REST API Security and CORS Configuration
PersonalizeWP v3.1 implements comprehensive security measures to protect your REST API endpoints from unauthorised access and malicious attacks. These security enhancements include token-based authentication, domain restrictions, and sophisticated CORS (Cross-Origin Resource Sharing) management that balances security with legitimate cross-domain functionality.
Overview
The security system operates through multiple layers of protection that validate every request to PersonalizeWP's REST API endpoints. Token-based authentication ensures that only authorised domains can access your personalisation data, whilst the CORS configuration tells browsers which origins may read API responses, blocking unauthorised cross-origin reads from web pages while enabling legitimate headless implementations. Note that CORS is enforced by browsers only: a non-browser client is stopped by the token check, not by CORS headers.
By default, PersonalizeWP restricts API access to your WordPress installation's primary domain. The security system automatically generates and validates unique tokens for each installation, creating a secure foundation that can be extended through manually configured API keys for authorised external domains.
Prerequisites
To fully utilise PersonalizeWP's security features:
- PersonalizeWP Pro must be installed and activated
- Your WordPress installation must use HTTPS, because the site token is a bearer secret and can be captured if sent in clear text
- Understanding of CORS principles and cross-origin request handling
- Administrative access to WordPress settings for security configuration
Token-Based Authentication
Automatic Token Generation
PersonalizeWP automatically generates a unique site token during plugin activation that's tied specifically to your WordPress installation's home URL. This token is stored securely in the WordPress options table and used to validate all incoming API requests from your primary domain.
The automatic token system requires no configuration and works transparently for standard WordPress implementations. All requests from your main site include this token automatically, ensuring seamless operation whilst maintaining security.
Manual API Key Creation
For cross-domain implementations, you can generate additional API keys through the Authentication settings panel. Each manually created API key is cryptographically unique and associated with a specific domain URL, providing secure access for headless implementations or multi-domain setups.
These manual keys operate independently of the automatic site token, allowing you to maintain different security policies for different domains whilst ensuring each key can only be used from its designated origin.
CORS Management
Automatic CORS Configuration
PersonalizeWP automatically configures CORS headers for domains with valid authentication tokens. When a request is received from an authorised domain, the system sets the appropriate Access-Control-Allow-Origin header and permits the request headers a client needs, such as Content-Type and X-PWP-Site-Token (listed via Access-Control-Allow-Headers, which is what lets the browser's preflight request succeed).
This automatic configuration eliminates the need for manual CORS setup in most implementations whilst maintaining strict security controls. The system only allows cross-origin requests from domains that possess valid API keys.
Domain Validation Process
Every cross-origin request is validated by comparing the request origin against the domains stored with your API keys. The comparison is exact: the scheme (http versus https) and the full hostname, including any subdomain or www prefix, must match the domain registered for the key. https://app.example.com and https://www.app.example.com are therefore distinct origins, and each needs its own key. No wildcard or suffix matching is performed, so only explicitly authorised domains can access your API endpoints.
Failed validation attempts are automatically rejected with appropriate HTTP error codes, providing clear feedback for debugging whilst preventing unauthorised access attempts.
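The following is an added example written for this page, not PersonalizeWP's own code: it shows how an exact-origin check and the resulting CORS headers fit together, including the preflight response that custom request headers such as X-PWP-Site-Token trigger. The function names, the allowed-origin list and the header values are illustrative assumptions.

```php
<?php
/**
 * Illustrative example (not PersonalizeWP's code): exact origin matching plus
 * the CORS headers sent for a matched origin. Names prefixed pwp_example_ and
 * the sample origins are assumptions made for this example.
 */

/**
 * Normalise a raw Origin header value to lower-case scheme://host[:port], or
 * return null when it is missing, the opaque "null" origin, or not a bare
 * http(s) origin. No wildcard or suffix matching is attempted.
 */
function pwp_example_normalise_origin( ?string $origin ): ?string {
    if ( $origin === null || $origin === '' || $origin === 'null' ) {
        return null; // absent, or the "null" origin sent from sandboxed frames and file://
    }
    $parts = parse_url( $origin );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return null;
    }
    $scheme = strtolower( $parts['scheme'] );
    if ( ! in_array( $scheme, [ 'http', 'https' ], true ) ) {
        return null;
    }
    // A path, query or userinfo means this is a URL, not an origin: reject it.
    if ( ( isset( $parts['path'] ) && $parts['path'] !== '' && $parts['path'] !== '/' )
        || isset( $parts['query'] ) || isset( $parts['user'] ) ) {
        return null;
    }
    $normalised = $scheme . '://' . strtolower( $parts['host'] );
    if ( isset( $parts['port'] ) ) {
        $normalised .= ':' . $parts['port'];
    }
    return $normalised;
}

/** Exact match of the request origin against the configured list. */
function pwp_example_origin_is_allowed( ?string $origin, array $allowed_origins ): bool {
    $normalised = pwp_example_normalise_origin( $origin );
    if ( $normalised === null ) {
        return false;
    }
    $allowed = array_map( 'pwp_example_normalise_origin', $allowed_origins );
    return in_array( $normalised, $allowed, true );
}

/**
 * Build the CORS headers for one request. Only a matched origin is ever echoed
 * back; "*" is never used because the request carries a secret token.
 */
function pwp_example_cors_headers( string $method, ?string $origin, array $allowed_origins ): array {
    if ( ! pwp_example_origin_is_allowed( $origin, $allowed_origins ) ) {
        // No Access-Control-Allow-Origin at all: the browser refuses to expose the response.
        return [ 'status' => 403, 'headers' => [] ];
    }
    $headers = [
        'Access-Control-Allow-Origin' => pwp_example_normalise_origin( $origin ),
        'Vary'                        => 'Origin', // stop caches serving one origin's ACAO to another
    ];
    if ( $method === 'OPTIONS' ) {
        // Preflight: the custom X-PWP-Site-Token header (and any others the
        // client sends) must be listed here or the browser blocks the real request.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, X-PWP-Site-Token, X-Requested-With';
        $headers['Access-Control-Max-Age']       = '600';
        return [ 'status' => 204, 'headers' => $headers ];
    }
    return [ 'status' => 200, 'headers' => $headers ];
}

// Constructed sample: keys registered for two distinct origins.
$allowed = [ 'https://app.example.com', 'https://shop.example.net' ];

var_dump( pwp_example_origin_is_allowed( 'https://app.example.com', $allowed ) );
var_dump( pwp_example_origin_is_allowed( 'https://www.app.example.com', $allowed ) );     // www prefix is a different host
var_dump( pwp_example_origin_is_allowed( 'http://app.example.com', $allowed ) );          // scheme differs
var_dump( pwp_example_origin_is_allowed( 'https://app.example.com.evil.test', $allowed ) ); // suffix match is not a match
var_dump( pwp_example_origin_is_allowed( null, $allowed ) );                              // no Origin header

print_r( pwp_example_cors_headers( 'OPTIONS', 'https://app.example.com', $allowed ) );
```

Run with `php origins.php`. The last four `var_dump` calls are the cases that most often appear as CORS rejections in practice: the browser's Origin header differs from the registered domain by a www prefix, by scheme, or is absent, and the plugin's exact comparison treats each as a different origin.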
Advanced Configuration Options
Developer Filter Integration
Advanced users can extend CORS functionality through the personalizewp_allowed_origins filter hook. This allows developers to programmatically add allowed domains without creating API keys through the interface, providing flexibility for complex deployment scenarios.
The filter receives an array of currently allowed origins and expects a modified array in return. This approach enables dynamic origin management based on environment variables or other runtime conditions.
Multisite Compatibility
PersonalizeWP's security system fully supports WordPress multisite installations by managing tokens and domain restrictions on a per-site basis. Each site in a multisite network maintains its own security configuration and API keys, ensuring proper isolation between different sites.
The system automatically detects multisite environments and adjusts token storage and validation accordingly, using site-specific options rather than network-wide settings.
Rate Limiting Protection
The security system includes built-in rate limiting that monitors API request patterns and automatically restricts excessive requests from individual domains or IP addresses. This limits the damage from abusive request volumes and brute-force token guessing and helps keep the API available for legitimate users, although no application-level limiter can fully stop a large-scale DDoS on its own.
Rate limiting operates transparently and adjusts dynamically based on request patterns, applying stricter limits during suspected attacks whilst maintaining normal performance for regular usage.
Security Validation Process
Request Origin Verification
All API requests undergo origin verification that checks the Origin or Referer header against the authorised domains. Requests without proper origin headers or from unauthorised domains are automatically rejected before any processing occurs.
The verification process handles various browser behaviours and request types, ensuring compatibility with legitimate cross-origin requests whilst blocking unauthorised access attempts. Bear in mind that browsers set these headers, but any non-browser client can set them to whatever it likes, so origin verification is a defence against cross-site requests from web pages; the token check, not the origin check, is what authenticates a caller.
Token Authentication Flow
Token authentication occurs through the X-PWP-Site-Token header that must accompany all API requests. The system validates tokens using a constant-time comparison, so that response timing does not reveal how many leading bytes of a guessed token were correct.
Invalid or missing tokens result in immediate request rejection with appropriate HTTP status codes, giving a clear indication of authentication failures, whilst the rate limiting described above slows down repeated guessing.
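As an added example written for this page (not PersonalizeWP's own code), here is a constant-time token check wired into a WordPress REST route's permission callback, so that a missing or wrong token is rejected before the route's handler runs. The route name, option names, function names and sample tokens are assumptions; only the X-PWP-Site-Token header name comes from the documentation.

```php
<?php
/**
 * Illustrative example (not PersonalizeWP's code): constant-time validation of
 * the X-PWP-Site-Token header inside a REST permission_callback. The route,
 * the option names and the pwp_example_ functions are assumptions.
 */

/**
 * Return 200 when $presented matches a configured key, 401 when no token was
 * sent, 403 when one was sent but matches nothing. hash_equals() takes the
 * same time regardless of where the first mismatching byte is, so latency does
 * not leak the key one byte at a time the way === can.
 */
function pwp_example_check_token( ?string $presented, array $valid_tokens ): int {
    if ( $presented === null || $presented === '' ) {
        return 401;
    }
    $matched = false;
    foreach ( $valid_tokens as $stored ) {
        // Compare against every key instead of returning on the first hit, so
        // the number of comparisons does not reveal which slot matched.
        if ( hash_equals( (string) $stored, $presented ) ) {
            $matched = true;
        }
    }
    return $matched ? 200 : 403;
}

/**
 * Keys this site accepts: the automatic site token plus any manual API keys.
 * Read from assumed option names here; the real plugin's storage differs.
 */
function pwp_example_valid_tokens(): array {
    $tokens = (array) get_option( 'pwp_example_api_keys', [] );
    $site   = (string) get_option( 'pwp_example_site_token', '' );
    if ( $site !== '' ) {
        $tokens[] = $site;
    }
    return array_filter( $tokens, 'is_string' );
}

function pwp_example_permission_callback( WP_REST_Request $request ) {
    $status = pwp_example_check_token(
        $request->get_header( 'X-PWP-Site-Token' ), // null when the header is absent
        pwp_example_valid_tokens()
    );
    if ( $status === 200 ) {
        return true;
    }
    // A WP_Error carrying a 'status' key becomes the HTTP status of the rejection.
    return new WP_Error(
        $status === 401 ? 'pwp_example_missing_token' : 'pwp_example_invalid_token',
        $status === 401 ? 'Missing X-PWP-Site-Token header.' : 'The supplied site token is not valid for this site.',
        [ 'status' => $status ]
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'pwp-example/v1', '/rules', [
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( [ 'rules' => [] ] ); // placeholder payload for the example
        },
        'permission_callback' => 'pwp_example_permission_callback',
    ] );
} );
```

Returning distinct statuses for "no token" and "wrong token" makes client-side debugging easier without helping an attacker, since neither response says anything about which bytes of a guess were correct.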
Header Validation
Beyond origin and token validation, the system checks for required headers like Content-Type and X-Requested-With that indicate legitimate API usage. This multi-header approach filters out naive automated clients whilst maintaining compatibility with standard API clients; because any client can set these headers, treat this as a nuisance filter rather than as authentication.
Troubleshooting
Authentication Token Issues
Authentication failures typically stem from missing or incorrect tokens in request headers. Verify that your implementation includes the X-PWP-Site-Token header with the correct API key value, and ensure the token hasn't been revoked in the Authentication settings. For automatic tokens, clearing and regenerating the token through plugin deactivation and reactivation can resolve corruption issues.
CORS Rejection Problems
CORS errors often indicate domain mismatches between your API key configuration and the actual request origin. Check that your requesting domain exactly matches the domain specified during API key creation, including any www prefix and the scheme (http versus https). The Network tab in your browser's developer tools shows the exact Origin header being sent, which you can compare with your configured domains.
Rate Limiting Activation
If legitimate requests are being rate limited, this typically indicates unusual request patterns that trigger protective measures. Review your API usage patterns to ensure requests aren't being made too frequently, and consider implementing client-side caching to reduce API call frequency. Contact support if rate limiting appears to be incorrectly triggered for normal usage patterns.
Multisite Configuration Issues
Multisite implementations may experience token conflicts if sites share similar configurations. Ensure each site in your network has properly generated its own API keys and verify that token validation is occurring at the correct site level. Network-wide plugins can sometimes interfere with site-specific token storage, requiring individual site activation.
Filter Hook Problems
When using the personalizewp_allowed_origins filter, ensure your custom code returns a properly formatted array and doesn't interfere with existing allowed origins. Malformed filter responses can break CORS functionality entirely, so test custom implementations thoroughly in development environments before deploying to production.
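The following added example (written for this page, not PersonalizeWP's own code) serves both the Developer Filter Integration section and the troubleshooting note above: it adds origins from an environment variable through the documented personalizewp_allowed_origins filter, preserves the origins the plugin already allows, and drops malformed entries instead of returning a malformed array. The environment variable name PWP_EXTRA_ORIGINS, the sample origins and the function name are assumptions.

```php
<?php
/**
 * Illustrative example (not PersonalizeWP's code): extend the allowed-origin
 * list from an environment variable. Only the filter name comes from the
 * documentation; PWP_EXTRA_ORIGINS and pwp_example_add_env_origins are assumed.
 * Place this in a must-use plugin or your theme's functions.php.
 */
add_filter( 'personalizewp_allowed_origins', 'pwp_example_add_env_origins' );

/**
 * @param mixed $origins Origins PersonalizeWP already allows (API keys and the site token).
 * @return array The same list plus any well-formed origins from PWP_EXTRA_ORIGINS.
 */
function pwp_example_add_env_origins( $origins ) {
    // Defensive: if an earlier filter returned something that is not an array,
    // start from an empty list rather than breaking CORS for every origin.
    if ( ! is_array( $origins ) ) {
        $origins = [];
    }

    // Constructed sample value: "https://staging.example.com, https://preview.example.com:8443"
    $raw = getenv( 'PWP_EXTRA_ORIGINS' );
    if ( $raw === false || trim( $raw ) === '' ) {
        return $origins; // nothing to add: return the existing list unchanged, never null
    }

    foreach ( explode( ',', $raw ) as $candidate ) {
        $candidate = untrailingslashit( trim( $candidate ) );
        // Accept only a bare http(s) origin: scheme and host (optional port), no path, query or userinfo.
        // Anything else is a configuration error and is logged and skipped rather than passed through.
        if ( $candidate === ''
            || filter_var( $candidate, FILTER_VALIDATE_URL ) === false
            || ! preg_match( '#^https?://[A-Za-z0-9.-]+(:\d+)?$#i', $candidate ) ) {
            error_log( 'personalizewp_allowed_origins: ignoring malformed origin "' . $candidate . '"' );
            continue;
        }
        $origins[] = strtolower( $candidate );
    }

    // Keep a plain, duplicate-free list with sequential keys: a filter consumer
    // that does in_array() or json_encode() on the result expects exactly that.
    return array_values( array_unique( $origins ) );
}
```

Because the callback appends to `$origins` rather than replacing it, origins registered through the Authentication settings keep working; and because it always returns an array, a missing or empty environment variable leaves the plugin's behaviour unchanged rather than disabling CORS.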
PersonalizeWP's comprehensive security system provides enterprise-level protection for your personalisation data whilst maintaining the flexibility needed for modern web architectures and headless implementations.