The security check fails, but security files have been generated.
We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.
We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.
If I run ./console diagnostics:run I get "Unable to test if mod_pagespeed is enabled: the request to http://unknown/./console?module" what seems to be a known bug since 2017. No idea how to solve this.
@alexhass the mod_pagespeed log can be ignored in this case. You might just want to manually check if mod_pagespeed is enabled or not.
If I understand correctly then some of the URLs are accessible via the browser, but they should NOT be. Which web browser are you using?
I habe an apache2 machine on debian9. I used the linked article to fix the issue, but it seems not working. Htaccess is allowed to change all settings. I guess your permission files are not working well.
Hi @alexhass we haven't had any problems there otherwise in the past and it seems to work in general. Can you check
.htaccessfiles were actually created? Like does eg
mod_authis not enabled.
Same here. I use Matomo within Docker and the
.htaccess files have been created. But still the security check fails.
If I try to access these paths with my browser I get an 403.
Why does the security check doesn't recognize the 403 status code?