Security: Do we still need Nonces when building APIs?
Hello,
I am studying Ajax and REST APIs and I am trying to decide whether I should use nonces to protect my Ajax endpoints or not. I did some research, looked at many plugins' code and got even more confused. Lol. What I found is that many plugins implement it (e.g. WooCommerce), and many others don’t (e.g. WP_REST_User). But I don’t know if it is a good idea to implement nonces on my APIs or not.
In my understanding, nonces are useful to verify intention and against CSRF attacks (anything else?).
As for intention, nonces prevent hackers from tricking you into clicking on a link that does a destructive action. If you are logged in as an admin user, a permission check won’t help you if you are tricked into clicking on a link that deletes all your blog posts.
So, the conclusion I reached is that it is not necessary to use nonces with the Ajax API because clicking on links won’t cause any harm, as they generate a GET request and the Ajax API requires a POST. Even if you enter a shady website that does a POST call to your website (through JS), the CORS protection of your browser will block the request. I know that the admin could be using an old browser with no CORS protection (*cough cough* IE 9 and below), but I am not sure about supporting very old browsers with lots of vulnerabilities.
As for the REST API, I reached the same conclusion: that it isn’t necessary to use nonces. It would only be necessary for GET requests that do “destructive” actions (actions that modify state, like creating, updating, deleting), but a RESTful GET should always be “idempotent and/or safe”. This means GET methods, the only ones vulnerable to the attack I described before, won’t do any harm if not intention-protected, as they are “read-only”. The exception would be if the programmer puts a destructive method on a GET.
So, my understanding is that nonces are not required for Ajax (neither the Ajax API nor the REST API). At least not if the GET methods are read-only (and ignoring IE 2 and other ancient browsers that admins shouldn’t be using).
As for CSRF protection, I think it can be useful to protect unauthenticated actions against spam. But still, it won’t prevent an attacker from loading the page with the nonce and using this nonce.
The only place it seems to be really necessary is for non-Ajax calls, like the Settings API. And only if it is using GET for destructive actions (which is kind of a bad idea).
That’s the conclusion I reached, but I am not sure about it at all. I am positive that I am missing something, but I can’t see it.
Can anyone help me and show me what I am missing? In which scenarios can a lack of nonces on an API be exploited to attack a website?
PS: Sorry in advance if I sound like “You are wrong if you use nonces, you should stop doing it”. That is not my intention at all; I am just trying to learn about it, not to prove any point or lecture anyone. These are not assertions, but questions. Please take my post as coming from a student’s perspective, not a teacher’s. And feel free to respectfully point out where I am wrong.
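For reference, this is how a WordPress plugin would pair a nonce check with a capability check on both an admin-ajax.php action and a REST route, so that a state-changing request is only honoured when it carries a token issued to a page the logged-in user actually loaded. This is an added example written for this thread, not code from the post or from any plugin it mentions; the action name `myplugin_delete_post`, the namespace `myplugin/v1` and the script handle `myplugin-admin` are hypothetical.

```php
<?php
// Added example: nonce + capability checks for a destructive action.
// 'myplugin_delete_post', 'myplugin/v1' and 'myplugin-admin' are hypothetical names.

// admin-ajax.php handler (logged-in users only; there is deliberately no nopriv hook).
add_action( 'wp_ajax_myplugin_delete_post', function () {
    // Reads $_REQUEST['security'] and dies with HTTP 403 if the nonce is missing,
    // expired or was issued for a different action or user.
    check_ajax_referer( 'myplugin_delete_post', 'security' );

    // The nonce proves intent; the capability check still decides authorisation.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_trash_post( $post_id );
    wp_send_json_success( array( 'post_id' => $post_id ) );
} );

// REST route. For cookie-authenticated requests WordPress validates the
// X-WP-Nonce header (action 'wp_rest') before permission_callback runs:
// a missing header makes the request anonymous, an invalid one is rejected with 403.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/posts/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'delete_post', (int) $request['id'] );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            wp_trash_post( (int) $request['id'] );
            return rest_ensure_response( array( 'deleted' => (int) $request['id'] ) );
        },
    ) );
} );

// Hand both nonces to the page's script (assumes 'myplugin-admin' is registered).
// The script sends 'security' in the Ajax POST body and X-WP-Nonce on REST calls.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajaxNonce' => wp_create_nonce( 'myplugin_delete_post' ),
        'restNonce' => wp_create_nonce( 'wp_rest' ),
        'restUrl'   => rest_url( 'myplugin/v1/posts/' ),
    ) );
} );
```

Because the nonce is generated per user and per action and only reaches the browser inside a page served to that logged-in user, a request that arrives without it fails the check regardless of which HTTP method it used.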