Title: REST API – CSRF
Last modified: March 28, 2022

---

# REST API – CSRF

 *  [Alan Fuller](https://wordpress.org/support/users/alanfuller/)
 * (@alanfuller)
 * [4 years, 2 months ago](https://wordpress.org/support/topic/rest-api-csrf/)
 * Hi,
 * I want to build an endpoint but restrict the front end to the originating site,
   because the back end is accessing an ‘expensive’ API.
 * I read this [https://developer.wordpress.org/rest-api/frequently-asked-questions/#why-is-the-rest-api-not-verifying-the-incoming-origin-header-does-this-expose-my-site-to-csrf-attacks](https://developer.wordpress.org/rest-api/frequently-asked-questions/#why-is-the-rest-api-not-verifying-the-incoming-origin-header-does-this-expose-my-site-to-csrf-attacks)
 * Can anyone elaborate on
 * >  but if you wish to prevent your site from being accessed from unknown origins
   > you may unhook the default rest_send_cors_headers function from the rest_pre_serve_request
   > filter hook, then hook in your own function to that same filter to specify 
   > stricter CORS headers.
 * TIA
    -  This topic was modified 4 years, 2 months ago by [Alan Fuller](https://wordpress.org/support/users/alanfuller/).
      Reason: wrong url
    -  This topic was modified 4 years, 2 months ago by [Alan Fuller](https://wordpress.org/support/users/alanfuller/).
      Reason: right url to doc
    -  This topic was modified 4 years, 2 months ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Vijay Hardaha](https://wordpress.org/support/users/vijayhardaha/)
 * (@vijayhardaha)
 * [4 years, 2 months ago](https://wordpress.org/support/topic/rest-api-csrf/#post-15503004)
 * Sorry, I might be wrong in understanding your question,
   but those just state that
   if you want to allow only a specific origin then you’ll have to unhook the default
   CORS header function, then add your custom CORS header function on the same hook.
 * Here is some ref. I found for example
    [https://gist.github.com/miya0001/d6508b9ba52df5aedc78fca186ff6088](https://gist.github.com/miya0001/d6508b9ba52df5aedc78fca186ff6088)
   [https://github.com/WP-API/WP-API/issues/2844#issuecomment-275930957](https://github.com/WP-API/WP-API/issues/2844#issuecomment-275930957)
   [https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/](https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/)
   [https://developer.wordpress.org/reference/functions/rest_send_cors_headers/](https://developer.wordpress.org/reference/functions/rest_send_cors_headers/)
 *  Thread Starter [Alan Fuller](https://wordpress.org/support/users/alanfuller/)
 * (@alanfuller)
 * [4 years, 2 months ago](https://wordpress.org/support/topic/rest-api-csrf/#post-15503169)
 * Hi Vijay,
 * Really my question now is in two parts – if I use
 *     ```
       remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
       	add_filter( 'rest_pre_serve_request', function( $value ) {
       ```
   
 * Then it looks like that applies to all WP REST API endpoints. Is that right?
   As I only want it to apply to my custom endpoint.
 * This article [https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/](https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/)
 * says
 * > That said, keep in mind that the class WP_REST_Response, which should be used
   > for all responses, also gives you the ability to add headers. Any headers unique
   > to a request should be set there.
 * But now I’m thinking that setting headers is not the right approach anyway and
   I should use nonces from the front end to the back end to restrict access to the
   endpoint – what do you think?
 *  [Vijay Hardaha](https://wordpress.org/support/users/vijayhardaha/)
 * (@vijayhardaha)
 * [4 years, 2 months ago](https://wordpress.org/support/topic/rest-api-csrf/#post-15503224)
 * You can go with a `nonce`, or maybe, using `$request->get_route()`, you can compare
   the route and then apply custom headers. But you’ll have to remove the existing hook;
   then the new hook function will have to take 3 args, compare the route,
   and if it matches set your new headers, otherwise set the original headers
   again from the existing function that we unhooked before.
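The route-aware CORS hook described in the reply above, together with the nonce check the thread starter was leaning toward, as an added example (not code from this thread or from WordPress core). The route `/myplugin/v1/expensive`, the origin `https://example.com`, the header name `X-MyPlugin-Nonce` and the handler `myplugin_expensive_handler` are assumed placeholders.

```php
<?php
// Added example (not from the thread or WordPress core): CORS headers applied
// only to one custom route, with core's default behaviour kept for all other
// routes, plus a nonce check on the route itself. Route, origin and header
// name below are assumed placeholder values.

define( 'MYPLUGIN_ROUTE', '/myplugin/v1/expensive' ); // assumed custom route
define( 'MYPLUGIN_ORIGIN', 'https://example.com' );   // assumed front-end origin

// 1. Unhook core's permissive CORS handler and replace it with a route-aware one.
//    The filter passes ( $served, $result, $request, $server ), so ask for 4 args
//    at the same priority (10) as the function being removed.
remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
add_filter( 'rest_pre_serve_request', 'myplugin_cors_headers', 10, 4 );

function myplugin_cors_headers( $served, $result, $request, $server ) {
    // Any other route: behave exactly as the unhooked core function did.
    if ( $request->get_route() !== MYPLUGIN_ROUTE ) {
        return rest_send_cors_headers( $served );
    }
    // Our route: only the trusted origin gets CORS headers; every other origin
    // gets none, so browsers refuse to hand the response to cross-origin scripts.
    if ( get_http_origin() === MYPLUGIN_ORIGIN ) {
        header( 'Access-Control-Allow-Origin: ' . MYPLUGIN_ORIGIN );
        header( 'Access-Control-Allow-Methods: GET, OPTIONS' );
        header( 'Vary: Origin', false );
    }
    return $served;
}

// 2. CORS only governs browsers; the permission_callback is what actually gates
//    the expensive back-end call. The front end sends
//    wp_create_nonce( 'myplugin_expensive' ) in the X-MyPlugin-Nonce header
//    (assumed header name); WP_REST_Request canonicalises it to x_myplugin_nonce.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/expensive', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_expensive_handler', // assumed, defined elsewhere
        'permission_callback' => function ( WP_REST_Request $request ) {
            $nonce = $request->get_header( 'x_myplugin_nonce' );
            return (bool) wp_verify_nonce( $nonce, 'myplugin_expensive' );
        },
    ) );
} );
```

A request that fails the nonce check is rejected by the REST server before the callback runs, whatever Origin it carries.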

The topic ‘REST API – CSRF’ is closed to new replies.

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 3 replies
 * 2 participants
 * Last reply from: [Vijay Hardaha](https://wordpress.org/support/users/vijayhardaha/)
 * Last activity: [4 years, 2 months ago](https://wordpress.org/support/topic/rest-api-csrf/#post-15503224)
 * Status: not resolved