You shouldn’t pass your nonce to your JavaScript to verify it, since client-side scripts can be easily manipulated. Instead, you should get the nonce from your front-end content, and then pass it to the server to verify it.
After verification, the server should decide whether to output the content, not your JavaScript file.
Something like this:
if ( is_user_logged_in() ) {
    // Closing parenthesis was missing here; the nonce is read with a default so an
    // absent value fails verification instead of raising a notice.
    if ( wp_verify_nonce( $_REQUEST['X-WP-Nonce'] ?? '', 'wp_rest' ) ) {
        // Nonce is correct!
    } else {
        // Don't send the data, it's a trap!
    }
}
As a side note, the REST API offers its own method to fetch the passed queries. So, you can get it this way in your callback function:
function foobar( \WP_REST_Request $request ) {
    // Array access returns request parameters (query string, body, JSON);
    // for the X-WP-Nonce HTTP header itself use $request->get_header( 'X-WP-Nonce' ).
    $nonce = $request['X-WP-Nonce'];
}
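The pattern described in this answer, put together as a complete custom route. This is an added example, not code from the original answer or from WordPress itself: the nonce is created on the server, handed to the front end, sent back with the request, and verified in the route's `permission_callback`, so the server alone decides whether the callback runs. The namespace `example/v1`, the route `/secret`, the script handle and all function names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original answer). Namespace, route, handle and
// function names are assumed for illustration.

// 1. Hand the nonce to the front end. wp_create_nonce( 'wp_rest' ) is the action
//    WordPress core expects for REST requests authenticated by cookie.
function example_enqueue_client() {
    wp_enqueue_script( 'example-client', plugins_url( 'client.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script(
        'example-client',
        'exampleApi',
        array(
            'root'  => esc_url_raw( rest_url( 'example/v1/secret' ) ),
            'nonce' => wp_create_nonce( 'wp_rest' ),
        )
    );
    // The client then sends it back, e.g. fetch( exampleApi.root, {
    //   credentials: 'same-origin', headers: { 'X-WP-Nonce': exampleApi.nonce } } )
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_client' );

// 2. Register the route. Every route should declare a permission_callback;
//    that is where the server-side decision belongs.
function example_register_route() {
    register_rest_route(
        'example/v1',
        '/secret',
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_secret_callback',
            'permission_callback' => 'example_secret_permission',
        )
    );
}
add_action( 'rest_api_init', 'example_register_route' );

// 3. Verify the nonce on the server. Accept it from the X-WP-Nonce header or,
//    as a fallback, from a _wpnonce request parameter.
function example_secret_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        $nonce = $request->get_param( '_wpnonce' );
    }

    if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        // Wrong, expired or missing nonce: refuse before the callback is reached.
        return new WP_Error( 'rest_invalid_nonce', 'Nonce verification failed.', array( 'status' => 403 ) );
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You must be logged in.', array( 'status' => 401 ) );
    }

    return true;
}

// 4. The callback only runs after the permission check passed, so whatever it
//    returns is content the server has decided to release.
function example_secret_callback( WP_REST_Request $request ) {
    $user = wp_get_current_user();
    return rest_ensure_response(
        array(
            'user_id' => $user->ID,
            'message' => 'Server-side check passed.',
        )
    );
}
```

Two points worth knowing when using this: WordPress core already runs the same `wp_verify_nonce( $nonce, 'wp_rest' )` check on the `X-WP-Nonce` header (or `_wpnonce` parameter) during cookie authentication, and a request that carries no nonce at all is treated as unauthenticated rather than rejected, which is why the `permission_callback` must still require a logged-in user. Returning a `WP_Error` with a `status` key from the permission callback is what produces the 401/403 response the client sees.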