Secure Redirection from a Plugin with Dynamic wordpress Site URL | ww.wp.xz.cn

davidfull
(@davidfull)

1 year, 5 months ago

Hello WordPress Community,

We have a Setmore plugin published on the WordPress marketplace, and we’ve encountered an issue regarding the security of the signup process for our app.

The signup URL for our plugin includes a redirectUrl parameter that dynamically incorporates the siteUrl, which is unique to each WordPress installation.

Our concern is that since the siteUrl is dynamic and unique to each installation, it’s not possible to whitelist specific domains for the redirection in the Setmore backend. We are looking for a more secure method to send and process the redirectUrl parameter to ensure a safe redirection process after signup.

We would appreciate any guidance on how to handle this securely, or if there are alternative methods available to ensure that the redirection is verified and protected.

Has anyone faced a similar challenge or have suggestions on how to address this securely?

Viewing 1 replies (of 1 total)

Moderator bcworkz
(@bcworkz)

1 year, 5 months ago

The value returned by get_site_url() is true and secure within the WP environment. You could set up an API route that sends this value back to your app upon request. Then the issue is to how to secure an API response. Use the same techniques you’d use for any HTTPS communication. Exchanges should involve some sort of security token ensuring the data within is true and accurate. Some sort of nonce scheme might be adequate. Note that WP nonces are not true nonces since they can be used multiple times. You may want to implement true nonces that can only be used once. For even greater security, consider using JWT or oAuth schemes.

Viewing 1 replies (of 1 total)

The topic ‘Secure Redirection from a Plugin with Dynamic wordpress Site URL’ is closed to new replies.

Tags

In: Developing with WordPress
1 reply
2 participants
Last reply from: bcworkz
Last activity: 1 year, 5 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics