Opened 5 months ago
Last modified 4 months ago
#60911 new defect (bug)
WordPress requires Host in the header
Reported by: | robhess05 | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | REST API | Keywords: | reporter-feedback |
Focuses: | | Cc: | |
Description
The latest version of the WordPress API requires the Host attribute in the header.
Here’s what that request looks like with it:
GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc: { "Network": { "addresses": { "local": { "address": "10.20.1.155", "family": "IPv4", "port": 49888 }, "remote": { "address": "192.34.63.28", "family": "IPv4", "port": 443 } }, "tls": { "reused": false, "authorized": true, "authorizationError": null, "cipher": { "name": "TLS_AES_256_GCM_SHA384", "standardName": "TLS_AES_256_GCM_SHA384", "version": "TLSv1/SSLv3" }, "protocol": "TLSv1.3", "ephemeralKeyInfo": {}, "peerCertificate": { "subject": { "commonName": "www.beringer.net", "alternativeNames": "DNS:beringer.net, DNS:www.beringer.net" }, "issuer": { "country": "US", "organization": "Let's Encrypt", "commonName": "R3" }, "validFrom": "Apr 3 12:20:46 2024 GMT", "validTo": "Jul 2 12:20:45 2024 GMT", "fingerprint": "2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9", "serialNumber": "04404b5225101d4ac8471be9165c639456a1" } } }, "Request Headers": { "host": "www.beringer.net", "postman-token": "afce3fc4-0849-4c96-9dcc-63766c9fe9da", "cookie": "mtsnb_lastvisited=1712080253" }, "Response Headers": { "server": "nginx", "date": "Wed, 03 Apr 2024 19:17:05 GMT", "content-type": "application/json; charset=UTF-8", "transfer-encoding": "chunked", "connection": "keep-alive", "vary": [ "Accept-Encoding", "Origin,Accept-Encoding" ], "cache-control": [ "must-revalidate, max-age=0", "max-age=0, s-maxage=2592000" ], "x-robots-tag": "noindex", "x-content-type-options": "nosniff", "access-control-expose-headers": "X-WP-Total, X-WP-TotalPages, Link", "access-control-allow-headers": "Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type", "x-wp-total": "1150", "x-wp-totalpages": "12", "link": "<https://www.beringer.net/wp-json/wp/v2/posts?_fields=date%2Cmodified%2Clink%2Ctitle%2Cauthor%2Ccomment_status%2Cstatus&per_page=100&orderby=modified&order=desc&page=2>; rel=\"next\"", "allow": "GET", "expires": "Wed, 03 Apr 2024 19:17:04 GMT" }, "Response Body": "The console only shows response bodies smaller than 10 KB inline. To view the complete body, inspect it by clicking Open." }
And without it
GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc: { "Network": { "addresses": { "local": { "address": "10.20.1.155", "family": "IPv4", "port": 49955 }, "remote": { "address": "192.34.63.28", "family": "IPv4", "port": 443 } }, "tls": { "reused": true, "authorized": true, "authorizationError": null, "cipher": { "name": "TLS_AES_256_GCM_SHA384", "standardName": "TLS_AES_256_GCM_SHA384", "version": "TLSv1/SSLv3" }, "protocol": "TLSv1.3", "ephemeralKeyInfo": {}, "peerCertificate": { "subject": { "commonName": "www.beringer.net", "alternativeNames": "DNS:beringer.net, DNS:www.beringer.net" }, "issuer": { "country": "US", "organization": "Let's Encrypt", "commonName": "R3" }, "validFrom": "Apr 3 12:20:46 2024 GMT", "validTo": "Jul 2 12:20:45 2024 GMT", "fingerprint": "2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9", "serialNumber": "04404b5225101d4ac8471be9165c639456a1" } } }, "Request Headers": { "postman-token": "d82b77c7-61b9-4a3d-a757-ceb35278515d", "cookie": "mtsnb_lastvisited=1712080253" }, "Response Headers": { "server": "nginx", "date": "Wed, 03 Apr 2024 19:17:56 GMT", "content-type": "text/html", "content-length": "150", "connection": "close" }, "Response Body": "<html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n" }
I’m currently using a tool that will not allow me to add the Host attribute in the header. Why is this now being enforced, and is there another way to satisfy this request?
Change History (2)
Thanks for reporting the issue, @robhess05.
I tried to reproduce the issue but was unable to. Could this be related to your specific environment?
I used this website for testing: https://square-ferret-squirrel.jurassic.ninja/ (note that the link is valid for only one week). It runs on WordPress 6.5.3.
When I send a GET request to retrieve all posts, it works without needing to specify the "host" header parameter.
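Added example (not part of the ticket and not WordPress code): a small triage helper run over trimmed copies of the two captures in the description, showing which layer produced each response. It assumes the failing request went over HTTP/1.1, where RFC 9112 section 3.2 requires a server to answer a request that lacks Host with 400; the names `triage`, `WITH_HOST` and `WITHOUT_HOST` are illustrative.

```python
import re

# Constructed sample data: trimmed copies of the two Postman captures in the ticket.
WITH_HOST = {
    "Request Headers": {"host": "www.beringer.net"},
    "Response Headers": {"server": "nginx",
                         "content-type": "application/json; charset=UTF-8",
                         "x-wp-total": "1150", "x-wp-totalpages": "12"},
    "Response Body": "",
}
WITHOUT_HOST = {
    "Request Headers": {"postman-token": "d82b77c7-61b9-4a3d-a757-ceb35278515d"},
    "Response Headers": {"server": "nginx", "content-type": "text/html",
                         "content-length": "150", "connection": "close"},
    "Response Body": "<html>\r\n<head><title>400 Bad Request</title></head>\r\n"
                     "<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n"
                     "<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n",
}

# Headers the WordPress REST API adds to collection responses (seen in the first capture).
REST_HEADERS = {"x-wp-total", "x-wp-totalpages"}
# Stock error page rendered by nginx itself: <title>NNN Reason</title> ... <hr><center>nginx
NGINX_PAGE = re.compile(r"<title>(\d{3}) [^<]+</title>.*<hr><center>nginx", re.S)


def triage(capture, http_version="1.1"):
    """Report which layer produced the response and whether Host was missing."""
    req = {k.lower() for k in capture["Request Headers"]}
    resp = {k.lower(): v for k, v in capture["Response Headers"].items()}
    page = NGINX_PAGE.search(capture.get("Response Body", ""))
    if resp.keys() & REST_HEADERS:
        layer, status = "wordpress-rest-api", None
    elif resp.get("content-type", "").startswith("text/html") and page:
        layer, status = "nginx", int(page.group(1))
    else:
        layer, status = "unknown", None
    # RFC 9112 section 3.2: an HTTP/1.1 request without Host must be answered with 400.
    # Assumption: the capture was HTTP/1.1 (HTTP/2 carries :authority instead of Host).
    missing_host = http_version == "1.1" and "host" not in req
    return {"layer": layer, "status": status, "missing_host": missing_host,
            "rejected_by_web_server": layer == "nginx" and status == 400 and missing_host}
```

For the second capture the helper reports an nginx-rendered 400 with no Host in the request, so the place to look is the web server or the client tool, not the REST API.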