how to make matomo.js tracker file not writable by the web server user for better security #16060
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Currently we recommend making the matomo.js tracker file writable by the web server user; otherwise we display a warning in "Diagnostics":
As reported in matomo-org/matomo-package#109 having core Matomo files as read-only would be a plus for security for some users. In particular, when the same server hosts other apps and one of these other apps gets attacked, then at least the attacker wouldn't be able to serve malicious JS via Matomo.
It can actually already be implemented by following these steps:

```sh
php path/to/matomo/console custom-matomo-js:update
```

<- this crontab entry will re-generate the matomo.js tracker file when needed (for example after upgrading plugins that define a JS tracker file, or after installing a new plugin that has a tracker JS file).

So maybe what we could do to eventually "solve" this issue would be to:
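The steps above as a runnable shell example. This is added here and is not Matomo's own code nor part of the issue: it assumes Matomo is installed under `MATOMO_ROOT`, that the web server runs as `WEB_USER`, and that a separate deploy user owns the files and has a crontab; those names and the 15-minute schedule are placeholders. The check reads the permission bits only (ACLs are ignored), and the hardening step refuses to report success when the web server user is the file owner, since a compromised web process could simply chmod the file back.

```sh
#!/bin/sh
# Added example, not Matomo's own code. MATOMO_ROOT, WEB_USER and the deploy
# user are assumptions; adjust them to the actual installation.
MATOMO_ROOT="${MATOMO_ROOT:-/var/www/matomo}"
WEB_USER="${WEB_USER:-www-data}"

# tracker_writable_by FILE USER -> exit 0 if USER can write FILE according to
# the owner/group/other permission bits, 1 otherwise. Parses `ls -ld` so it
# runs on both GNU and BSD userlands; POSIX ACLs are not considered.
tracker_writable_by() {
  f="$1"; u="$2"
  line=$(ls -ld "$f") || return 1
  mode=$(printf '%s\n' "$line" | awk '{print $1}')
  owner=$(printf '%s\n' "$line" | awk '{print $3}')
  group=$(printf '%s\n' "$line" | awk '{print $4}')
  if [ "$owner" = "$u" ]; then
    pos=3                                   # owner write bit
  elif id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
    pos=6                                   # group write bit
  else
    pos=9                                   # other write bit
  fi
  [ "$(printf '%s' "$mode" | cut -c"$pos")" = "w" ]
}

# harden_tracker FILE -> make FILE read-only for everyone but its owner and
# confirm WEB_USER still cannot write it. Exits 1 when WEB_USER is the owner:
# chmod is no protection then, because a compromised web process can chmod the
# file back, so the file must first be chown'ed to the deploy user (as root).
harden_tracker() {
  f="$1"
  chmod 0644 "$f" || return 1
  if tracker_writable_by "$f" "$WEB_USER"; then
    echo "still writable by $WEB_USER: $f (owner must be the deploy user)" >&2
    return 1
  fi
  return 0
}

# cron_entry -> crontab line for the deploy user that regenerates matomo.js
# with Matomo's console command from the issue. It runs as the file owner, so
# the web server user never needs write access to the tracker file.
cron_entry() {
  printf '%s\n' "*/15 * * * * php $MATOMO_ROOT/console custom-matomo-js:update >/dev/null 2>&1"
}

# Stand-alone demo on a constructed scratch copy; no real Matomo install needed.
demo() {
  tmp=$(mktemp -d) || return 1
  printf '/* constructed stand-in for matomo.js */\n' > "$tmp/matomo.js"
  harden_tracker "$tmp/matomo.js" && echo "ok: $WEB_USER cannot write matomo.js"
  echo "crontab line for the deploy user:"
  cron_entry
  rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh harden.sh demo` (any file name; `harden.sh` is just an example) to see the check against a scratch file. In production the sequence is: `chown deploy:deploy matomo.js`, then `harden_tracker`, then install the `cron_entry` line in the deploy user's crontab so the tracker file is regenerated without the web server user ever holding write access.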