In Personal settings page and API page, only show the full token_auth value on the screen after the user clicked #10939
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
To prevent API token authentication data leakage during screen sharing, or via screenshot, or when someone looks over shoulder, we will always display only the first few characters of the `token_auth` on the screen and only display the full value of `token_auth` after the user has specifically clicked on it. `Click to show the full token_auth` or so `piwik-select-on-focus`).

This will improve security and complements well our recent security improvement: Do not show token_auth of other users to a Super User #10938
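The masking behaviour proposed in this issue, as an added JavaScript example that is not Matomo's code. The names `maskToken`, `TokenDisplay` and `VISIBLE_PREFIX`, the four-character prefix, the fixed-length filler and the `hide()` step are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not Matomo code.
const VISIBLE_PREFIX = 4;   // assumed value for "the first few characters"
const FILLER = '*'.repeat(8); // fixed length, so the mask does not reveal token length

// Return the on-screen form of a token: a short prefix plus a fixed filler.
function maskToken(token, visible = VISIBLE_PREFIX) {
  if (typeof token !== 'string' || token.length === 0) return '';
  // For short values, never expose more than a quarter of the characters.
  const shown = Math.min(visible, Math.floor(token.length / 4));
  return token.slice(0, shown) + FILLER;
}

// View-model for one token field. The page renders text(); the click handler
// calls reveal(); hide() is called on blur or after a timeout so the full
// value does not stay on screen once the user has copied it.
class TokenDisplay {
  #token;            // private field: not reachable via property enumeration
  #revealed = false;

  constructor(token) {
    this.#token = token;
  }

  get revealed() {
    return this.#revealed;
  }

  // Text that is safe to place in the DOM in the current state.
  text() {
    return this.#revealed ? this.#token : maskToken(this.#token);
  }

  reveal() {
    this.#revealed = true;
    return this.text();
  }

  hide() {
    this.#revealed = false;
    return this.text();
  }
}

// Constructed sample value, not a real token_auth.
const sampleField = new TokenDisplay('0123456789abcdef0123456789abcdef');
console.log(sampleField.text());   // masked by default
console.log(sampleField.reveal()); // full value only after an explicit click
console.log(sampleField.hide());   // masked again
```

Rendering only `text()` into the page keeps the full value out of screenshots and shared screens until the user acts; it should also stay out of `title` attributes and tooltips, which would defeat the mask.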