How to secure custom REST API endpoints in WordPress?

// Frontend
/**
 * Return the CSRF token bound to the current PHP session, creating it on first use.
 *
 * The token lives in $_SESSION['csrf_token'] and is reused for the whole session.
 * A new one comes from wp_generate_password( 32, false ): 32 characters with the
 * special-character set switched off.
 *
 * NOTE(review): this relies on native PHP sessions, which WordPress core does not
 * use. session_start() has to run before any output is sent, and session cookies
 * can interfere with full-page caching. Confirm this fits the site, or compare
 * with the built-in nonce API (wp_create_nonce() / wp_verify_nonce()).
 *
 * @return string The session's CSRF token.
 */
function generate_csrf_token() {
    // Same truthiness test as `!session_id()`: an empty id means no session yet.
    $has_session = (bool) session_id();
    if ( false === $has_session ) {
        session_start();
    }

    // Reuse the token already issued for this session.
    if ( isset( $_SESSION['csrf_token'] ) ) {
        return $_SESSION['csrf_token'];
    }

    $fresh_token            = wp_generate_password( 32, false );
    $_SESSION['csrf_token'] = $fresh_token;

    return $fresh_token;
}

// Fetch (or lazily create) the session token. Do this before any markup is
// printed, because generate_csrf_token() may still have to start the session.
$csrf_token = generate_csrf_token();

<?php
// Hand the token to front-end scripts as a JS constant; esc_js() escapes it for
// use inside the double-quoted string literal.
printf( '<script>const csrf_token = "%s";</script>', esc_js( $csrf_token ) );
?>

or

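<?php // esc_attr() escapes the token for the value="" attribute; type="hidden" replaces a text input carrying the `hidden` attribute. ?>
<?php // NOTE(review): this field posts as `csrf`, while the REST handler reads `csrf_token`; confirm which name the submit code sends. ?>
<input type="hidden" id="csrf" name="csrf" value="<?php echo esc_attr( $csrf_token ); ?>">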


// Backend
// If you are using ajax form submission
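// The token is sent as `csrf_token`, the parameter name the REST handler reads
// with $request->get_param('csrf_token'); under the previous key `token` the
// handler never received it.
// NOTE(review): with method 'GET' jQuery appends `data` to the URL query string,
// so the token can end up in server logs and browser history. Confirm the
// endpoint is read-only, or send state-changing requests as POST.
$.ajax({
    url: trailerhire_ajax.ajax_url,
    method: 'GET',
    data: {
        trailer_id: product_id,
        csrf_token: csrf_token,
    },
    // … remaining $.ajax options (callbacks, closing braces) are not shown on the page …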


// Verify token
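   /**
    * REST callback guard: reject requests whose CSRF token does not match the session.
    *
    * Reads the `csrf_token` request parameter and compares it with
    * $_SESSION['csrf_token']. The success path returns nothing in this excerpt;
    * the endpoint's real work is not shown on the page.
    *
    * Fixes over the original: the comparison used an undefined `$token` variable
    * (so the check could never pass), and used `!==`, which is not a constant-time
    * comparison for secrets.
    *
    * NOTE(review): a CSRF token is not authentication or authorization. REST
    * routes normally enforce access in a `permission_callback`, and WordPress has
    * its own request-forgery check for cookie-authenticated REST calls (a
    * `wp_rest` nonce sent in the `X-WP-Nonce` header). Confirm how this route is
    * registered before relying on the session token alone.
    *
    * @param WP_REST_Request $request Incoming REST request.
    * @return WP_Error|null WP_Error with HTTP status 403 when the token is missing or wrong.
    */
   public function handle_custom_endpoint( WP_REST_Request $request ) {
       // The expected token lives in the PHP session, so make sure one is open.
       if ( ! session_id() ) {
           session_start();
       }

       $csrf_token = $request->get_param( 'csrf_token' );
       $expected   = isset( $_SESSION['csrf_token'] ) ? $_SESSION['csrf_token'] : null;

       // Fail closed: both values must be non-empty strings. hash_equals() then
       // compares them without leaking the mismatch position through timing.
       if (
           ! is_string( $expected )
           || '' === $expected
           || ! is_string( $csrf_token )
           || ! hash_equals( $expected, $csrf_token )
       ) {
           return new WP_Error( 'invalid_token', 'Invalid token', array( 'status' => 403 ) );
       }
   }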