Documentation

Security & Authorization

api_security_authorization_header – Use this filter if you want to change which authorization header the plugin reads when authenticating users: it receives the authorization value the plugin found and returns the value that should be used instead.

PHP
add_filter( 'api_security_authorization_header', function( $auth_header ) {
    // Read the alternative header, if the client sent one, and sanitize it.
    $custom_header = isset( $_SERVER['HTTP_X_MY_CUSTOM_AUTH'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_MY_CUSTOM_AUTH'] ) )
        : '';

    // Prefer the custom header; otherwise keep the value the plugin found.
    return ! empty( $custom_header ) ? $custom_header : $auth_header;
}, 10, 1 );

api_security_restrict_rest_api_authorization – Decides whether a REST request must carry an authorization header. The filter receives the plugin's current decision and the request; return true to require authorization for that request.

PHP
add_filter( 'api_security_restrict_rest_api_authorization', function( $requires_auth, $request ) {
    // Require authorization for specific routes
    if ( strpos( $request->get_route(), '/wp/v2/posts' ) === 0 ) {
        return true;
    }

    return $requires_auth;
}, 10, 2 );

api_security_headers_allow – Returns true by default for all endpoints. Use this filter to decide, per request, whether the security headers should be applied; return false to skip them for that request.

PHP
add_filter( 'api_security_headers_allow', function( $status, $request ) {
    if ( strpos( $request->get_route(), '/wp/v2/posts' ) === 0 ) {
        return false;
    }

    return $status;
}, 10, 2 );
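The three filters above are usually configured together. The following is an added example, not code from the plugin or its documentation: a single route policy drives all three hooks, so the list of public routes, the custom header name (X-My-Custom-Auth) and the helper function names (my_api_security_*) are assumptions made for this illustration. Unlike the snippets above, it also validates the custom header's format before letting it replace the plugin's own value, and it requires authorization for every non-GET request while exempting only an explicit allowlist of read-only routes.

```php
// Added example: one route policy feeding all three api_security_* filters.
// Route patterns, header name and helper names are hypothetical.

/**
 * Hypothetical route policy.
 *  - 'public'     : GET routes that may be served without an Authorization header
 *  - 'no_headers' : routes for which the plugin's security headers are skipped
 * Patterns are regular expressions matched against WP_REST_Request::get_route().
 */
function my_api_security_route_policy() {
    return array(
        'public'     => array( '#^/wp/v2/posts(/|$)#', '#^/wp/v2/categories(/|$)#' ),
        'no_headers' => array(), // empty: keep the security headers on every endpoint
    );
}

/** True when $route matches at least one pattern in $patterns. */
function my_api_security_route_matches( $route, array $patterns ) {
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $route ) === 1 ) {
            return true;
        }
    }
    return false;
}

/**
 * Choose the credential the plugin should verify. The custom header replaces
 * the plugin's value only when it looks like "Bearer <token>"; anything else
 * (missing, empty, malformed) falls back to $auth_header unchanged.
 */
function my_api_security_pick_auth_header( $auth_header, array $server ) {
    $custom = isset( $server['HTTP_X_MY_CUSTOM_AUTH'] )
        ? sanitize_text_field( wp_unslash( $server['HTTP_X_MY_CUSTOM_AUTH'] ) )
        : '';

    // RFC 6750 token68 characters only; reject anything that does not fit.
    if ( preg_match( '#^Bearer [A-Za-z0-9\-._~+/]+=*$#', $custom ) === 1 ) {
        return $custom;
    }
    return $auth_header;
}

add_filter( 'api_security_authorization_header', function ( $auth_header ) {
    return my_api_security_pick_auth_header( $auth_header, $_SERVER );
}, 10, 1 );

add_filter( 'api_security_restrict_rest_api_authorization', function ( $requires_auth, $request ) {
    $policy = my_api_security_route_policy();

    // Read-only requests to allowlisted routes do not need authorization.
    if ( 'GET' === $request->get_method()
        && my_api_security_route_matches( $request->get_route(), $policy['public'] ) ) {
        return false;
    }

    // Every write (POST, PUT, PATCH, DELETE) must be authorized.
    if ( 'GET' !== $request->get_method() ) {
        return true;
    }

    // Other GET routes keep whatever the plugin decided.
    return $requires_auth;
}, 10, 2 );

add_filter( 'api_security_headers_allow', function ( $status, $request ) {
    $policy = my_api_security_route_policy();
    if ( my_api_security_route_matches( $request->get_route(), $policy['no_headers'] ) ) {
        return false;
    }
    return $status;
}, 10, 2 );
```

Keeping the policy in one function makes it easy to review: the allowlist of unauthenticated routes is the only place that weakens the default, and the format check on the custom header means a client cannot smuggle an arbitrary string into the value the plugin verifies.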

What are the security headers?

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
csp_frame_ancestors: self