[wp-trac] [WordPress Trac] #60911: WordPress requires Host in the header
WordPress Trac
noreply at wordpress.org
Wed Apr 3 19:20:26 UTC 2024
#60911: WordPress requires Host in the header
--------------------------+-----------------------------
Reporter: robhess05 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
The latest version of the WordPress API requires the Host header in the
request.
Here’s what that request looks like with it:
{{{
GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc:
{
"Network": {
"addresses": {
"local": {
"address": "10.20.1.155",
"family": "IPv4",
"port": 49888
},
"remote": {
"address": "192.34.63.28",
"family": "IPv4",
"port": 443
}
},
"tls": {
"reused": false,
"authorized": true,
"authorizationError": null,
"cipher": {
"name": "TLS_AES_256_GCM_SHA384",
"standardName": "TLS_AES_256_GCM_SHA384",
"version": "TLSv1/SSLv3"
},
"protocol": "TLSv1.3",
"ephemeralKeyInfo": {},
"peerCertificate": {
"subject": {
"commonName": "www.beringer.net",
"alternativeNames": "DNS:beringer.net, DNS:www.beringer.net"
},
"issuer": {
"country": "US",
"organization": "Let's Encrypt",
"commonName": "R3"
},
"validFrom": "Apr 3 12:20:46 2024 GMT",
"validTo": "Jul 2 12:20:45 2024 GMT",
"fingerprint":
"2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9",
"serialNumber": "04404b5225101d4ac8471be9165c639456a1"
}
}
},
"Request Headers": {
"host": "www.beringer.net",
"postman-token": "afce3fc4-0849-4c96-9dcc-63766c9fe9da",
"cookie": "mtsnb_lastvisited=1712080253"
},
"Response Headers": {
"server": "nginx",
"date": "Wed, 03 Apr 2024 19:17:05 GMT",
"content-type": "application/json; charset=UTF-8",
"transfer-encoding": "chunked",
"connection": "keep-alive",
"vary": [
"Accept-Encoding",
"Origin,Accept-Encoding"
],
"cache-control": [
"must-revalidate, max-age=0",
"max-age=0, s-maxage=2592000"
],
"x-robots-tag": "noindex",
"x-content-type-options": "nosniff",
"access-control-expose-headers": "X-WP-Total, X-WP-TotalPages, Link",
"access-control-allow-headers": "Authorization, X-WP-Nonce, Content-
Disposition, Content-MD5, Content-Type",
"x-wp-total": "1150",
"x-wp-totalpages": "12",
"link": "<https://www.beringer.net/wp-
json/wp/v2/posts?_fields=date%2Cmodified%2Clink%2Ctitle%2Cauthor%2Ccomment_status%2Cstatus&per_page=100&orderby=modified&order=desc&page=2>;
rel=\"next\"",
"allow": "GET",
"expires": "Wed, 03 Apr 2024 19:17:04 GMT"
},
"Response Body": "The console only shows response bodies smaller than 10
KB inline. To view the complete body, inspect it by clicking Open."
}
}}}
And without it
{{{
GET https://www.beringer.net/wp-json/wp/v2/posts?_fields=date,modified,link,title,author,comment_status,status&per_page=100&orderby=modified&order=desc:
{
"Network": {
"addresses": {
"local": {
"address": "10.20.1.155",
"family": "IPv4",
"port": 49955
},
"remote": {
"address": "192.34.63.28",
"family": "IPv4",
"port": 443
}
},
"tls": {
"reused": true,
"authorized": true,
"authorizationError": null,
"cipher": {
"name": "TLS_AES_256_GCM_SHA384",
"standardName": "TLS_AES_256_GCM_SHA384",
"version": "TLSv1/SSLv3"
},
"protocol": "TLSv1.3",
"ephemeralKeyInfo": {},
"peerCertificate": {
"subject": {
"commonName": "www.beringer.net",
"alternativeNames": "DNS:beringer.net, DNS:www.beringer.net"
},
"issuer": {
"country": "US",
"organization": "Let's Encrypt",
"commonName": "R3"
},
"validFrom": "Apr 3 12:20:46 2024 GMT",
"validTo": "Jul 2 12:20:45 2024 GMT",
"fingerprint":
"2F:F9:C9:0F:B6:4B:5A:82:49:0E:C1:71:4A:18:7C:33:3C:D6:12:A9",
"serialNumber": "04404b5225101d4ac8471be9165c639456a1"
}
}
},
"Request Headers": {
"postman-token": "d82b77c7-61b9-4a3d-a757-ceb35278515d",
"cookie": "mtsnb_lastvisited=1712080253"
},
"Response Headers": {
"server": "nginx",
"date": "Wed, 03 Apr 2024 19:17:56 GMT",
"content-type": "text/html",
"content-length": "150",
"connection": "close"
},
"Response Body": "<html>\r\n<head><title>400 Bad
Request</title></head>\r\n<body>\r\n<center><h1>400 Bad
Request</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
}
}}}
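I’m currently using a tool that will not allow me to add the Host header
to the request. Note that the 400 response above is a plain HTML error page
with an nginx signature, not a JSON error from the REST API. Why is this now
being enforced, and is there another way to satisfy this request?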
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60911>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform