@SARAVANA1501 opened this Issue on June 17th 2020

We are hosting Matomo behind gateway service, which is capable of exposing part of matomo endpoint to internet. We need to authenticate every request by certain custom header. The token is available in website cookie which we are trying to track. Is it possible to add that token or key in every request made by matomojs?

@tsteur commented on June 17th 2020 Member

@SARAVANA1501 you mean in the JS tracking request (going eg to matomo.php endpoint?)

@SARAVANA1501 commented on June 17th 2020


@tsteur commented on June 17th 2020 Member

That's not possible just yet unless you manage to intercept these any XmlHttpRequest or maybe using service workers. Alternatively, you could create a PR that adds this feature.

@SARAVANA1501 commented on June 17th 2020

If provide a some technical detail to begin, I am glad to start.

@tsteur commented on June 17th 2020 Member

It's hard to give much technical detail there. Basically, you want to look at the js/piwik.js file.

Add some public method that can be called similar to how this.trackEvent = function (category, action, name, value, customData, callback) { is currently defined.

eg this.setCustomRequestHeader(name, value).

You'd store this in a say configCustomHeaders[name] = value.

These custom headers you would need apply to the method in sendPostRequestViaSendBeacon and sendXmlHttpRequest.

To have this working you would also need to force using POST requests by calling _paq.push(['setRequestMethod', 'POST']).

You would later configure the headers like _paq.push(['setCustomRequestHeader', 'name', 'value...']);

@Findus23 @mattab do we see any issues with allowing people to send custom headers? I suppose if there's an XSS on the site or ad blockers they could configure any random custom headers but I suppose they could also just send the XmlHttpRequest to the Matomo directly if they wanted in that case.

Wondering if this was maybe better done in a custom tracker plugin see https://developer.matomo.org/guides/enrich-js-tracker in which case I would give you different instructions @SARAVANA1501

@SARAVANA1501 commented on July 12th 2020

@Findus23 @mattab If you don’t see any issues with implementation, I will contribute to this.

@mattab commented on July 13th 2020 Member

@SARAVANA1501 sounds good, feel free to create a PR and we will review it eventually :+1: Also check to include automated tests in the file: https://github.com/matomo-org/matomo/blob/4.x-dev/tests/javascript/index.php. Thanks for your consideration!

@SARAVANA1501 commented on September 30th 2020

@tsteur What about _paq.push(['setCustomRequestHeader', 'name', 'value...']) implementation for scripts generated by tag manager?

@tsteur commented on September 30th 2020 Member

@SARAVANA1501 that could work to have this in the JS tracker. Not sure though what you mean by "for scripts generated by tag manager"?

@SARAVANA1501 commented on October 1st 2020

@tsteur While creating container in tag-manager, it is generating tracker js file. we have to configure page with container similar to below snippet


Is it possible to add similar "setCustomRequestHeader" function on these generated files?

@tsteur commented on October 1st 2020 Member

If it's added to the Matomo JS tracker in https://github.com/matomo-org/matomo/blob/4.x-dev/js/piwik.js then it will automatically also be included in the tag manager since the tag manager embeds the JS tracking code automatically.

Powered by GitHub Issue Mirror