• Resolved jussipv

    (@jussipv)


    Hi,

    I’m trying to set an Access-Control-Allow-Origin header to limit requests from our endpoints to our own domains. We have multiple domains so we need to dynamically check if HTTP_ORIGIN is within our allowed domains.

    I have code which works perfectly for the endpoints and checks the Origin, but it only works for the initial request after the cache is cleared; on the cached requests I guess the header allows all Origins.

    Here is my code for changing the header for our custom endpoint:

    add_action('rest_api_init', function() {
    
      remove_filter('rest_pre_serve_request', 'rest_send_cors_headers');
      add_filter('rest_pre_serve_request', function($value) {
        $origin = get_http_origin();
    
        $allowed_origins = [
          'https://our.domain.com',
          'https://ourdomain.com',
          'https://app.ourdomain.com'
        ];
    
        // Fallback
        $allowed_origin = 'https://ourdomain.com';
    
        if(in_array($origin, $allowed_origins)) {
          $allowed_origin = $origin;
        }
    
        header( 'Access-Control-Allow-Origin: ' . esc_url_raw($allowed_origin));
        header( 'Access-Control-Allow-Methods: GET, OPTIONS');
    
        if(isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
          header( 'Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept');
    
          header( 'Access-Control-Max-Age: 86400');
          header( 'Cache-Control: public, max-age=86400');
          header( 'Vary: origin');
    
          exit(0);
        }
    
        return $value;
      });
    });
Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Richard Korthuis

    (@rockfire)

    Hi @jussipv

    Thank you for using our plugin and sorry for the late reply.

    The reason your code for changing the header doesn’t work is the way our plugin works. It hooks into WordPress as soon as possible and prevents any other code from being executed (including your code).
    We do have filters to alter the headers of the cached request, but this is prior to caching, so it would not work for you. We could consider adding a filter/hook so you could alter the headers of a cached request prior to outputting it, but you would have to use the filter from a must use plugin. Would that work for you?

    Hi @rockfire, first thanks for an awesome plugin.

    I have the same need as Jussipv and a hook to alter the headers would be greatly appreciated!

    Best regards
    Adin

    Hello, I have the same need. I want to modify the headers of all cached requests and could use a hook via a must use plugin. Is it added to the roadmap yet?

    Thanks!

    Plugin Author Richard Korthuis

    (@rockfire)

    Hi @jussipv, @jilfransoi and @adinehnsio

    Sorry it took me so long, I have been extremely busy, but we just released a new version of our plugin which includes a filter wp_rest_cache/pre_output_headers which can be used (from a mu-plugin with a name which is alphabetically before wp-rest-cache.php) to alter the headers. For example like this:

    /**
     * Add Access-Control-Allow-Headers headers to the response.
     *
     * @param array $headers The headers that will be sent to the client.
     * @param string $request_uri The REST URI that is being requested.
     *
     * @return array
     */
    function wprc_pre_output_headers( $headers, $request_uri ) {
    	$headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept';
    	return $headers;
    }
    // Register the callback on the filter; it receives two arguments.
    add_filter( 'wp_rest_cache/pre_output_headers', 'wprc_pre_output_headers', 10, 2 );

    Hello, I am trying to utilize this hook from a plugin, but it never seems to fire. Does it have to be done as a mu-plugin with specific alphabetical name, or is there a more supported method to utilize this?
    Thanks!

    Hello @rockfire just seeing your reply now.

    Thank you for your kind work, will try this asap.

    Cheers

    Plugin Author Richard Korthuis

    (@rockfire)

    Hi @fatjester

    Yes, it has to be a mu-plugin. This is because of the way our plugin works: if a cache record is available it is returned by our mu-plugin and no normal plugins are loaded. So it is not possible to use this filter from a normal plugin.

    Ok, thanks!
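
The pieces discussed in this thread, combined into one mu-plugin: the origin allowlist from the original question applied through the `wp_rest_cache/pre_output_headers` filter, so cached responses get a per-request `Access-Control-Allow-Origin`. This is an added example, not code from the thread participants or the plugin. The file name `a-cors-allowlist.php`, the `example_*` names and reading `$_SERVER['HTTP_ORIGIN']` directly are assumptions, as is the header array being keyed by header name as in the plugin author's snippet.

```php
<?php
/**
 * Added example, assumed to live at wp-content/mu-plugins/a-cors-allowlist.php
 * so that it sorts alphabetically before wp-rest-cache.php.
 */
const EXAMPLE_ALLOWED_ORIGINS = [ // allowlist taken from the original question
	'https://our.domain.com',
	'https://ourdomain.com',
	'https://app.ourdomain.com',
];

/** Hypothetical helper: rewrite the CORS headers of one (cached) response. */
function example_apply_cors_allowlist( array $headers, $origin ) {
	// Drop any value stored with the cache record: it reflects the request
	// that filled the cache, not the one being answered now.
	foreach ( array_keys( $headers ) as $name ) {
		if ( 0 === strcasecmp( (string) $name, 'Access-Control-Allow-Origin' ) ) {
			unset( $headers[ $name ] );
		}
	}

	// Exact, strict match only; no prefix, suffix or regex matching.
	if ( is_string( $origin ) && in_array( $origin, EXAMPLE_ALLOWED_ORIGINS, true ) ) {
		$headers['Access-Control-Allow-Origin'] = $origin;
	}

	// The response now varies by Origin, so downstream caches must key on it.
	$vary = isset( $headers['Vary'] ) ? (string) $headers['Vary'] : '';
	if ( false === stripos( $vary, 'Origin' ) ) {
		$headers['Vary'] = '' === $vary ? 'Origin' : $vary . ', Origin';
	}

	return $headers;
}

// Runs for cached responses, before the plugin outputs them.
add_filter( 'wp_rest_cache/pre_output_headers', function ( $headers, $request_uri ) {
	$origin = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : null;
	return example_apply_cors_allowlist( (array) $headers, $origin );
}, 10, 2 );
```

Requests from an origin outside the list receive no `Access-Control-Allow-Origin` header at all, so the browser blocks the cross-origin read.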

  • The topic ‘Customising cache Response Headers’ is closed to new replies.