) in wp-config.php enables verbose logging and activates additional diagnostic REST endpoints. These endpoints expose internal state information. Do not enable debug mode in production.