The API handles the nonce for the form part because you’re using the settings_fields
call, which outputs the *-options nonce, and you’re passing the data to the options.php
file for saving, which checks that nonce for you before saving the settings. This part the Settings API does indeed do for you.
However, your tab code is not in that form. It’s just links. The links have no nonces on them, and the code you have to use the data from the GET parts don’t do any nonce checking.
Now, technically this is okay as long as you’re not saving any data here. The purpose of a nonce is to verify intent when submitting data, and if you’re not submitting any data that gets saved or used in any real way, then you don’t need to verify that intent. The only thing your tab selection does here is to change what fields are displayed on the page.
You might want to consider eliminating the tabs entirely and displaying the whole form, with all settings, on the same page. If you want organization in tabbed form, you’d be better off with javascript or CSS to decorate the page. Also consider accessibility, in that having the form as-a-whole might be better for users who want to make all the changes at once rather than have to configure things on multiple pages or navigate to them with links at the top of the page.