• I am coding a plugin that allows logged-in authors to edit data in a widget area on the front-end using AJAX.

    I basically have it working, however the example my code is based on (from the Lynda.com tutorials) does not use a NONCE when submitting data from the form to WP using AJAX.

    Is a NONCE not necessary when using AJAX? Or is it best practice to always use a NONCE when submitting data?

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

A nonce should always be used so the server knows the request is legitimate and not from some bad actor. That’s my opinion; it is the most conservative take. There may be situations where it’s not absolutely required. I’m no security expert, and I don’t want to be the one to decide not to use a nonce, so I use them everywhere. Once it’s set up in your basic AJAX code template, you don’t even need to think about it; it’s just there and it’s handled.

The WP implementation is not a true nonce; it can be used more than once. For critical applications, I suggest folks develop a true nonce routine where, once used, the nonce is useless.
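To show what the reply describes in working code, here is an added example (not the tutorial's code and not the moderator's) of a front-end AJAX save for logged-in users that carries a WordPress nonce, verifies it with check_ajax_referer(), adds a capability check (a nonce proves the request came from a page WP rendered for that user, not that the user is allowed to do the action), and layers a single-use token on top for the "true nonce" case. The plugin name, the wae_ prefix, the wae_save_widget action, the option name and the form element IDs are all assumptions for illustration.

```php
<?php
/*
Plugin Name: Widget Area AJAX Editor (added example, hypothetical names)
*/

// Front end: register a script handle with no file so the client code can be inlined here.
add_action( 'wp_enqueue_scripts', 'wae_enqueue' );
function wae_enqueue() {
    if ( ! is_user_logged_in() ) {
        return; // anonymous visitors get no editor and no nonce
    }
    wp_register_script( 'wae-editor', false, array( 'jquery' ), '1.0', true );
    wp_enqueue_script( 'wae-editor' );

    // wp_create_nonce() ties the value to the current user and session and it stays
    // valid for up to 24 hours, so the same nonce can be submitted many times.
    wp_localize_script( 'wae-editor', 'waeData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wae_save_widget' ),
        'token'   => wae_issue_token(), // single-use token, see below
    ) );

    $js = <<<'JS'
jQuery(function ($) {
  $('#wae-form').on('submit', function (e) {
    e.preventDefault();
    $.post(waeData.ajaxUrl, {
      action: 'wae_save_widget',   // selects the wp_ajax_wae_save_widget hook
      nonce:  waeData.nonce,       // checked by check_ajax_referer()
      token:  waeData.token,       // burned on first use
      text:   $('#wae-text').val()
    }, function (res) {
      if (res.success) { waeData.token = res.data.token; } // rotate for the next save
    });
  });
});
JS;
    wp_add_inline_script( 'wae-editor', $js );
}

// Only the logged-in hook is registered; there is deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_wae_save_widget', 'wae_save_widget' );
function wae_save_widget() {
    // 1. CSRF check: 'wae_save_widget' is the nonce action, 'nonce' the POST field.
    //    On failure this sends "-1" with HTTP 403 and stops execution.
    check_ajax_referer( 'wae_save_widget', 'nonce' );

    // 2. Authorization check: the nonce says nothing about what the user may do.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Replay check: the token from the page is valid exactly once.
    $token = isset( $_POST['token'] ) ? (string) $_POST['token'] : '';
    if ( ! wae_consume_token( $token ) ) {
        wp_send_json_error( 'stale or reused token', 403 );
    }

    // 4. Only now touch data; sanitize before storing.
    $text = isset( $_POST['text'] ) ? wp_kses_post( wp_unslash( $_POST['text'] ) ) : '';
    update_option( 'wae_widget_text', $text );

    // Hand the client a fresh token so it can save again without a page reload.
    wp_send_json_success( array( 'token' => wae_issue_token() ) );
}

// Single-use token: random value stored server-side, bound to the user, deleted on use.
function wae_issue_token() {
    $token = wp_generate_password( 32, false ); // 32 random alphanumeric characters
    set_transient( 'wae_tok_' . $token, get_current_user_id(), 10 * MINUTE_IN_SECONDS );
    return $token;
}

function wae_consume_token( $token ) {
    $key = 'wae_tok_' . preg_replace( '/[^A-Za-z0-9]/', '', $token );
    $uid = get_transient( $key );
    if ( false === $uid || (int) $uid !== get_current_user_id() ) {
        return false; // unknown, expired, or issued to a different user
    }
    delete_transient( $key ); // a second submit with the same token fails above
    return true;
}
```

The nonce and the single-use token answer different questions: the nonce stops a third-party page from making the logged-in author's browser submit the form (CSRF), the capability check stops a logged-in user without edit rights, and the burned token stops a captured request from being replayed. Note that get_transient() followed by delete_transient() is not atomic, so two requests racing with the same token can both pass on a busy site; a persistent object cache with an atomic delete, or a database row with a conditional UPDATE, closes that gap if it matters for your use case.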

  • The topic ‘AJAX best practices’ is closed to new replies.