You shouldn’t pass your nonce to your JavaScript to verify it, since client side scripts can be easily manipulated. Instead, you should get the nonce from your front-end content, and then pass it to server to verify it.
After verification, you should decide to output content by server, not by your JavaScript file.
Something like this:
if ( is_user_logged_in() ) {
if ( wp_verify_nonce($_REQUEST['X-WP-Nonce'], 'wp_rest') {
// Nonce is correct!
} else {
// Don't send the data, it's a trap!
}
}
As a side note, REST API offers its own method to fetch the passed queries. So, you can get it this way in your callback function:
function foobar( \WP_REST_Request $request ) {
$nonce = $request['X-WP-Nonce'];
}
Related Posts:
- Can’t GET draft posts via REST API from headless frontend
- WP REST API – Nonce passes wp_verify_nonce even after logout
- Rest API: wp_verify_nonce() fails despite receiving correct nonce value
- Log in user using WordPress REST API
- wp_nonce vs jwt
- Register rest field authentication with REST API
- How to: Make JWT-authenticated requests to the WordPress API
- WordPress Rest API: How do we validate with our custom API key?
- WordPress REST API call generates nonce twice on every call
- How to Authenticate WP REST API with JWT Authentication using Fetch API
- authentication issue with rest api – rest_cannot_create
- Can I authenticate with both WooCommerce consumer key and JWT?
- How to login to WordPress site using basic authentication HTTP headers?
- Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
- WordPress REST API “rest_authentication_errors” doesn’t work external queries?
- Create Session with JWT
- Full page NGINX (or Cloudflare) caching and WordPress nonces
- WordPress REST API, Expired Nonce from Cache results in 403 forbidden
- Passing a borrowed nonce through Postman fails
- how to send Ajax request in wordpress backend
- permission_callback has no effect
- WP REST API GET Requests require authentication
- current_user_can(‘administrator’) returns false when I’m logged in
- Authenticating with REST API
- Make authorization mandatory on custom routes
- How to force JWT auth for default GET endpoints of WordPress rest api?
- REST API: best place to set current user for JWT auth?
- WordPress + REST API v2 and private pages Load by slug
- REST API authentication for a plugin
- PHP: authenticate for a REST request?
- Rest API basic auth not working
- Authenticate current user to REST API
- Getting 401 from ajax using an application password
- How to connect android app with WordPress website?
- WordPress REST API calls that depend on the WordPress User
- Backbone with custom rest endpoints
- WordPress HTTP API NTLM Authentication
- Advanced Access Manager: RESTful endpoint to refresh token
- Best Authetication between REST API and Mobile App
- How to verify which WordPress user requested the API in ASP .NET Core?
- Secure WordPress API, how?
- register/login api
- How can I secure my custom rest api endpoint or add under a already existing rest group
- REST API Integration without user account?
- WP REST API with Basic Auth at target website
- Cant POST with REST API on WordPress
- REST API – Authentication/Logon security
- Rest API nonce is being cached
- custom REST endpoints and application passwords
- wordpress rest api authentication failed
- How to add additional http header to a wp_error rest response
- Nonce validation in REST API
- Nonce retrieved from the REST API is invalid and different from nonce generated in wp_localize_script
- Extend WordPress (4.x) session and nonce
- Getting user meta data from WP REST API
- Verify nonce in REST API?
- how to authenticate for the REST API from a plugin and from command line
- Increase per_page limit in REST API
- How to build a plugin that supports authenticated POST requests to the REST API from external servers?
- Can’t send emails through REST API
- Adding post fields in wp-json/wp/v2/search
- Unable to get the info of the user which doesn’t have created any post via REST API
- WordPress Gutenberg get page template value when post updated?
- How to update custom meta fields with rest api?
- Rest API invalid nonce with Backbone Client
- Rest API and Custom Fields
- WP Rest API: Get User by Email
- Gutenberg Custom Block Getting All Posts
- Cannot get ‘sanitize_callback’ to work for rest parameters
- Can we assume that /wp-json/ will always be /wp-json/ under any circumstances when creating custom REST routes?
- How to hook into “register_rest_field” to modify the behavior of a custom field?
- Get all PDF files from page with WordPress API
- How to add / embed an author into REST data from a custom post type?
- How to enable the view of revisions of post in WordPress Api for custom post type?
- Problem on creating custom endpoints for REST
- Rest API code to get ID of current user not working: get_current_user_id() gives 0
- New user signup via REST API
- Ho to style post content for WordPress API?
- WP REST API can’t set post tags
- WP API post__not_in is not working
- WordPress REST API V2: how to get list of all posts?
- How to get data from /wp-json/wp/v2/users/me
- WordPress REST API parameters are not affecting a response
- Update meta_value in wp_postmeta using API
- WordPress plugin with CORS
- “Error: cURL error 60: SSL certificate problem: certificate has expired” when create product in WooCommerce via REST API
- How to use WordPress REST api to login a user?
- Wrong encoding of dynamic block properties problem when loggen in as editor
- Need wp rest api for featured video post
- REST api header link href
- WordPress & React Native
- update meta data (like view counter) by rest-api
- Rest API hook ‘rest_insert_post’ not returning request object
- How Can I keep password protected posts in the json requests but not on frontend queries?
- Script tag in string in wordpress rest api body to create post
- Securing REST API wp-json/wp/v2/users endpoint
- Customizer Changeset, Sidebar and Rest API Custom Endpoints
- Isn’t rest_do_request() filtered by pre_get_posts() filter?
- WordPress REST API – Create post not working with 401 response but list posts working
- WordPress Rest Api search limited to 10 results