Forum Replies Created
In reply to: Nonce check fail using reverse proxy
Was offline for a week and finally found some time to give it a try. I used the code below to use HTTP_X_FORWARDED_HOST if it’s provided for the function bbp_verify_nonce_request, so I do not skip any checks this way.
function bbp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {
    // Get the home URL
    $home_url = strtolower( home_url() );

    // Build the currently requested URL, using the host forwarded by the
    // reverse proxy when that header is present
    $scheme = is_ssl() ? 'https://' : 'http://';
    $request_host = ! empty( $_SERVER['HTTP_X_FORWARDED_HOST'] ) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];
    $requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );

    // Check the nonce
    $result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;

    // Nonce check failed
    if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) )
        $result = false;

    // Do extra things
    do_action( 'bbp_verify_nonce_request', $action, $result );

    return $result;
}
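An added example, not part of the original post and not bbPress code: one way to choose the host for the comparison above so that X-Forwarded-Host is honoured only when the request really arrives from the reverse proxy. The function name `request_host()`, the proxy address and the sample `$_SERVER` arrays are constructed for illustration, and it assumes the proxy's address is known to the backend.

```php
<?php
// Added example, not bbPress code. request_host() and the proxy list are hypothetical.

/**
 * Pick the host name to compare against home_url().
 *
 * X-Forwarded-Host is an ordinary request header that any client can send,
 * so it is used only when the connection comes from a known reverse proxy.
 */
function request_host( array $server, array $trusted_proxies ) {
    $host = isset( $server['HTTP_HOST'] ) ? $server['HTTP_HOST'] : '';
    $peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

    if ( in_array( $peer, $trusted_proxies, true ) && ! empty( $server['HTTP_X_FORWARDED_HOST'] ) ) {
        // Chained proxies produce "a, b, c". Assumption: the last entry is
        // the one appended by the proxy that connected to us.
        $parts = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_HOST'] ) );
        $host  = end( $parts );
    }

    // Accept only host[:port] (IPv6 literals are not handled); anything else
    // becomes an empty host, so the strpos() check against home_url() fails.
    $host = strtolower( $host );
    return preg_match( '/^[a-z0-9.-]+(:\d{1,5})?$/', $host ) ? $host : '';
}

// Constructed sample data: the proxy's address and two requests.
$trusted = array( '192.0.2.10' );

$via_proxy = array(
    'REMOTE_ADDR'           => '192.0.2.10',
    'HTTP_HOST'             => 'backend.internal.example',
    'HTTP_X_FORWARDED_HOST' => 'forum.example.org',
);
$direct = array(
    'REMOTE_ADDR'           => '203.0.113.7', // not the proxy
    'HTTP_HOST'             => 'backend.internal.example',
    'HTTP_X_FORWARDED_HOST' => 'forum.example.org', // client-supplied, ignored
);

var_dump( request_host( $via_proxy, $trusted ) );
var_dump( request_host( $direct, $trusted ) );
```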
In reply to: Nonce check fail using reverse proxy
Thanks so much for your kind advice.
Solving it on the proxy host as proposed by @zaerl is most likely the best way; however, the reverse proxy is running on a shared web hoster system, and I just have a web interface to enter the forward address. I’ll check, but maybe it’s not possible to apply the parameters suggested by @zaerl.
Maybe there is a chance HTTP_X_FORWARDED_HOST is set, then I could use something like this(??):
$_SERVER["HTTP_X_FORWARDED_HOST"] ? $_SERVER["HTTP_X_FORWARDED_HOST"] : $_SERVER["HTTP_HOST"]
(sorry if this is wrong syntax, but I don’t know PHP)
I’ll have a look at 2.2 once it’s released. Maybe this is also helpful.
BTW: Is a nonce check not usually using a cryptographic hash (token)? I wonder, here you just check HTTP header attributes? Is this a strong check?