REST API – CSRF | WordPress.org

Alan Fuller
(@alanfuller)

3 years, 8 months ago
Hi,

I want to build an endpoint but restrict the front end to the originating site, because the back end is accessing an ‘expensive’ API.

I read this https://developer.wordpress.org/rest-api/frequently-asked-questions/#why-is-the-rest-api-not-verifying-the-incoming-origin-header-does-this-expose-my-site-to-csrf-attacks

Can anyone elaborate on

but if you wish to prevent your site from being accessed from unknown origins you may unhook the default rest_send_cors_headers function from the rest_pre_serve_request filter hook, then hook in your own function to that same filter to specify stricter CORS headers.

TIA
- This topic was modified 3 years, 8 months ago by Alan Fuller. Reason: wrong url
- This topic was modified 3 years, 8 months ago by Alan Fuller. Reason: right url to doc
- This topic was modified 3 years, 8 months ago by Steven Stern (sterndata).

Viewing 3 replies - 1 through 3 (of 3 total)

Vijay Hardaha
(@vijayhardaha)

3 years, 8 months ago

Sorry, I might be wrong to understand your question.
but those just state, that if you want to allow only a specific origin then you’ll have to unhook the default cors header function then add your custom cors header function in the same hook.

Here is some ref. I found for example
https://gist.github.com/miya0001/d6508b9ba52df5aedc78fca186ff6088
https://github.com/WP-API/WP-API/issues/2844#issuecomment-275930957
https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/
https://developer.wordpress.org/reference/functions/rest_send_cors_headers/
Thread Starter Alan Fuller
(@alanfuller)

3 years, 8 months ago
Hi Vijay,

Really my question now is in two parts – if I use
```
remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
	add_filter( 'rest_pre_serve_request', function( $value ) {
```
Then it looks lik ethat applies to all WP REST API end points. Is that right – as I only want it to apply to my custom end point.

This article https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/

says

That said, keep in mind that the class WP_REST_Response, which should be used for all responses, also gives you the ability to add headers. Any headers unique to a request should be set there.

But now i’m thinking that setting headers is not the right approach anyway and I should uses nonces from the from end to back end to restrict access to the end point – what do you think?
Vijay Hardaha
(@vijayhardaha)

3 years, 8 months ago

You can go with nonce or maybe using $request->get_route() you can compare the route then apply custom headers. but you’ll have to remove the existing hook then in the new hook functions, will have to take 3 args then compare the route, then if matched then set your new headers otherwise set the original headers again from the existing function that we unhooked before.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘REST API – CSRF’ is closed to new replies.

REST API – CSRF

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics