• Resolved Neverlands

    (@neverlands)


    I’m using the “Real Cookie Banner” plugin, which relies on REST API endpoints to save user consent decisions. I’ve explicitly added the plugin to the REST API whitelist in the AIOS firewall settings (e.g. real-cookie-banner).

    However, the consent-saving POST request still gets blocked with a 403 Forbidden unless the REST API is fully enabled again. This happens even though the plugin is listed as allowed.

    Here’s the request in question (or a typical example):
    /wp-json/wlgo-iqqrli-fbqrhx/a1/0f76d6cc73441e3d6/consent?_method=POST&_v=5.2.10&_locale=user

    This leads to two concerns:

    – The REST API whitelist doesn’t seem to apply reliably, possibly because the request uses a hash-based namespace or anonymous user context
    – Query parameters like _method=POST, _v, or _locale=user might be triggering internal string filters or 6G rules (e.g. method override detection)

    In any case, it means the plugin can’t function properly unless I fully disable REST API restrictions, which isn’t ideal from a security perspective.

    Could you clarify under which conditions the REST API whitelist actually applies?
    And is there a way to allow only specific endpoints (like the consent route) without exposing the full API?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @neverlands,

Here, if you have whitelisted real-cookie-banner, the request endpoint should be /wp-json/real-cookie-banner/, not /wp-json/wlgo-iqqrli-fbqrhx/a1…

So, we need to check whether that request is due to the Real Cookie Banner plugin or not. I will create an internal ticket for this.

Right now, if you disable “Disallow unauthorized REST requests” and it works, then it is not a 6G firewall rule issue. You can whitelist from the available endpoint namespace list, not a particular route.

    Regards

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @neverlands,

Can you please add the following to the theme’s functions.php? It should allow the randomly generated route used by the Real Cookie Banner plugin.

    add_filter( 'aios_whitelisted_rest_routes', function( $routes ) {
        // Add Real Cookie Banner’s dynamic namespace to the whitelist
        $routes[] = 'wlgo-iqqrli-fbqrhx';
        return $routes;
    } );

In my opinion, this plugin should register the endpoint namespace wlgo-iqqrli-fbqrhx so that AIOS can show the REST route in the whitelist. Can you please contact their support?

    https://snipboard.io/6AaBTC.jpg

    Regards
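The two replies above establish that AIOS whitelists REST namespaces (the first path segment after /wp-json/), not individual routes, and that a namespace the plugin does not register can still be allowed through the aios_whitelisted_rest_routes filter. The following is an added example, not AIOS or Real Cookie Banner code, that packages the same filter as a must-use plugin so a theme switch cannot drop it, reads the namespace from a wp-config.php constant (RCB_REST_NAMESPACE, an assumed name) instead of hardcoding it in the theme, validates the value so a typo cannot widen the whitelist, and adds an optional diagnostic hook on WordPress core's rest_pre_dispatch filter that logs the namespace of unauthenticated REST requests. The filter name and the namespace string are taken from the reply; the constant and function names are assumptions.

```php
<?php
/**
 * Plugin Name: AIOS REST whitelist for Real Cookie Banner (added example)
 * Description: Whitelists Real Cookie Banner's randomly generated REST namespace
 *              through the aios_whitelisted_rest_routes filter named in the reply
 *              above. Save as wp-content/mu-plugins/aios-rcb-whitelist.php.
 */

// Assumption: the site operator copies the namespace from the blocked request
// (the path segment right after /wp-json/) into wp-config.php, e.g.
//   define( 'RCB_REST_NAMESPACE', 'wlgo-iqqrli-fbqrhx' );
// RCB_REST_NAMESPACE is a name chosen for this example, not a plugin setting.

/**
 * Returns the configured namespace, or null if it is unset or malformed.
 */
function rcb_aios_namespace_from_config(): ?string {
    if ( ! defined( 'RCB_REST_NAMESPACE' ) ) {
        return null;
    }
    $ns = (string) constant( 'RCB_REST_NAMESPACE' );
    // Accept only a bare namespace: lowercase alphanumerics and hyphens, no
    // slashes, dots or wildcards, so the whitelist grows by exactly one namespace.
    return preg_match( '/^[a-z0-9-]{1,64}$/', $ns ) === 1 ? $ns : null;
}

add_filter( 'aios_whitelisted_rest_routes', function ( $routes ) {
    $routes = is_array( $routes ) ? $routes : array();
    $ns     = rcb_aios_namespace_from_config();
    if ( $ns !== null && ! in_array( $ns, $routes, true ) ) {
        $routes[] = $ns;
    }
    return $routes;
} );

// Optional diagnostic (WordPress core hook): log the namespace and method of each
// unauthenticated REST request that reaches the dispatcher. If a request that
// still returns 403 never shows up here, it was rejected before dispatch.
// Active only while WP_DEBUG_LOG is enabled; remove once the whitelist is confirmed.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG && ! is_user_logged_in() ) {
        $route = $request->get_route();                // e.g. /wlgo-iqqrli-fbqrhx/a1/.../consent
        $parts = explode( '/', ltrim( $route, '/' ), 2 );
        error_log( sprintf(
            'REST namespace=%s method=%s',
            $parts[0],
            $request->get_method()
        ) );
    }
    return $result; // null lets WordPress dispatch the request as usual
}, 10, 3 );
```

After installing the file and defining the constant, re-enable “Disallow unauthorized REST requests” and replay the consent request from the first post; it should return something other than 403 while other unlisted namespaces stay blocked. Because the namespace is random, expect to update the constant if the plugin regenerates it.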
