Wheels 4.0 — 40+ security-hardening PRs, bucketed and linked

[bpamiri]

Security was one of the largest investments in the 4.0 cycle. This post summarizes what changed, grouped by theme. Every claim links to a merged PR in the full audit.

Themes

SQL injection

Every interpolation path into generated SQL was audited. The fixes:

• QueryBuilder — property + operator validation before substitution (#2025).
• ORDER BY — same parser as WHERE, rejects untrusted identifiers (#2026).
• $quoteValue — proper single-quote escaping (#2033).
• Scope handlers — argument sanitization (#2043, #2045, #2056, #2061, #2070, #2090).
• Enum WHERE clauses — proper value binding (#2023, #2056, #2070).
• include in UPDATE — identifier validation (#2047).
• Index hints — $indexHint now validates (#2058).
• Geography and WKT — SRID and WKT handling tightened (#2044, #2055).

Path traversal

• Partial rendering — includePartial("../...") blocked (#2071).
• guideImage endpoint (#2037).
• MCP documentation reader (#2049).
• Encoded-bypass attempts (#2089).

Console / reload

• consoleeval hardened — POST-only, robust IPv6, Content-Type checks (#2059).
• Reload password comparison — constant-time + rate-limiting (#2077), hash-based (#2022).

Defaults hardened (7 breaking changes)

• CORS default: wildcard → deny-all (#2039).
• HSTS default-on in production (#2081) with explicit off-switch in 4.0.x (#2195).
• CSRF cookie SameSite default (#2035).
• RateLimiter trustProxy=false (#2024).
• RateLimiter proxy strategy last (#2088).
• allowEnvironmentSwitchViaUrl false in production (#2076).
• Non-empty reload password required for env switching in production (#2082).

Additionally, RateLimiter now fails closed on lock timeout rather than open (#2069).

MCP endpoint

Used by AI coding assistants; tightened end-to-end:

• Auth gate + input validation (#2050).
• Path-traversal guards (#2049, #2062).
• Error suppression (#2072).
• Port validation (#2075).
• Structural allowlist for commands (#2083).
• CSRNG session tokens (#2087).
• Shell-argument sanitization in db shell + deploy (#2040, #2068, #2073).

Upgrade guidance

Each breaking change is covered in the upgrade guide with a consistent detect / fix / opt-out structure. The Legacy Compatibility Adapter provides a soft-landing path for staged migrations.

Question for the thread

If you run security audits of your stack, which of these categories would you most want to see expanded in 4.0.x point releases? The framework side is tightened; the gap is in documentation and in patterns for application-level security (auth, session storage, MFA).

Read the full post: https://blog.wheels.dev/posts/security-hardening-in-wheels-4/