Make WordPress Core

#60911 closed defect (bug) (invalid)

WordPress requires Host in the header

Reported by: robhess05 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: REST API Keywords: reporter-feedback
Focuses: Cc:

Description

The latest version of the WordPress API requires the Host header in the request.
Here’s what the request looks like with the Host header:

GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc: {
  "Network": {
    "addresses": {
      "local": {
        "address": "10.20.1.155",
        "family": "IPv4",
        "port": 49888
      },
      "remote": {
        "address": "192.34.63.28",
        "family": "IPv4",
        "port": 443
      }
    },
    "tls": {
      "reused": false,
      "authorized": true,
      "authorizationError": null,
      "cipher": {
        "name": "TLS_AES_256_GCM_SHA384",
        "standardName": "TLS_AES_256_GCM_SHA384",
        "version": "TLSv1/SSLv3"
      },
      "protocol": "TLSv1.3",
      "ephemeralKeyInfo": {},
      "peerCertificate": {
        "subject": {
          "commonName": "www.beringer.net",
          "alternativeNames": "DNS:beringer.net, DNS:www.beringer.net"
        },
        "issuer": {
          "country": "US",
          "organization": "Let's Encrypt",
          "commonName": "R3"
        },
        "validFrom": "Apr  3 12:20:46 2024 GMT",
        "validTo": "Jul  2 12:20:45 2024 GMT",
        "fingerprint": "2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9",
        "serialNumber": "04404b5225101d4ac8471be9165c639456a1"
      }
    }
  },
  "Request Headers": {
    "host": "www.beringer.net",
    "postman-token": "afce3fc4-0849-4c96-9dcc-63766c9fe9da",
    "cookie": "mtsnb_lastvisited=1712080253"
  },
  "Response Headers": {
    "server": "nginx",
    "date": "Wed, 03 Apr 2024 19:17:05 GMT",
    "content-type": "application/json; charset=UTF-8",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "vary": [
      "Accept-Encoding",
      "Origin,Accept-Encoding"
    ],
    "cache-control": [
      "must-revalidate, max-age=0",
      "max-age=0, s-maxage=2592000"
    ],
    "x-robots-tag": "noindex",
    "x-content-type-options": "nosniff",
    "access-control-expose-headers": "X-WP-Total, X-WP-TotalPages, Link",
    "access-control-allow-headers": "Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type",
    "x-wp-total": "1150",
    "x-wp-totalpages": "12",
    "link": "<https://www.beringer.net/wp-json/wp/v2/posts?_fields=date%2Cmodified%2Clink%2Ctitle%2Cauthor%2Ccomment_status%2Cstatus&per_page=100&orderby=modified&order=desc&page=2>; rel=\"next\"",
    "allow": "GET",
    "expires": "Wed, 03 Apr 2024 19:17:04 GMT"
  },
  "Response Body": "The console only shows response bodies smaller than 10 KB inline. To view the complete body, inspect it by clicking Open."
}

And here is the same request without the Host header:

GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc: {
  "Network": {
    "addresses": {
      "local": {
        "address": "10.20.1.155",
        "family": "IPv4",
        "port": 49955
      },
      "remote": {
        "address": "192.34.63.28",
        "family": "IPv4",
        "port": 443
      }
    },
    "tls": {
      "reused": true,
      "authorized": true,
      "authorizationError": null,
      "cipher": {
        "name": "TLS_AES_256_GCM_SHA384",
        "standardName": "TLS_AES_256_GCM_SHA384",
        "version": "TLSv1/SSLv3"
      },
      "protocol": "TLSv1.3",
      "ephemeralKeyInfo": {},
      "peerCertificate": {
        "subject": {
          "commonName": "www.beringer.net",
          "alternativeNames": "DNS:beringer.net, DNS:www.beringer.net"
        },
        "issuer": {
          "country": "US",
          "organization": "Let's Encrypt",
          "commonName": "R3"
        },
        "validFrom": "Apr  3 12:20:46 2024 GMT",
        "validTo": "Jul  2 12:20:45 2024 GMT",
        "fingerprint": "2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9",
        "serialNumber": "04404b5225101d4ac8471be9165c639456a1"
      }
    }
  },
  "Request Headers": {
    "postman-token": "d82b77c7-61b9-4a3d-a757-ceb35278515d",
    "cookie": "mtsnb_lastvisited=1712080253"
  },
  "Response Headers": {
    "server": "nginx",
    "date": "Wed, 03 Apr 2024 19:17:56 GMT",
    "content-type": "text/html",
    "content-length": "150",
    "connection": "close"
  },
  "Response Body": "<html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
}

I’m currently using a tool that will not allow me to add the Host header to the request. Why is this now being enforced, and is there another way to satisfy this request?

Change History (3)

#1 @SergeyBiryukov
23 months ago

  • Component changed from General to REST API

#2 @antonvlasenko
21 months ago

  • Keywords reporter-feedback added

Thanks for reporting the issue, @robhess05.

I tried to reproduce the issue but was unable to. Could this be related to your specific environment?
I used this website for testing: https://square-ferret-squirrel.jurassic.ninja/ (note that the link is valid for only one week). It runs on WordPress 6.5.3.

When I send a GET request to retrieve all posts, it works without needing to specify the "host" header parameter.

#3 @johnbillion
12 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

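I'll close this off as the 400 error shown in the report is coming from Nginx, not from WordPress. The failing response carries only `server: nginx` and Nginx's own 400 Bad Request page, with none of the REST API headers seen in the successful response, which is consistent with the web server rejecting an HTTP/1.1 request that lacks the mandatory Host header before it ever reaches WordPress. If you haven't gotten to the bottom of this yet, then your best course of action is to contact your web host for advice. Cheers!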
