Does it make sense to use a nonce on an AJAX action that only returns data and doesn’t alter data on the server side? I understand they are important if you are saving data or changing something on the server but if you are just receiving data like a post or metadata, is a nonce really needed?

1 Answer
1

No, it is not needed. If you want to show the data to some users only, you can use current_user_can( 'some_capability' ) to restrict the access.
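The capability check described in the answer, as an added example that is not part of the original answer: a read-only AJAX handler that returns post data only to users allowed to read that post. The action name `myplugin_get_post_data`, the meta key `_myplugin_meta` and the choice of the `read_post` capability are assumptions made for illustration.

```php
<?php
// Added example (hypothetical plugin code): the action name, meta key and
// capability are assumptions, not taken from the original question or answer.

// Register only the authenticated hook. With no matching wp_ajax_nopriv_ hook,
// logged-out visitors never reach the handler.
add_action( 'wp_ajax_myplugin_get_post_data', 'myplugin_get_post_data' );

function myplugin_get_post_data() {
    // Read-only lookup: normalise the ID to a non-negative integer first.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Same response for "no such post" and "not allowed", so the endpoint
    // does not reveal which post IDs exist to users who cannot read them.
    if ( ! $post || ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // wp_send_json_error() and wp_send_json_success() both end the request,
    // so nothing below the failed check runs.
    wp_send_json_success(
        array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
            'meta'  => get_post_meta( $post_id, '_myplugin_meta', true ),
        )
    );
}
```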
