= 3.4.0 - 2026-05-29 =
*   Security - Scope security headers and CSP to front-end requests only (skip admin, AJAX, cron, REST, and login contexts)
*   Security - Make HSTS includeSubdomains and preload opt-in via new hsts_subdomains and hsts_preload settings (base header is now max-age only)
*   Security - Validate GA4 measurement ID against ^G-[A-Z0-9]{4,20}$ at save time with a defense-in-depth guard before output
*   Security - Only write WP_CACHE to wp-config.php when an advanced-cache.php drop-in exists; remove stale constant otherwise
*   Security - Document php_version limitation inline (header_remove only; expose_php must be changed at php.ini/server level)
*   Fix - Replace add_filter('init', ...) with add_action('init', ...) in metatags
*   Fix - De-duplicate pingback removal (now handled solely by Flashspeed_Remove_Pingback_Link)
*   Fix - Remove dead inline CodeMirror init; editors are initialized by flashspeed.js via the .codemirror-js selector
*   Fix - Add wp_footer (priority 0) fallback for body tracking code on themes that don't call wp_body_open(), with a static guard against double output
*   Fix - Bust the get_setting() static cache on option changes via a new $flush flag and flush_settings_cache() helper
*   Improvement - Move page preloading and resource hints from Pro to the Growth plan
*   Improvement - Load admin menu icon styles on all admin pages
*   Remove - Drop the deprecated schemeless/protocol-relative URL option and its loader filters
*   Chore - Sync composer.json version and remove the unused zen-settings VCS repository
*   Chore - Update wp-cli/wp-config-transformer from v1.4.2 to v1.4.4
*   Chore - Update Freemius SDK
*   Chore - Update WordPress and WooCommerce tested-up-to compatibility versions

= 3.3.0 - 2026-02-09 =
*   Security - Replace exec() with token_get_all() for wp-config.php syntax validation
*   Security - Sanitize textarea and code field storage with wp_kses_post() to prevent stored XSS
*   Security - Replace @unlink() with $wp_filesystem->delete() for proper error handling
*   Security - Replace direct file_exists/file_get_contents calls with VIP-safe alternatives
*   Security - Add ABSPATH guard to main plugin file
*   Security - Fix plan-gating key mismatch allowing premium settings bypass
*   Security - Escape SVG icon output with wp_kses and dedicated SVG allowlist
*   Security - Remove file_get_contents('php://input') dead code path in AJAX handler
*   Security - Use wp_unslash() on $_POST data in AJAX autosave handler
*   Fix - Core update email suppression now works (strict comparison bug with string vs integer)
*   Fix - Use strict (int) cast comparisons in all agency.php update filters
*   Fix - Add null guards in flashspeed.js to prevent TypeError on free plans
*   Fix - Scope admin menu icon inline styles to plugin pages only
*   Fix - Add null check for get_current_screen() in agency.php
*   Fix - Remove unused FlashSpeed_Admin_Notice_Post_revisions() dead code
*   Performance - Fix schema static cache being bypassed by has_filter() check
*   Performance - Only register Google Maps/Fonts hook when settings are enabled
*   Performance - Replace raw inline script output with wp_add_inline_script() in cache.php
*   VIP - Replace glob() with $wp_filesystem->dirlist() for backup cleanup
*   VIP - Replace error_log() with trigger_error() for debug logging
*   VIP - Replace filemtime() with $wp_filesystem->mtime()
*   VIP - Replace parse_url() with wp_parse_url() in cache.php
*   VIP - Replace directory traversal wp-config lookup with ABSPATH-based check
*   WPCS - Use empty array [] instead of false for wp_enqueue_style/script $deps parameter
*   WPCS - Replace all loose == comparisons with strict === across headers.php, metatags.php, assets.php
*   WPCS - Replace ternary-as-statement with proper if blocks in metatags.php
*   WPCS - Escape all dynamic output in settings renderer (EscapeOutput compliance)
*   WPCS - Escape $cross output in cache.php preconnect/preload
*   WPCS - Add translators comment for i18n placeholder in advanced.php
*   WPCS - Set explicit version string for dummy jQuery registration
*   WPCS - Add phpcs:ignore for NonceVerification on front-end $_GET read in assets.php
*   WPCS - Prefix all global variables with flashspeed_ in config.php and agency.php
*   WPCS - Match plugin header name to readme.txt
*   Compatibility - Declare WooCommerce feature compatibility for Product Editor, Cart/Checkout Blocks, and Product Object Caching
*   Chore - Remove .DS_Store files from distribution

= 3.2.1 - 2025-12-26 =
*   Improvement - Add missing textarea selectors to JavaScript feature gating for Growth and Pro plans
*   Improvement - Add FLASHSPEED_OPTION constant for consistent option name usage
*   Improvement - Use consistent FLASHSPEED_ROOT constant for all file paths
*   Fix - Remove commented dead code for cleaner codebase
*   Code Quality - Comprehensive code cleanup and optimization in main plugin file

= 3.1.0 - 2025-12-03 =
*   Security - Add comprehensive header injection validation with control character filtering
*   Security - Implement Content Security Policy (CSP) validation with directive whitelisting
*   Security - Add ReDoS protection to all regex operations (Google Maps, Google Fonts, Pingback)
*   Security - Add input validation and PCRE limits to prevent regex-based DoS attacks
*   Improvement - Replace output buffering with targeted WordPress filters for better performance
*   Improvement - Remove Google Maps/Fonts via script/style loader filters instead of HTML parsing
*   Improvement - Remove pingback links directly via wp_head action instead of output buffering
*   Improvement - Add static caching to settings schema generation to prevent redundant processing
*   Improvement - Optimize settings retrieval with static caching to reduce database queries
*   Improvement - Add comprehensive error handling for wp-config.php modifications
*   Improvement - Implement automatic backup creation before wp-config.php changes
*   Improvement - Add syntax validation (php -l) before applying wp-config.php modifications
*   Improvement - Add automatic rollback mechanism on wp-config.php modification failure
*   Improvement - Remove duplicate emoji removal code to improve performance
*   Improvement - Add robust output buffer error handling with level checks and shutdown handlers
*   Improvement - Add error logging for regex failures when WP_DEBUG is enabled
*   Improvement - Implement graceful degradation on regex errors
*   Fix - Remove ~128 lines of complex buffer management code
*   Fix - Eliminate buffer overflow and nesting issues
*   Fix - Reduce memory usage by eliminating full HTML output buffering
*   Performance - Significant reduction in CPU usage (no regex on full HTML output)
*   Performance - Reduced memory footprint (no HTML buffering)
*   Performance - Faster execution time (targeted filters vs full page processing)

= 3.0.0 - 2025-11-10 =
*   Improvement - brand-new JSON schema-driven settings UI
*   Improvement - add CodeMirror editor refresh on tab switch
*   Improvement - minify GA4 analytics and Instant Page scripts
*   Improvement - validate delay value and add data-wp-strategy attribute to script tag
*   Improvement - remove duplicate oembed discovery links removal
*   Improvement - code refactoring, prune dead code
*   Improvement - update tom-select vendor files

= 2.1.0 - 2025-09-06 =
*   Update - Zen Settings, FS
*   Fix - translations loading too early
*   Fix - admin notice output to prevent XSS vulnerabilities
*   Improvement - WooCommerce HPOS compatibility
*   Improvement - favicon handling
*   Improvement - agency features list
*   Improvement - preconnect/preload link tag generation
*   Improvement - tracking code sanitization
*   Improvement - instant page script loading
*   Improvement - wp-config.php file permission checks

= 2.0.6 - 2025-06-16 =
*   Update - Zen Settings v1.0.7

= 2.0.5 - 2025-06-15 =
*   Enhancement - optimize translations loading timing
*   Enhancement - tested compatibility with WordPress 6.8.1 and WooCommerce 9.9
*   Update - FS
*   Update - Zen Settings v1.0.6

= 2.0.4 - 2025-06-15 =
*   Enhancement - improve the sidebar's mobile styles
*   Update - FS
*   Update - Zen Settings v1.0.5

= 2.0.3 - 2023-09-03 =
*   Add - nonce and hidden fields
*   Add - agency options
*   Add - WooCommerce HPOS compatibility
*   Enhancement - improve the sidebar's mobile styles
*   Enhancement - only save constants on our settings page
*   Enhancement - only display the admin notice on our settings page
*   Enhancement - make the notice dismissable
*   Update - FS
*   Update - Zen Settings v1.0.3

= 2.0.2 - 2023-07-04 =
*   Fix - additional check to ensure wp-config.php is writable
*   Fix - php_cs fixes
*   Add - custom admin notice

= 2.0.1 - 2023-07-03 =
*   New - reword readme
*   Enhancement - lighter CSS file, improvements 
*   Enhancement - ensure plugin assets are only loaded on our settings page
*   Enhancement - correctly handles promobox
*   Enhancement - scaffold Agency options
*   Update - Zen Settings v1.0.2

= 2.0.0 - 2023-06-27 =
*   New - complete plugin rewrite for much improved performance
*   New - brand-new UI
*   New - add more options and field types
*   Enhancement - refactor and improve fields functions
*   Enhancement - more escaping and sanitizing in the admin functions
*   Enhancement - many speed improvements over version 1.x
*   Update - Instant Page
*   Update - FS

= 1.1.2 - 2023-05-29 =
*   Enhancement - refactor and improve fields functions
*   Enhancement - more escaping and sanitizing in the admin functions
*   New - add some more fields

= 1.1.1 - 2023-04-27 =
*   Enhancement - group all jQuery options together
*   Enhancement - namespace admin fields to reduce conflicts with other plugins
*   Fix - solve warning in Permission Policy module
*   Fix - order assets dependencies in a consistent order

= 1.1.0 - 2023-04-12 =
*   Enhancement - brand-new user interface
*   Enhancement - improve code logic for security headers to ensure they are not output twice
*   Enhancement - add help text to textarea options
*   Enhancement - use prepare() for queries
*   Enhancement - only load assets for our plugin page
*   Update - upgrade instant.page
*   Update - POT file and translations
*   Update - tested comptability with WP 6.2.0
*   Update - FS library

= 1.0.7 – 2022-11-17
*   Enhancement – improve code logic for security headers to ensure they are not output twice.
*   Enhancement – add help text to options
*   Enhancement – use prepare() for queries
*   Update – upgrade instant.page
*   Update – POT file and translations
*   Update – tested comptability with WP 6.1.1
*   Update – FS library

= 1.0.6 - 2022-09-01 =
*   Fix - ensure menu icon displays correctly in latest Chrome versions
*   Update - FS library for PHP8

= 1.0.5 - 2022-07-03 =
*   Enhancement - more consistent variable names
*   Enhancement - bump WordPress and PHP version requirements
*   Enhancement - cleaner URLs for preload script
*   Add - Expect-CT header

= 1.0.4.3 - 2022-07-01 =
*   Enhancement - additional escaping
*   Fix - correct file path

= 1.0.3 - 2022-06-30 =
*   Enhancement - escaping
*   Enhancement - change plugin name and slug

= 1.0.2 - 2022-06-29 =
*   Enhancement - prefix all options and function names
*   Enhancement - add missing doc blocks
*   Enhancement - change textdomain
*   Update - readme.txt

= 1.0.1 - 2022-06-27 =
*   First public release