• Hi,

    I’m building a React-powered web app using the WordPress REST API and GatsbyJS. The client is making the REST API requests.

    Is there a way to restrict access to the REST API while still being able to use the REST API on my website?
    I’d like to make sure that someone can’t use the REST API endpoints to either scrape the data from my website or use the REST API REQUEST METHODS: POST, PUT, DELETE to edit/delete the content on my site.

    • This topic was modified 7 years, 3 months ago by Cristian.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator t-p

    (@t-p)

    Thread Starter Cristian

    (@crosescu)

    @t-p Thanks for the suggestion but I don’t want to disable the REST API as my web app is actually using it

    Moderator bcworkz

    (@bcworkz)

    Use the ‘rest_authentication_errors’ filter to check a nonce or some sort of token sent by your app. Return null to pass the request on to the normal authentication if required. Return a WP_Error object to reject the request. AFAIK this filter is used even for requests not requiring authentication. Untested for your situation, but it looks promising.

    Thread Starter Cristian

    (@crosescu)

    @bcworkz How can I generate a nonce from the front-end using React and will the WP REST API recognize that nonce?

    Moderator bcworkz

    (@bcworkz)

    You could hash some data that is known to both apps. Timestamps should be included, but you don’t want to get too granular with that if clocks cannot be synched. WP uses wp_create_nonce() and wp_verify_nonce(). Look at the source for ideas. WP sends the nonce out with the initial form to be spit back in the submit. If that works for your process you can use native WP functions. The WP version is not a true nonce because it can be used multiple times in a time period. True nonces become invalid once they are used. In general, the use of nonces in WP do not require a rigorous true nonce. If one needs that level of security, they need to develop their own nonce system.

    WP REST does not recognize nonces itself, you build the check into your authentication errors filter callback. Nonces were the obvious example that came to mind in my last post. Depending on your needs, it may be overkill. For example, you might choose to merely restrict by user or role capability.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Restrict REST API access’ is closed to new replies.