

#60911 new defect (bug)

WordPress requires Host in the header

Reported by: robhess05 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: REST API Keywords: reporter-feedback
Focuses: Cc:

Description

The latest version of the WordPress REST API appears to require the `Host` request header; a request without it is rejected with 400 Bad Request.
Here is what the request looks like with the header present:

GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc: {
  "Network": {
    "addresses": {
      "local": {
        "address": "10.20.1.155",
        "family": "IPv4",
        "port": 49888
      },
      "remote": {
        "address": "192.34.63.28",
        "family": "IPv4",
        "port": 443
      }
    },
    "tls": {
      "reused": false,
      "authorized": true,
      "authorizationError": null,
      "cipher": {
        "name": "TLS_AES_256_GCM_SHA384",
        "standardName": "TLS_AES_256_GCM_SHA384",
        "version": "TLSv1/SSLv3"
      },
      "protocol": "TLSv1.3",
      "ephemeralKeyInfo": {},
      "peerCertificate": {
        "subject": {
          "commonName": "www.beringer.net",
          "alternativeNames": "DNS:beringer.net, DNS:www.beringer.net"
        },
        "issuer": {
          "country": "US",
          "organization": "Let's Encrypt",
          "commonName": "R3"
        },
        "validFrom": "Apr  3 12:20:46 2024 GMT",
        "validTo": "Jul  2 12:20:45 2024 GMT",
        "fingerprint": "2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9",
        "serialNumber": "04404b5225101d4ac8471be9165c639456a1"
      }
    }
  },
  "Request Headers": {
    "host": "www.beringer.net",
    "postman-token": "afce3fc4-0849-4c96-9dcc-63766c9fe9da",
    "cookie": "mtsnb_lastvisited=1712080253"
  },
  "Response Headers": {
    "server": "nginx",
    "date": "Wed, 03 Apr 2024 19:17:05 GMT",
    "content-type": "application/json; charset=UTF-8",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "vary": [
      "Accept-Encoding",
      "Origin,Accept-Encoding"
    ],
    "cache-control": [
      "must-revalidate, max-age=0",
      "max-age=0, s-maxage=2592000"
    ],
    "x-robots-tag": "noindex",
    "x-content-type-options": "nosniff",
    "access-control-expose-headers": "X-WP-Total, X-WP-TotalPages, Link",
    "access-control-allow-headers": "Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type",
    "x-wp-total": "1150",
    "x-wp-totalpages": "12",
    "link": "<https://www.beringer.net/wp-json/wp/v2/posts?_fields=date%2Cmodified%2Clink%2Ctitle%2Cauthor%2Ccomment_status%2Cstatus&per_page=100&orderby=modified&order=desc&page=2>; rel=\"next\"",
    "allow": "GET",
    "expires": "Wed, 03 Apr 2024 19:17:04 GMT"
  },
  "Response Body": "The console only shows response bodies smaller than 10 KB inline. To view the complete body, inspect it by clicking Open."
}

And the same request with the `Host` header omitted (note that the 400 response carries none of the WordPress headers seen above and its body is the stock nginx error page):

GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc: {
  "Network": {
    "addresses": {
      "local": {
        "address": "10.20.1.155",
        "family": "IPv4",
        "port": 49955
      },
      "remote": {
        "address": "192.34.63.28",
        "family": "IPv4",
        "port": 443
      }
    },
    "tls": {
      "reused": true,
      "authorized": true,
      "authorizationError": null,
      "cipher": {
        "name": "TLS_AES_256_GCM_SHA384",
        "standardName": "TLS_AES_256_GCM_SHA384",
        "version": "TLSv1/SSLv3"
      },
      "protocol": "TLSv1.3",
      "ephemeralKeyInfo": {},
      "peerCertificate": {
        "subject": {
          "commonName": "www.beringer.net",
          "alternativeNames": "DNS:beringer.net, DNS:www.beringer.net"
        },
        "issuer": {
          "country": "US",
          "organization": "Let's Encrypt",
          "commonName": "R3"
        },
        "validFrom": "Apr  3 12:20:46 2024 GMT",
        "validTo": "Jul  2 12:20:45 2024 GMT",
        "fingerprint": "2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9",
        "serialNumber": "04404b5225101d4ac8471be9165c639456a1"
      }
    }
  },
  "Request Headers": {
    "postman-token": "d82b77c7-61b9-4a3d-a757-ceb35278515d",
    "cookie": "mtsnb_lastvisited=1712080253"
  },
  "Response Headers": {
    "server": "nginx",
    "date": "Wed, 03 Apr 2024 19:17:56 GMT",
    "content-type": "text/html",
    "content-length": "150",
    "connection": "close"
  },
  "Response Body": "<html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
}

I'm currently using a tool that will not let me set the `Host` request header. Why is this now being enforced, and is there another way to satisfy this requirement?

Change History (2)

#1 @SergeyBiryukov
7 weeks ago

  • Component changed from General to REST API

#2 @antonvlasenko
3 days ago

  • Keywords reporter-feedback added

Thanks for reporting the issue, @robhess05.

I tried to reproduce the issue but was unable to. Could this be related to your specific environment?
I used this website for testing: https://square-ferret-squirrel.jurassic.ninja/ (note that the link is valid for only one week). It runs on WordPress 6.5.3.

When I send a GET request to retrieve all posts, it works without my specifying the `Host` header explicitly (presumably my client adds it automatically, as HTTP/1.1 clients must). Note that the 400 response in your second capture is nginx's own stock error page — no WordPress headers such as `X-WP-Total` are present — so the request appears to be rejected by the web server before it ever reaches WordPress. HTTP/1.1 requires a `Host` header on every request (RFC 9112 §3.2) and servers are required to reject requests that lack it, so this is not something WordPress enforces or can relax; the fix is on the client side.
