The goal of this issue is to make sure most users will use Matomo over SSL all the time. Using SSL is very important and we need to remind users they should have it enabled by default.
These days it is basically required to run Matomo over SSL for anyone using Matomo seriously. This will also help users achieve GDPR compliance #12600 as it's essential to use HTTPS for Matomo and GDPR compliance.
We are also doing some work in other issues:
- #7279 New system check to warn users if force_ssl is not yet enabled
- #7366 Tracking code could use HTTPS when the Piwik server is configured to force SSL connections
Here the proposed solution is that during installation (maybe even in the very first screen?) we would display a new checkbox "[x] Use HTTPS for secure data transfer with Matomo"
- if user is already using HTTPS, then auto-tick the box
- if user is using HTTP, we could maybe check and issue an HTTPS connection to check the index.php or the API replies correctly. If the HTTPS response is good, then we could also auto-tick the box.
- if the HTTPS check didn't pass, we could display a message "Warning: please configure your Matomo instance so that connections succeed over HTTPS at https://example.com/ \n In case you do not yet have an SSL certificate for your domain, we recommend you use (or ask your technical team to use) Let's Encrypt to generate free SSL certificates".
Initially suggested by @sgiehl in https://github.com/matomo-org/matomo/issues/7279#issuecomment-75618484
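
A sketch of the install-time check proposed above, added here as an example and not taken from Matomo's code. The function names, the timeouts and the rule that an HTTP 200 reply means "replies correctly" are assumptions.

```php
<?php
// Added illustration, not Matomo code; all function names are hypothetical.

// True only when this request itself arrived over TLS. X-Forwarded-Proto is
// ignored here: without a trusted proxy it is client-controlled.
function requestIsHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Probe https://<host>/index.php with full certificate validation.
// Assumption: an HTTP 200 answer counts as "replies correctly".
function httpsProbeSucceeds(string $host): bool
{
    if (!filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        return false; // never build a URL from a malformed Host value
    }
    $ch = curl_init('https://' . $host . '/index.php');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no downgrade to http://
        CURLOPT_FOLLOWLOCATION => false, // a redirect is not a working HTTPS site
        CURLOPT_SSL_VERIFYPEER => true,  // reject untrusted or expired chains
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return $body !== false && curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
}

// Returns the initial checkbox state plus the warning to show, if any.
function httpsCheckboxState(array $server, string $host, ?callable $probe = null): array
{
    $probe = $probe ?? 'httpsProbeSucceeds';
    if (requestIsHttps($server) || $probe($host)) {
        return ['ticked' => true, 'warning' => null];
    }
    return ['ticked' => false, 'warning' => 'Warning: please configure your Matomo '
        . "instance so that connections succeed over HTTPS at https://$host/"];
}

// Constructed inputs; the probe is stubbed so the demo runs offline.
$failingProbe = function (string $host): bool { return false; };
var_dump(httpsCheckboxState(['HTTPS' => 'on'], 'example.com', $failingProbe)['ticked']);
var_dump(httpsCheckboxState([], 'example.com', $failingProbe)['warning']);
```

The warning string embeds the host name, so it should be HTML-escaped when rendered, since the host may originate from the request's Host header.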