Add new feature to allow token_auth only in POST and HTTPS requests #15833

Open

tsteur opened this issue Apr 20, 2020 · 0 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

tsteur (Member) commented Apr 20, 2020

This would better protect the token_auth and same would apply for app specific tokens and tracking requests.

It probably wouldn't apply to the temporary token_auth used in the API which is bound to a session (in Matomo 4) so features like export should still work.

I guess limiting to HTTPS requests only would probably already work by forcing HTTPS. The improvement would basically mostly be that it guarantees the token doesn't end up in access logs.

@tsteur tsteur added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Apr 20, 2020
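An illustration of the proposed check, added here as an example and not code from the Matomo project. It is written in Python rather than PHP so the behaviour is easy to run stand-alone. The model is the one the issue describes: a long-lived token_auth (API, app-specific or tracking token) is honoured only when it arrives in the body of a POST over HTTPS, a session-bound temporary token is exempt, and a request-line helper shows why a token in the URL ends up in the web server's access log while one in a POST body does not. The `Request` class, its `session_token` and `forwarded_proto` fields, and the `strict` / `trust_proxy_headers` switches are assumptions for this example, not Matomo configuration; the sample requests are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit


class TokenSource(Enum):
    QUERY = "query"      # ?token_auth=... in the URL
    BODY = "body"        # token_auth=... in a form-encoded POST body
    SESSION = "session"  # temporary token bound to a logged-in session


@dataclass
class Request:
    """Minimal request model for the example (hypothetical, not Matomo's)."""
    method: str
    url: str                               # absolute URL, scheme included
    body: str = ""                         # application/x-www-form-urlencoded
    forwarded_proto: Optional[str] = None  # X-Forwarded-Proto set by a reverse proxy
    session_token: Optional[str] = None    # token tied to the session cookie, if any


def effective_scheme(req: Request, trust_proxy_headers: bool = False) -> str:
    """Scheme the client actually used. Behind a TLS-terminating proxy the
    origin sees plain http, so X-Forwarded-Proto is honoured only when the
    deployment explicitly marks the proxy as trusted."""
    if trust_proxy_headers and req.forwarded_proto:
        return req.forwarded_proto.lower()
    return urlsplit(req.url).scheme.lower()


def find_token(req: Request) -> Tuple[Optional[str], Optional[TokenSource]]:
    """Locate a token, checking the least-exposed source first."""
    if req.session_token:
        return req.session_token, TokenSource.SESSION
    if req.method.upper() == "POST":
        body = parse_qs(req.body).get("token_auth")
        if body:
            return body[0], TokenSource.BODY
    query = parse_qs(urlsplit(req.url).query).get("token_auth")
    if query:
        return query[0], TokenSource.QUERY
    return None, None


def accepted_token(req: Request, strict: bool = True,
                   trust_proxy_headers: bool = False) -> Optional[str]:
    """Return the token the request may authenticate with, or None.

    strict=False models today's behaviour: any source, any method, any scheme.
    strict=True models the proposed option: a long-lived token_auth is honoured
    only from a POST body over HTTPS; session-bound tokens are exempt so browser
    features such as export keep working.
    """
    token, source = find_token(req)
    if token is None:
        return None
    if not strict or source is TokenSource.SESSION:
        return token
    if source is TokenSource.BODY and effective_scheme(req, trust_proxy_headers) == "https":
        return token
    return None


def request_line(req: Request) -> str:
    """The request-line field a web server writes to its access log
    (common/combined log format): method, path plus query string, version."""
    parts = urlsplit(req.url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f"{req.method.upper()} {target} HTTP/1.1"


def token_logged(req: Request, token: str) -> bool:
    """True when the token would appear verbatim in the access log line."""
    return token in request_line(req)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    leaky = Request("GET", "https://matomo.example/index.php?module=API"
                           "&method=API.getMatomoVersion&token_auth=abc123")
    safe = Request("POST", "https://matomo.example/index.php?module=API"
                           "&method=API.getMatomoVersion", body="token_auth=abc123")
    print(request_line(leaky), "-> logged:", token_logged(leaky, "abc123"))
    print(request_line(safe), "-> logged:", token_logged(safe, "abc123"))
    print("accepted:", accepted_token(leaky), accepted_token(safe))
```

Two caveats the check has to get right in a real deployment: behind a TLS-terminating proxy the application only sees `http`, so the HTTPS requirement must read the proxy's forwarded-proto header and only from a proxy the operator trusts; and `strict` should be an explicit opt-in, because existing integrations that pass `token_auth` in the query string stop authenticating the moment it is turned on.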