docs/hardening.instructions.md
Use these code hardening rules for automated reviews with minimal false positives.
Trust boundary model: Apply input-validation rules only at the first untrusted ingress point (HTTP/JSON API body or query string, WebSocket payload, UDP datagram, TCP read, serial command, ESP-NOW raw messages). Values that have been validated and range-clamped at ingress are trusted for internal WLED processing. Do not flag subsequent uses or internal copies of already-sanitized data.
- Unbounded copies (`memcpy`, `memmove`, `strcpy`) in firmware paths when the source buffer or size comes from an untrusted origin; prefer bounded alternatives (`strncpy`, `strlcpy`); require length validation before copying.
- `DEBUG_PRINTF*` and similar logging APIs.
- Unsafe HTML insertion (`innerHTML`). Server-side generation of JavaScript property-assignment statements (as used in WLED's `printSetForm*` helpers) is exempt.
- `eval`, `new Function`, string timers.
- `wsec.json`.
- `@main`/`@master` disallowed.
- Unbounded string functions (`strcmp`, `strchr`, `strlen`, `sprintf`) in firmware paths; prefer bounded alternatives (`strnlen`, `strncmp`, `snprintf`).
- `String` growth in hot paths; prefer bounded/pre-allocated buffers.
- `postMessage` listeners.
- `permissions` least-privilege.
- `WLED_ENABLE_*` / `WLED_DISABLE_*` names are valid known flags.
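Added example (not WLED code): the trust boundary model and the bounded-copy rules above applied to one firmware ingress point. The datagram layout, `NAME_MAX`, `BRI_MAX` and the sample packets are constructed for illustration; the ingress parser validates length before copying, bounds the copy and clamps the value, and the internal consumer uses the result without re-checking it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical datagram layout, constructed for this example (not WLED's real UDP format):
 * byte 0 = preset-name length n, bytes 1..n = name (no NUL), byte n+1 = brightness. */
#define NAME_MAX 15
#define BRI_MAX  200   /* assumed firmware brightness ceiling (constructed value) */

typedef struct { char name[NAME_MAX + 1]; uint8_t bri; } ingress_cmd_t;

/* Ingress point: length is validated BEFORE any copy, the copy is bounded by the checked
 * length, and the numeric field is range-clamped. Everything in *out is trusted afterwards,
 * so internal consumers need not re-check it (the trust boundary model above). */
bool parse_datagram(const uint8_t *pkt, size_t len, ingress_cmd_t *out) {
  if (pkt == NULL || out == NULL || len < 2) return false;
  size_t n = pkt[0];
  if (n > NAME_MAX) return false;   /* sender-controlled size exceeds our buffer */
  if (len < n + 2) return false;    /* name bytes or brightness byte missing */
  memcpy(out->name, pkt + 1, n);    /* bounded: n <= NAME_MAX, proven above */
  out->name[n] = '\0';
  out->bri = pkt[n + 1] > BRI_MAX ? BRI_MAX : pkt[n + 1];
  return true;
}

/* Internal consumer of trusted data: bounded formatting. Returns bytes actually stored
 * (excluding NUL). snprintf reports the length it WANTED to write, which can exceed
 * buflen on truncation, so the stored length is derived from that return value. */
size_t format_status(const ingress_cmd_t *cmd, char *buf, size_t buflen) {
  if (buflen == 0) return 0;
  int n = snprintf(buf, buflen, "preset=%s bri=%u", cmd->name, cmd->bri);
  if (n < 0) return 0;
  return (size_t)n >= buflen ? buflen - 1 : (size_t)n;
}

/* Constructed sample datagrams. */
static const uint8_t SAMPLE_OK[]        = {3, 'a', 'b', 'c', 250}; /* valid; brightness above ceiling */
static const uint8_t SAMPLE_TRUNCATED[] = {5, 'a', 'b'};           /* claims 5 name bytes, sends 2 */
static const uint8_t SAMPLE_OVERSIZE[]  = {16, 'x', 'y'};          /* name length > NAME_MAX */

/* Helpers for stand-alone checks: parse into a static struct (NULL on rejection); format
 * into a deliberately small buffer to show truncation stays within bounds. */
static ingress_cmd_t scratch;
ingress_cmd_t *parse_or_null(const uint8_t *pkt, size_t len) {
  return parse_datagram(pkt, len, &scratch) ? &scratch : NULL;
}
size_t status_len_small(const ingress_cmd_t *cmd) {
  char buf[12];
  return format_status(cmd, buf, sizeof buf);
}
```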