Ajax Security regarding user priviliges and nonces

The note is about the use of is_admin() to determine if a user has privileges to do something, because in every other context except admin-ajax.php, that will only be true for a logged in user. You can still use the API to determine if a user is logged in and who they are, and as long as you do that, and operate on that data, it is as safe as any other type of request.

Nonces can increase security by enforcing intent to invoke an action. Links that trigger AJAX requests can be forged by others, and if someone gets a logged in user to unknowingly click one of those links, it can invoke an action the user did not intend to. Nonces aim to prevent this by adding a unique identifier that is only good for a specific action, and expires. By checking that nonce, you can be more confident that the user intended to invoke that action and the request is not forged.

Related Posts:

  1. Nonces and Cache
  2. Is it safe to assume that a nonce may be validated more than once?
  3. Multiple ajax nonce requests
  4. Nonces, AJAX, script variables & security in WordPress
  5. How do I check if AJAX nonces are implemented correctly?
  6. WP Admin AJAX Security – using POST to include a relative URL
  7. ajax nonce verification failing
  8. Why does check_ajax_referer give a 403 error on https websites?
  9. Using nonce when loading posts with AJAX
  10. Should wordpress nonce be placed in html form or in javascript file
  11. How to get a unique nonce for each Ajax request?
  12. WordPress Ajax Data Security
  13. Nonces can be reused multiple times? Bug / Security issue?
  14. Using Nonces for AJAX that only retrieves data
  15. How to verify nonce from Bulk/Quick Edit in save_post?
  16. How to add WordPress nonces to ajax request
  17. Security – Ajax and Nonce use [closed]
  18. Nonces and Ajax request to REST API and verification
  19. Ajax function returns -1
  20. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  21. wp_verify_nonce always returns false when logged in as admin
  22. ajax and nonce when JavaScript is in a seperate file
  23. wp_verify_nonce doesn’t return true on server when it matches the nonce
  24. AJAX requests broken due to HTTPS for wp-admin
  25. Why does WordPress Heartbeat login not refresh the nonces?
  26. wp-admin AJAX with Fetch API is done without user
  27. How to check an ajax nonce in PHP
  28. Can a wp_nonce created from domain 1 to be verified on domain 2?
  29. Is it safe to manually sign a user in using AJAX?
  30. how to send Ajax request in wordpress backend
  31. Identical wp_rest nonce returned from rest_api
  32. wp_create_nonce() in REST API makes user->ID zero
  33. SSO autologin WordPress + Ajax
  34. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  35. Nonce fails on ajax save
  36. Is it secure to use admin-ajax.php in front?
  37. Unable to successfully verify nonce
  38. Cache plugins and ajax nonce verification
  39. Nonce doesn’t validate in nopriv call
  40. WordPress is creating nonce as a logged in user but verifying it incorrectly
  41. javascript ajax and nonce
  42. How to check nonce lifetime value of plugins?
  43. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  44. Custom RPC end-point security best pratice?
  45. How to prevent my external API call from being called by anyone but me (my site)
  46. wp_verify_nonce not working on the mobile device
  47. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  48. check_ajax_reffer not working when logged
  49. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  50. AJAX form not working, still reloads on submit
  51. How to use nonces for frontend AJAX voting if the page gets cached?
  52. Can I make an ajax response cross-domain?
  53. WordPress wp_localize_script nonce and ajax URL
  54. Using Backbone with the WordPress AJAX API
  55. How do I hook an Ajax request into a PHP callback?
  56. Gutenberg – how to correctly perform ajax request on backend
  57. get_template_part execute with ajax
  58. How declare Ajax functions ussing SHORTINIT
  59. Load custom formatted comment with AJAX: reply link isn’t rendered?
  60. Is there a way to optimize function that is used for returning data in an ajax-call?
  61. WP REST API route request explain
  62. Check if username exist with AJAX
  63. WooCommerce: Translation lost on AJAX call in Checkout page [closed]
  64. Async Loading of Custom Posts
  65. Call javascript function when category was added via ajax
  66. How to add WP API and JS featured image attachment
  67. Using AJAX with Forms
  68. Can’t publish post using ajax
  69. Ajax in plugin settings page returns 400 Bad Request
  70. Customizer AJAX using buttons
  71. Can’t trigger an AJAX function with a submit button in the dashboard
  72. AJAX Call is Only Returning 100 Results from Query
  73. How to make custom button link on the WordPress Admin Bar run by AJAX
  74. Ways to load admin-ajax faster without initializing all plugins?
  75. is_single() conditional check inside ajax php function
  76. Why do Metabox use Nonces?
  77. Output multi-steps form results in same page
  78. Full Front End, AJAX comment system and comment reply script
  79. Ajax not working for certain user roles
  80. How to perform a frontend HTTP call with AJAX when plugin save the new settings?
  81. Problem loading ajax in the header
  82. How to detect if the ajax_query_attachments_args was triggered to set the featured image?
  83. WordPress ajax response save into database
  84. Automatically refresh div id every 15 seconds with code snippet from .php file
  85. Zip Files from custom fields
  86. Prevent AJAX caching from plugin
  87. If I leave out the wp_die() in the testiframe function I get the ‘0’ appended to my output. If I put it in, the page w/ iframe linked to it crashes
  88. How to run an ajax call in elementor editor
  89. ERROR while passing data from JS to PHP via AJAX
  90. 400 Bad Request – Post to admin-ajax.php
  91. ajax load more instead of pagination
  92. Ajax call works for logged in users and returns “Bad Request” for guests [duplicate]
  93. On form submitting, admin-ajax.php shows status as pending
  94. Should I edit a user meta field with PUT, PATCH, or POST and WP::Editable
  95. Enqueue dynamically generated javascript
  96. First time doing Ajax with WP, how to do it?
  97. ajax page template
  98. Translating wordpress foreach to ajax
  99. AJAX loading with custom parameters
  100. randomly get 400 error while user is logged in wp_ajax