@tsteur opened this Issue on April 20th 2020 Member

This would better protect the token_auth and same would apply for app specific tokens and tracking requests.

It probably wouldn't apply to the temporary token_auth used in the API which is bound to a session (in Matomo 4) so features like export should still work.

I guess limiting to HTTPS requests only would probably already work by forcing HTTPS. The improvement be basically mostly that it guarantees the token doesn't end up in access logs.

Powered by GitHub Issue Mirror