Support » Developing with WordPress » Hiding the new endpoint register_rest_route

  • How can I hide any new custom endpoint I created using register_rest_route?

    I don’t want to use permission_callback if this work only with cookies, since I want to use basic authentication.

    • This topic was modified 2 years, 11 months ago by .
Viewing 1 replies (of 1 total)
  • Moderator bcworkz


    You should be able to alter any API response with the “rest_post_dispatch” filter. Check the third passed parameter ($request) to ensure you are altering a discovery request. I should add that hiding a route cannot be considered adequate security. Security should work whether an attacker knows how to access a resource or not. Your security should be adequate through authentication and permissions alone. I’m not saying don’t hide your route, only don’t rely on obscurity for security.

    If your permission callback simply returns true no matter what, authentication is completely dependent on your chosen method, be it basic, cookie, oAuth, etc. You can supply “__return_true” as the permission callback function.

Viewing 1 replies (of 1 total)
  • The topic ‘Hiding the new endpoint register_rest_route’ is closed to new replies.