apiFetch security

This all works perfectly, but it seems too easy. Should I be passing a nonce along somewhere?

No

It seems like apiFetch has some middlewares that include a nonce – is this all done for us by default?

Yes.

If your endpoint requires a nonce and apiFetch did not provide it, then apiFetch would not work. Authenticated endpoints using cookie based auth require nonces.

Remember, the REST API authentication and security is server side. apiFetch is client side. apiFetch cannot magically bypass the server side checks unless you deliberately added such a bypass. If you had, you would know about it and you would not have asked this question, as that would require a considerable amount of effort and intention to do.

There are security issues here, but they are unrelated to apiFetch. The use of apiFetch has not reduced your security.

Related Posts:

  1. Does something like is_rest() exist
  2. REST API purpose?
  3. Get post count in wp rest API v2 and get all categories
  4. WP REST API — How to change HTTP Response status code?
  5. wp_get_current_user() function not working in Rest API callback function
  6. Search WP API using the post title
  7. Displaying a page built with Elementor using the REST API [closed]
  8. Understanding SHORTINIT with WordPress 5
  9. Does pre_get_posts affect REST API responses?
  10. Get blog title with REST v2
  11. Is it possible to nest the JSON result of WordPress REST API?
  12. Filter post_content before loading in Gutenberg editor
  13. Trying to get an api request getting error 404
  14. rest_post_query on multiple post types?
  15. Wp Rest Api Custom Endpoint for page subpages
  16. How should an old API version be deprecated gracefully?
  17. Full page NGINX (or Cloudflare) caching and WordPress nonces
  18. How add meta fields to a user with the wp-api?
  19. WordPress Rest API response
  20. WP 5.5 Fatal Error – get_rest_controller() in rest-api.php
  21. REST API GET users
  22. Why does AWStats show /wp-json* as Viewed URLs
  23. Display post title from WordPress excluding a string via API
  24. WP_REMOTE_POST Requests are being blocked by API provider [closed]
  25. wp_get_object_terms() returns invalid taxonomy inside rest_api_init hook
  26. Updating link on page via REST api
  27. Authenticating with REST API
  28. Make authorization mandatory on custom routes
  29. How to order WordPress Rest API data
  30. WP Rest API – How to convert embedded to json object in Java [closed]
  31. Why the Path is different with the one coded in rest
  32. WP REST API – Nonce passes wp_verify_nonce even after logout
  33. wp-cli command throws error : “SSL routines:tls_process_server_certificate:certificate verify failed” while querying https website
  34. Setting maintenance mode via REST API
  35. How to receive data by http POST request
  36. how to avoid timeouts with remote API requests?
  37. rest_api_init is run on every rest call to endpoint
  38. Notify Jenkins of new post on WordPress
  39. WP-REST create user with custom meta
  40. receive a custom parameter with rest api
  41. If I use WordPress REST API V2 and someone makes an app using it. Will my site count the posts views from the APP? And if not, then how?
  42. How to store and return json in a (custom) post meta field
  43. Sorry, you are not allowed to list users
  44. Get a remote post ID via API given URL
  45. Core function to check if a rest namespace exists
  46. How to change the date and time in REST API for comments?
  47. Rest API V2 custom post type. I only need the title and link
  48. Retriving all users with REST API not working
  49. Is there a way to download only the Rest API part of WordPress?
  50. Custom WP API endpoint NULL body data
  51. WordPress HTTP API NTLM Authentication
  52. What is an endpoint for custom post type comments in REST API?
  53. How would I know if my system using REST api or not?
  54. WordPress custom REST API: How to validate input data by many context?
  55. Authenticate rest API except for contact-form-7
  56. How to access wordpress menu & submenu item through the REST API?
  57. How to display relations via wordpress Rest API
  58. WordPress Rest API- Allow creation of users with identical email addresses when only using rest api
  59. Inspecting WP_Rest_Request
  60. WP Rest_API- Post request for images returns empty
  61. WordPress API fields modification
  62. DELETE request using WP REST API
  63. wp_insert_post function and automatic trashing posts once is no longer in API
  64. Fetching WordPress Private Posts, Public Posts Via Default REST API Endpoint
  65. How to deliver webp format of images to WP REST API
  66. register/login api
  67. WP Rest API in Android studio does not show Images
  68. Got Blank issue for get data from /wp-json/v2/post
  69. How do i POST to WordPress rest API from the same domain?
  70. WP API file_get_contents return TTP request failed! HTTP/1.1 401 Unauthorized
  71. WordPress improve REST API – SHORTINIT not work
  72. Not able to delete media by REST API
  73. Update membership level via API request if using simple membership plugin
  74. Need to get user data via API
  75. REST API retrieving posts from www.sitename.com/category/news/ instead of just just from www.sitename.com
  76. REST API get featured image source for custom post type
  77. Custom rest API route not passing data along
  78. Rest API encoding of double quotes
  79. view counter update in WordPress REST api HTTP get
  80. How to filter wp-json/wp/v2/users response on custom metas?
  81. Paid membership Pro Rest API
  82. Trouble Commenting via the WP REST API using nonces
  83. wp_query json ouput
  84. GET request for media files in WP REST API 2 results in an empty array
  85. Fatal error: Call to undefined function register_rest_route()
  86. WordPress REST API not displaying all information
  87. Create a new page on front page for logged in user
  88. API wp-json/wp/v2/pages/ returns a different result if page is specified
  89. Getting current core version from an WordPress installation
  90. Get custom data from the user REST API endpoint
  91. Custom rest api endpoint response json problem
  92. How to block external access to register_rest_route callback?
  93. Filter output of posts (Rest API)
  94. JS WordPress API fetch no response headers
  95. WordPress Application Passwords not authorizing
  96. Rest API nonce is being cached
  97. WordPress custom endpoint returns Security violated
  98. custom REST endpoints and application passwords
  99. Hide custom posts from certain taxonomy in rest api
  100. Creating Application Password using REST API results in 401 regardless of JWT token