Currently we recommend to make the matomo.js tracker file writable by the web server user, otherwise we display a warning in "Diagnostics":

The Matomo JavaScript tracker file "/matomo.js" & "/piwik.js" is not writable which means other plugins cannot extend the JavaScript tracker. In the future even some core features might not work as expected. We recommend to make "/matomo.js" & "/piwik.js" writable by running this command:

As reported in matomo-org/matomo-package#109 having core Matomo files as read-only would be a plus for security for some users. In particular, when the same server hosts other apps and one of these other apps gets attacked, then at least the attacker wouldn't be able to serve malicious JS via Matomo.

It can actually already be implemented by following these steps:

• make the file non writable by the webserver user (which will trigger the warning in diagnostics)
• but make the file writable by the crontab user
• setup a crontab to run every hour that will execute the command: php path/to/matomo console custom-matomo-js:update <- this crontab will re-generate the matomo.js tracker file when needed (for example after upgrading plugins that define a JS tracker file, or after installing a new plugin that has a tracker js file).

So maybe what we could do to eventually "solve" this issue would be to:

• Document this possible security enhancement in a FAQ and maybe mention it in https://matomo.org/docs/security/
• Update the logic in the diagnostic and do not issue a Warning, when the tracker JS file is not writable but was recently modified (eg. less than 2 hours ago) which would indicate that the steps above were implemented?