Pretty vague question, but since I have no idea yet about security, I don't know exactly what to ask.
What I know so far is that if the POST request is also made within WordPress, I can verify it in my custom endpoint using something like wp_nonce. From what I know, it's something that can be generated within WordPress. So my question now is, how do I verify POST requests to my custom REST endpoint that are made outside of WordPress? Or what possible vulnerabilities/security issues, etc. should I watch for?
I've heard about the CORS protection technique, but from what I know that's really easy to circumvent.
Of course, HTTPS.
And you can consider sending along some kind of hash as a password.
Kinda like adding a variable in the URL through $_GET.
https://website.yours/endpoint/98sf787sdyf87r/
Not super secure, of course, but any random request to /endpoint/ would automatically fail.
I think you can use JSON Web Token. I haven't done this myself, but you can see a couple of recommendations at the end of this page:
https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
https://wordpress.org/plugins/wp-rest-api-authentication/ Basic Authentication is simple to setup. Do not use the “hash in the url” method someone suggested – that is not security.
Also sanitise all inputs that you will get. Also, why not AJAX?
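To make the Basic Authentication advice and the "sanitise all inputs" advice concrete, here is an added example (not code from any answer above, and not from the WordPress project itself) of a custom REST endpoint whose `permission_callback` requires an authenticated user with a capability, with input validated and sanitised through the route's `args`. It assumes WordPress 5.6 or later, where Application Passwords are built in and sent as HTTP Basic Auth; the namespace `myplugin/v1`, the route `/submit`, the function name `myplugin_handle_submit` and the `edit_posts` capability are hypothetical names chosen for the example.

```php
<?php
// Added example: a custom WP REST endpoint that only accepts authenticated
// requests. Assumes WordPress 5.6+ (Application Passwords) served over HTTPS.
// Names (myplugin/v1, /submit, myplugin_handle_submit) are hypothetical.

add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/submit', [
        'methods'  => WP_REST_Server::CREATABLE, // POST only
        'callback' => 'myplugin_handle_submit',

        // This is the check that actually protects the endpoint. Before it runs,
        // WordPress has already resolved the current user from either:
        //   - an Authorization: Basic header carrying username + Application
        //     Password (requests made from outside WordPress), or
        //   - the logged-in cookie plus an X-WP-Nonce header created with
        //     wp_create_nonce('wp_rest') (requests made from within WordPress).
        // A request with neither is an anonymous user and fails this check.
        // Never use '__return_true' here for an endpoint that changes state.
        'permission_callback' => function (WP_REST_Request $request) {
            return current_user_can('edit_posts');
        },

        // Declared args are validated and sanitised before the callback runs;
        // a request that fails validate_callback gets a 400 and never reaches
        // myplugin_handle_submit.
        'args' => [
            'title' => [
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ($value) {
                    return is_string($value) && strlen($value) <= 200;
                },
            ],
            'count' => [
                'required'          => false,
                'type'              => 'integer',
                'default'           => 1,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ($value) {
                    return is_numeric($value) && (int) $value >= 1 && (int) $value <= 100;
                },
            ],
        ],
    ]);
});

function myplugin_handle_submit(WP_REST_Request $request) {
    // Both values have already passed validate_callback and sanitize_callback.
    $title = $request->get_param('title');
    $count = $request->get_param('count');

    // Do the actual work here (e.g. wp_insert_post) on behalf of the
    // authenticated user; get_current_user_id() is non-zero at this point.
    return new WP_REST_Response([
        'ok'      => true,
        'user_id' => get_current_user_id(),
        'title'   => $title,
        'count'   => $count,
    ], 200);
}
```

A client outside WordPress calls it with an Application Password generated on the user's profile page, sent as Basic Auth over HTTPS: `curl -u 'alice:xxxx xxxx xxxx xxxx xxxx xxxx' -X POST https://example.com/wp-json/myplugin/v1/submit -d 'title=hello'` (the password shown is a placeholder). Without the `-u` credentials the same request gets a 401 from `permission_callback`, which is the behaviour the "hash in the URL" approach tries to approximate without the revocation, per-user identity and capability checks that WordPress already provides.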