Hey! Ryan here from WPScan. Great video. Just something to note that wasn't mentioned is that Chrome and other browsers will soon be enabling "SameSite=Lax" cookies by default, which will prevent most CSRF attacks in modern web browsers, when they implement it by default. Nonces should absolutely still be used of course, but the risk of a CSRF attack should also be reduced when web browsers implement SameSite by default.
How to get a nonce for headless WordPress? A custom endpoint, i.e. with the REST API? And if yes, then should we secure the nonce endpoint by checking something like current_user_can(), or should we just let it be without any checks?
What happens if a user opens this form while not logged in, then logs in in another tab, returns to the first tab and submits the form? A nonce error happens. Why? How to deal with that situation?
I don't understand it. Because the nonce field is a hidden field. Even when a bot submits the request, isset still returns true and the query gets executed. ????
Note that the nonces are unique to the current user's session, so if a user logs in or out asynchronously any nonces on the page will no longer be valid. codex.wordpress.org/WordPress_Nonces
Nonces are to stop replay attacks; they help ensure that a request was made from a valid source, that the request is run only once, and that the primed request can expire if the user fails to submit. Nonces are basically useless on forms that don't require user authentication.
Always love how you dig deeper into WP more than the average channel! Check out the function check_ajax_referer() (developer.wordpress.org/reference/functions/check_ajax_referer/). It pretty much does what you built, but with a simple function call. It's super handy.
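One way to see the difference the comments above are pointing at (isset() is not a check, nonces are tied to the user's session, and check_ajax_referer() wraps the verification), as an added PHP example that is not from the video or any commenter; the demo_ function names and the 'demo_save_note' action are made up and assume the code runs inside a WordPress plugin:

```php
<?php
// Added example (not from the video or any commenter): a form handler showing
// why isset() alone is not a CSRF check and how WordPress nonces are verified.
// Assumed to run inside a WordPress plugin; 'demo_save_note' is a made-up action.

// 1. Render the form: wp_nonce_field() emits the hidden nonce input (plus a referer field).
function demo_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_save_note', 'demo_nonce' ); ?>
        <textarea name="note"></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2a. The check from the comment above: this only proves the field is present.
//     Any forged request (a bot, or a cross-site form) can include the field too.
function demo_handle_insecure() {
    if ( isset( $_POST['demo_nonce'] ) ) {
        // ... the query would run for any request that carries the field
    }
}

// 2b. Correct: verify the nonce VALUE against the action. WordPress derives the
//     nonce from the action, the current user ID, the session token and a time
//     tick, so a nonce minted for an anonymous visitor stops validating once that
//     visitor logs in (the "logged in in another tab" question above).
function demo_handle_secure() {
    $nonce = isset( $_POST['demo_nonce'] ) ? $_POST['demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_save_note' ) ) { // returns 1, 2 or false
        wp_die( 'Security check failed. Reload the form and try again.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'edit_posts' ) ) { // a nonce is not an authorization check
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // ... safe to run the query now
}

// 3. AJAX: check_ajax_referer() performs the same verification for admin-ajax.php
//    requests and, by default, terminates with -1 when it fails.
function demo_ajax_handler() {
    check_ajax_referer( 'demo_save_note', 'security' ); // reads $_REQUEST['security']
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_demo_save_note', 'demo_ajax_handler' );
```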
Let's chat on Twitter! twitter.com/AlexanderBYoung
Simple. Clear. I can't stand tutorials which are too complex; they confuse more than help. Keep it simple, and you did. Thank you.
I'm a lot closer to wrapping my head around nonces than I was before - thank you! Looking forward to digging through your other videos.
Great format with you facing diagonally. Best format I've seen for screencast videos.
Great to see your video after a long time.
Could you explain how to use a nonce with cached form pages? I want to serve the form page from a static cache
Perhaps best to just exclude that page from caching?
Thank you so much!
Thank you!
Great stuff!
nice! Thank you very much
People in the UK reading the title like -.-
Hello, what are you using for bundling JS?
I actually wasn't bundling it. I was just using the browser-supported ES6 :)
Super useful
Thanks!
No nonce jokes😮 I'm obviously in the wrong place
1st like :-)
🎉 woot!
Noooonce
It's not useful.... it is very useful....:) Thanks
Glad to hear that!