Ensuring Secure API Endpoints Accessible Only from a Specific Domain in WordPress
In modern web development, safeguarding server endpoints matters most when a piece of functionality should only ever be invoked from a designated user interface or client application. This article looks at ways to restrict a public API endpoint so that it can only be called from a specific domain while remaining reachable by unauthenticated users, and asks whether such a restriction is actually achievable without a traditional authentication mechanism.
The Challenge
Suppose you have an API endpoint served by your WordPress site that must be accessible to all users, regardless of login status, but only when the request comes from the specific domain that hosts your client application. This is a balancing act: the endpoint has to be publicly reachable so that non-logged-in users can use it, yet exclusive enough to prevent other sites, scripts or tools from calling it.
Key Considerations
- Public Accessibility with Domain Restriction
  The endpoint must be reachable without authentication, so users and clients never have to log in or present credentials. At the same time it should reject requests that do not come from the intended client domain.
- Limitations of Client-Side Checks
  Relying solely on request headers such as Origin or Referer is insufficient on its own. A browser sets these headers itself and page scripts cannot override them, but any non-browser client (cURL, Postman, a server-side script) can send whatever values it likes. A header check therefore only stops other websites' front-end code, not a determined caller.
- CORS and Token-Based Checks
  A restrictive Cross-Origin Resource Sharing (CORS) policy stops scripts on other origins from reading the endpoint's responses in a browser and, for requests that need a preflight, from sending them at all. CORS is enforced by browsers only: it does nothing against server-to-server or scripted requests, and even a simple GET issued by a foreign page still reaches the server; the browser merely withholds the response from that page.
- Authentication Considerations
  Traditional mechanisms such as API keys, bearer tokens or OAuth provide a real security boundary but add complexity, and they fit awkwardly here: a key shipped to an anonymous browser client is visible to anyone who loads the page, so it cannot tie the endpoint to a domain any more strongly than a header check does.
Potential Approaches
- Server-Side Referer Header Validation
  Check the Referer header (and, for cross-origin browser requests, the Origin header) on each request and allow only values whose scheme and host exactly match your client's domain. Compare the parsed origin rather than testing for a substring, so that a host that merely begins with your domain name is not accepted. The header can be absent (Referrer-Policy settings, privacy extensions) or forged by non-browser clients, so treat this as a deterrent rather than a security control.
- CORS Policy Enforcement
  Configure the server, through WordPress or web-server settings, to send CORS headers that name only your domain in Access-Control-Allow-Origin. This is effective for browser-based clients but does nothing against server-to-server requests. Note that the WordPress REST API by default reflects any Origin header it receives, so restricting it means replacing core's CORS handling for the route in question.
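The following is an added example, not code from the original article or from WordPress core, that wires the two approaches together for a WordPress REST route: a permission_callback that validates Origin/Referer server-side, and a CORS handler that names only the client origin. The client domain https://app.example.com, the route myplugin/v1/widgets, the function names and the attacker hostname in the comments are all hypothetical.

```php
<?php
// Added example (hypothetical names), not part of the original article or of
// WordPress core. Drop into a plugin file or the theme's functions.php.

// The only origin the browser-based client is expected to run from (assumed).
define( 'MYPLUGIN_ALLOWED_ORIGIN', 'https://app.example.com' );

/**
 * Exact origin comparison: scheme, host and port must all match.
 * A prefix or substring test would accept a hypothetical
 * https://app.example.com.attacker.test, so compare parsed components.
 *
 * @param mixed $value Raw Origin or Referer header value (null if absent).
 * @return bool
 */
function myplugin_origin_allowed( $value ) {
    if ( ! is_string( $value ) || '' === $value ) {
        return false;
    }
    $got  = wp_parse_url( $value );
    $want = wp_parse_url( MYPLUGIN_ALLOWED_ORIGIN );
    if ( ! is_array( $got ) || empty( $got['scheme'] ) || empty( $got['host'] ) ) {
        return false;
    }
    // Path and query of a Referer are ignored: any page on the origin qualifies.
    $got_port  = isset( $got['port'] ) ? (int) $got['port'] : null;
    $want_port = isset( $want['port'] ) ? (int) $want['port'] : null;
    return strtolower( $got['scheme'] ) === strtolower( $want['scheme'] )
        && strtolower( $got['host'] ) === strtolower( $want['host'] )
        && $got_port === $want_port;
}

/**
 * permission_callback: anonymous users are allowed, but the request must carry
 * an Origin (browsers send it on cross-origin requests) or a Referer (sent on
 * same-origin requests) that matches. Non-browser clients can set both freely,
 * so this deters casual reuse from other sites; it is not authentication.
 */
function myplugin_domain_permission( WP_REST_Request $request ) {
    if ( myplugin_origin_allowed( $request->get_header( 'origin' ) )
        || myplugin_origin_allowed( $request->get_header( 'referer' ) ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden_origin',
        'This endpoint may only be called from the designated client domain.',
        array( 'status' => 403 )
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/widgets', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => 'myplugin_domain_permission',
        'callback'            => function ( WP_REST_Request $request ) {
            // Constructed sample payload standing in for the real endpoint logic.
            return rest_ensure_response( array( 'widgets' => array( 'alpha', 'beta' ) ) );
        },
    ) );
} );

// CORS: core hooks rest_send_cors_headers() on rest_pre_serve_request and
// reflects whatever Origin arrives. Replace it with a handler that only
// acknowledges our client origin for this plugin's routes and keeps core
// behaviour for everything else.
remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
add_filter( 'rest_pre_serve_request', function ( $served, $result, $request, $server ) {
    if ( 0 !== strpos( $request->get_route(), '/myplugin/v1/' ) ) {
        return rest_send_cors_headers( $served );
    }
    $origin = get_http_origin();
    if ( myplugin_origin_allowed( $origin ) ) {
        header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
        header( 'Access-Control-Allow-Methods: OPTIONS, GET' );
        header( 'Vary: Origin', false );
    }
    return $served;
}, 10, 4 );
```

A request from the client page passes both checks; a page on another origin gets a 403 from the permission_callback, and even if it did not, the missing Access-Control-Allow-Origin header would stop its script from reading the body. A cURL call with a forged Origin or Referer still succeeds, which is exactly the limitation described above: without a credential, the domain check is a speed bump, not a boundary.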