WordPress nonces are an easy piece of security measure you can implement into your plugins or themes to prevent your users from Cross Site Request Forgery attacks. But how do WordPress nonces really work? You heard they were valid for 24 hours? Are they really? How can they be called nonces if they can be reused? Let’s dive right into in and see how WordPress nonces are not pure nonces but still are useful to provide an higher level of security to your website’s users.
What is a Nonce?
A nonce simply stands for a Number used ONCE. It’s a unique token used to add a layer of security to your application and also to validate the intent of a user initiated action.
This Nonce is generated by a server-side application, stored on the server and sent to the client to be part of the payload it’s going to send back to the server. This way, you have a way to validate the payload and have a higher level of certainty that the request was actually made by the client.
Why use a Nonce?
A nonce could be seen as a one time password for user initiated actions. May it be sending a form, encrypting data or executing an action, the nonce adds a level of security by preventing a malicious
Source: https://managewp.org/articles/15137/wordpress-nonces-what-are-they-really-and-how-they-work
source https://williechiu40.wordpress.com/2017/05/17/wordpress-nonces-what-are-they-really-and-how-they-work/
No comments:
Post a Comment