Is it Ok to restrict Access-Control-Allow-Origin for /wp-json requests?

First of all, this is intentional behaviour, as relayed in a Slack discussion described in this ticket (this has likely been discussed in other places, but that’s the first I found):

tl;dr: CORS is built for CSRF protection, but WordPress already has a
system for that (nonces), so we “disable” CORS as it gets in the way
of alternative authentication schemes

it’s a design decision to expose data from the REST API to all
origins; you should be able to override in plugins easily

So it should be noted that it’s perfectly normal for wp-json/ to be accessible from all origins, and it’s not inherently insecure.

As for your questions:

Is it okay to set restrict the origin in this way?

By modifying your WordPress install itself? Absolutely not. You should never edit WordPress core files. Any changes you make will be overwritten any time WordPress updates, forcing you to make the change again every time, possibly leading you into the very bad practice of maintaining your own fork of WordPress.

If you want to modify core WordPress behaviour yourself, you need to create a plugin, and use the Hooks API to make your changes by removing and replacing actions, or filtering values.

In this case, you’ll notice that the header is sent in the rest_send_cors_headers() function. This function is run by WordPress by hooking it with this line:

add_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );

Which, according to inline documentation is inside a function that is:

Attached to the {@see 'rest_api_init'} action to make testing and disabling these filters easier.

So, if you want to modify rest_send_cors_headers() what you need to to is create a plugin, and inside that plugin copy the rest_send_cors_headers() function to a new function with a different name. Then you want to replace WordPress’ version with yours:

add_action(
    'rest_api_init',
    function() {
        remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
        add_filter( 'rest_pre_serve_request', 'my_new_rest_send_cors_headers' );
    }
);

Where my_new_rest_send_cors_headers() is the name of your new modified version of the function.

What might be the consequences of doing it? Maybe plugins that rely on a header like access-control-allow-origin: * could stop working? Are there such plugins?

Most plugins are unlikely to have issues, as they will be making the requests from the same origin, however you will have issues with two types of plugins that I can think of:

  1. Plugins that work with an external service. That service may want to connect to your website via the REST API, and will be unable to do so if you are only allowing requests from one origin.
  2. Plugins that make requests to your site’s REST API from the server, using curl, or the WordPress HTTP API, without setting the Origin header to your site’s URL. This is pretty unusual and rare, but not impossible.

That last point brings up an important issue: Setting Access-Control-Allow-Origin is not going to protect your data. It is trivial for a server to spoof the origin and make a request to the API and get that data. This header is not an authentication security measure, so if you want to lock down your API from the outside world, this header is not the way to do it.

Related Posts:

  1. How to force JWT auth for default GET endpoints of WordPress rest api?
  2. wp_nonce vs jwt
  3. Is my WordPress site handing out sensitive information/misconfigured?
  4. Securing REST API wp-json/wp/v2/users endpoint
  5. WordPress 4.7.1 REST API still exposing users
  6. How to: Make JWT-authenticated requests to the WordPress API
  7. Why is my custom API endpoint not working?
  8. WordPress REST API validation
  9. Are there server performance benefits to fetching only specific fields when querying the REST API?
  10. How to define a query parameter with REST API?
  11. WordPress Rest API: How do we validate with our custom API key?
  12. Adding WordPress API Endpoint With Multiple Parameters
  13. Basic auth WordPress REST API dilemma
  14. authentication issue with rest api – rest_cannot_create
  15. Match REST API post output from custom endpoint
  16. How to change user avatar using REST API?
  17. rest api authentication
  18. Build on same WordPress or different install?
  19. Testing custom API endpoint with class dependency
  20. How to properly add custom entities in Gutenberg
  21. REST API custom endpoint without authentication for POST method?
  22. CORS & Remote access to WP via RestAPI
  23. Create Session with JWT
  24. Not all featured image sizes available in Rest API
  25. WP API ignores filter parameter
  26. 403 Forbidden with gutenberg
  27. Detect if REST API is running
  28. WordPress REST API – Modify JSON before importing
  29. Using pre_get_posts, how to target the REST API, only?
  30. Save/update post_meta with Gutenberg from the panel
  31. Set featured image using URL with wp rest api
  32. How to block all REST API endpoint except which I wrote custom?
  33. Authentication with internal WP_REST_Request and rest_do_request()
  34. How to use REST API to send user metadata?
  35. Cannot DIsplay a Snackbar Notice on Button Click – Notice is undefined
  36. Use the backbone.js client to save custom post type meta
  37. Override WordPress POST REST API
  38. Custom Post Type and Custom REST API Endpoint result in Gutenberg editor not working
  39. rest_sanitize_value_from_schema doesn’t sanitize string
  40. Erratic OAuth 1.0 Signature Mismatch Errors
  41. Creating a custom endpoint for rest, I see the endpoint exists in the wp-json, but the request is returning 404
  42. WordPress + Vue — Single page app giving me 404s when I use query params
  43. Authentication with the Rest API when using an External Application
  44. No ‘Access-Control-Allow-Origin’ when call rest API
  45. WordPress Rest API custom endpoint for RSS feed
  46. How to add a custom REST field to limit data when fetching?
  47. WordPress JSON data to and from database to be shown on rest point
  48. “No Access-Control-Allow-Origin header is present” even though it is in the entry file
  49. How to Get Featured Image from REST API?
  50. Allow “wp-admin” edit access through headless WP web application
  51. REST API authentication for a plugin
  52. rest api request including meta_query filter
  53. Validate rest-api call on create
  54. Error invalid parameters with REST API
  55. How to get featured image in WP rest api
  56. WordPress REST API rest_comment_invalid_author Sorry, you are not allowed to edit ‘author’ for comments
  57. How to delete user using rest api without reassigning
  58. How to send the body in wp_remote_post as “raw”?
  59. Accessing private posts through REST API, same code that works in remote doesn’t in local
  60. Custom API plugin to execute 3rd party API to retrieve data
  61. REST API and filtering by meta value
  62. Rest API: trouble receiving response through script (browser and Postman display correctly)
  63. Advanced Access Manager: RESTful endpoint to refresh token
  64. Custom Endpoints not working
  65. Is there a way I can fetch the WordPress Developer Code References with an API?
  66. Pull in ALL posts from the last two weeks using Rest API
  67. 403 error when publishing a post in wordpress. Error => Publishing failed. The response is not a valid JSON response
  68. Error message: Response is not a valid JSON response
  69. How to use query parameters, as “_fields”, to filter data inside an array in the REST API?
  70. WordPress server banning IP
  71. Cannot use WordPress Application Passwords: “code”: “rest_no_route” “status”:404 for /wp-json/wp/v2/users/me/application-passwords
  72. Pass multiple tags slug to rest API
  73. Return a WP_REST_Response from an inner function (and not from the root callback)
  74. register_rest_route with method POST but in wp-json/ is showing GET
  75. Rest Api fetching only one random post
  76. WP REST API returns empty posts despite entries in wp_posts
  77. Accessing Custom REST endpoint with rest_do_request()
  78. The REST API encountered an error in wordpress?
  79. Get wordpress post with featured image, category and tag from WordPress API
  80. Do something when publish a post in Gutenberg with hook rest_after_insert_post
  81. Uploading picture via REST API
  82. How to modify the HTML output of Gutenberg block? (Youtube)
  83. Can I use REST API if the site is protected with .htpasswd
  84. REST API and Loopback error
  85. Rest API: Register and Login errors aren’t specific
  86. How can I secure my custom rest api endpoint or add under a already existing rest group
  87. Autotrader API Integration
  88. WordPress RESTAPI – Restrict unknown
  89. WordPress Rest API Error 502
  90. Fix Characters WordPress Ionic App
  91. Accessing secure endpoint with X-WP-Nonce?
  92. Return all custom taxonomy terms for post in REST API v2? Currently limited to 10 terms
  93. Can we use website data which is having wp rest api plugin?
  94. how can I add an URL parameter to a rest route using register_rest_route()?
  95. Is it possible to bulk update a table using WP Rest API?
  96. Rest api request throttling
  97. Script tag in string in wordpress rest api body to create post
  98. Customizer Changeset, Sidebar and Rest API Custom Endpoints
  99. WordPress REST API won’t allow me to filter by author ID when called internally, works externally in Postman
  100. Rest API is running, but /wp-json/wp/v2/ shows only old dates