How to use nonces the right way #28
Replies: 5 comments 1 reply
-
The documentation team is also working on centralizing the nonces information that is right now in multiple places.
-
Looking through some of the code examples, noticed this anonymous / lambda function as callback to an Using anonymous functions in The "best practice" there is to use a separate function, like in the other examples on the same page. Example: https://developer.wordpress.org/apis/security/nonces/#performing-additional-verification. Ideally all code examples would be like that. The general idea is that code examples would have the same requirements as the WP core code, including formatting, white space, best practices, etc.
-
I've often struggled to remember all the different places/ways nonces are used when developing for WordPress, so I usually keep a few sample code snippets around for both form submission handlers, as well as ajax handlers. If no one else wants to tackle this post, I'd be happy to.
-
As @jonathanbossenger noted, we need to use nonces with Ajax handlers. Any web interface that establishes a session with WP via Ajax needs to authenticate and exchange nonces. This should include front-end React apps that use api-fetch, axios, useQuery, or any other tooling.
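The two comments above ask for reference snippets covering both a classic form submission handler and an Ajax handler. The following is an added example written for this thread, not code posted by any participant or taken from the WordPress documentation; every `mydemo_` name, option, action and capability is hypothetical, and it uses the named-callback style the earlier comment recommends. It uses only core WordPress functions (`wp_nonce_field`, `wp_verify_nonce`, `wp_create_nonce`, `wp_localize_script`, `check_ajax_referer`).

```php
<?php
/**
 * Added example, not code from this discussion. Demonstrates one nonce per
 * action for (1) an admin-post.php form handler and (2) an admin-ajax.php
 * handler. All `mydemo_` identifiers are hypothetical.
 */

// --- 1. Form submission handled by admin-post.php ---------------------------

// wp_nonce_field() emits the hidden `mydemo_save_nonce` input, bound to the
// `mydemo_save_settings` action and to the current user's session.
function mydemo_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="mydemo_save_settings" />
		<?php wp_nonce_field( 'mydemo_save_settings', 'mydemo_save_nonce' ); ?>
		<input type="text" name="mydemo_title" value="" />
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

// The nonce proves the request was intended by the logged-in user (CSRF defence).
// It is not authorization: current_user_can() is still required.
function mydemo_save_settings() {
	if ( ! isset( $_POST['mydemo_save_nonce'] )
		|| ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['mydemo_save_nonce'] ) ), 'mydemo_save_settings' ) ) {
		wp_die( esc_html__( 'Security check failed.', 'mydemo' ), 403 );
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do this.', 'mydemo' ), 403 );
	}

	$title = isset( $_POST['mydemo_title'] ) ? sanitize_text_field( wp_unslash( $_POST['mydemo_title'] ) ) : '';
	update_option( 'mydemo_title', $title );

	wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
	exit;
}
add_action( 'admin_post_mydemo_save_settings', 'mydemo_save_settings' );

// --- 2. Ajax request handled by admin-ajax.php ------------------------------

// Hand the script a fresh nonce and the Ajax URL. A React front end using
// api-fetch sends its nonce the same way in spirit, via the X-WP-Nonce header
// created for the `wp_rest` action; the server-side rule is identical.
function mydemo_enqueue_assets() {
	wp_enqueue_script( 'mydemo-ajax', plugins_url( 'mydemo.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script( 'mydemo-ajax', 'mydemoAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'mydemo_ajax_action' ),
	) );
	// mydemo.js (hypothetical) POSTs to mydemoAjax.url with the body
	// action=mydemo_ajax_action&security=<mydemoAjax.nonce>&term=<input>.
}
add_action( 'admin_enqueue_scripts', 'mydemo_enqueue_assets' );

// check_ajax_referer() reads the `security` field, verifies it against the
// action and, by default, terminates the request with -1 when it fails.
function mydemo_ajax_handler() {
	check_ajax_referer( 'mydemo_ajax_action', 'security' );
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	$term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
	wp_send_json_success( array( 'echo' => $term ) );
}
add_action( 'wp_ajax_mydemo_ajax_action', 'mydemo_ajax_handler' );
```

Two points worth keeping in a reference snippet like this: the nonce check and the capability check answer different questions (intent versus permission), so both appear in each handler; and because a WordPress nonce is bound to the user session, a script that caches the localized value across a login change or past the nonce lifetime will start failing verification, which is the usual cause of spurious `-1` responses from admin-ajax.php.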
-
@zzap has taken this on. This discussion is locked. Please continue the discussion on the issue: How to use nonces the right way
-
Thank you to @zzap for suggesting this topic!
What would be the flow of such a post?