Headless WordPress gives you performance and modern UX, but preview is where teams often break the security model. The common failure is simple: making WordPress publicly reachable “just for previews”. That turns your CMS into a permanent attack surface.
The Threat Model (What We Must Prevent)
- Public WP exposure (wp-login, xmlrpc, plugins) from the internet.
- Preview URL leakage (Slack, email forwards, browser history).
- Token replay (stolen preview token used later or by other users).
- Cache poisoning (edge caches storing preview content for public users).
Recommended Architecture
Use a dedicated Preview Gateway (your app backend) that mints short-lived preview tokens. The frontend renders preview pages only when presented with a valid token and a verified session.
Editor → WP Admin (private)
WP emits "Preview request" → Preview Gateway (public)
Gateway issues signed token (TTL + scope)
Frontend uses token to fetch draft via Gateway
Gateway talks to WP over private network
Signed Preview Tokens (Short-Lived + Scoped)
Treat preview tokens like a security credential. Make them: short TTL (5–15 minutes), single-purpose (post ID + revision), and ideally bound to editor identity.
JWT claims example:
{
"sub": "editor_user_id",
"postId": 1234,
"rev": "draft|revision_id",
"aud": "preview",
"exp": 1735070400,
"nonce": "random"
}
Prevent Preview From Being Cached Publicly
- Set Cache-Control: private, no-store for preview responses.
- Add Vary: Authorization when using auth headers.
- If you must cache, cache only inside the authenticated layer, keyed by a hash of the token (never by URL alone).
Hardening Checklist (Real-World)
- WP network isolation: private subnet or VPN-only.
- Gateway allowlist: only your gateway can reach WP APIs.
- Nonce + replay guard: record each used nonce for the length of the TTL window and reject a token whose nonce has already been seen.
- Audit logs: token issued, token used, postId, editorId.
- Rate limiting: preview endpoint per editor session/IP.
Why This Converts (SEO + Sales)
High-intent queries like “headless wordpress preview”, “secure preview environment”, and “wordpress attack surface” are exactly what enterprise teams search for. This article proves you ship headless systems that are fast and defensible.