@daniel-lerch opened this Issue on February 12th 2022

I would like to have an option for Matomo only to count tracking requests send as POST.

Summary

The official HTTP standard specifies GET requests as safe. However, GET requests to the Matomo tracking API actually change the server state. The suitable request for this case is POST.

Surely there are many use cases for tracking where GET requests are absolutely necessary but especially for mobile apps it would be better to count only post requests to prevent counting bot visitors by virus scanners, etc. All websites which use the JavaScript tracker could also enable this restriction.

The option track only POST requests should be per site and Matomo could either return 200 OK and do nothing or return 405 Method Not Allowed when it receives a GET request to the tracking API.

Your Environment

  • Matomo Version: 4.7.1
  • PHP Version: 8.0.15
  • Server Operating System: Docker
  • Additionally installed plugins: MobileAppMeasurable
@bx80 commented on February 13th 2022 Contributor

Hi @daniel-lerch, thanks for contacting us.

There is an option available for the javascript tracker called setRequestMethod which will only send tracking requests as type POST. This can be added to the tracking code per site with _paq.push(["setRequestMethod", "POST"]); This should provide the behaviour you need, but if not let us know :slightly_smiling_face:

@daniel-lerch commented on February 14th 2022

@bx80 I actually thought about a server sided option which marks all GET requests as Bots and does not count them. If you do not want such an option to be added to Matomo, I will try to achieve that via NGINX configuration.

@sgiehl commented on February 14th 2022 Member

@daniel-lerch There are actually also downsides of using post requests only. Post won't contain the data when logged in the access log, which makes it impossible to replay the tracking if that would ever be required.
Nevertheless I agree that in some cases it might make sense to restrict the tracking to POST only.
I'm not sure if we will be adding that to Matomo core. Nevertheless it should be possible to implement that using a custom plugin.
I'll reopen the issue, so we can see if maybe more people would be interested in that.

@daniel-lerch commented on February 14th 2022

@sgiehl Logging is an important concern but as far as I understand Matomo's tracking API POST requests do not contain data in their request body as it is sent as query string like:

POST /matomo.php?idsite=1&rec=1&url=https%3A%2F%2Fexample.com HTTP/1.1
Content-Length: 0
...

In this case logs would contain all data and could be replayed. Is there another mode accepting form encoded data or JSON via POST that I am not aware of?

@sgiehl commented on February 14th 2022 Member

Actually there is both. You can send the tracking parameters as form encoded data or in case of bulk tracking it's send as json.
Both might be done by the javascript tracker.

Powered by GitHub Issue Mirror