I would like to have an option for Matomo only to count tracking requests send as POST
.
The official HTTP standard specifies GET
requests as safe. However, GET
requests to the Matomo tracking API actually change the server state. The suitable request for this case is POST
.
Surely there are many use cases for tracking where GET
requests are absolutely necessary but especially for mobile apps it would be better to count only post requests to prevent counting bot visitors by virus scanners, etc. All websites which use the JavaScript tracker could also enable this restriction.
The option track only POST requests should be per site and Matomo could either return 200 OK
and do nothing or return 405 Method Not Allowed
when it receives a GET
request to the tracking API.
Hi @daniel-lerch, thanks for contacting us.
There is an option available for the javascript tracker called setRequestMethod
which will only send tracking requests as type POST
. This can be added to the tracking code per site with _paq.push(["setRequestMethod", "POST"]);
This should provide the behaviour you need, but if not let us know :slightly_smiling_face:
@bx80 I actually thought about a server sided option which marks all GET requests as Bots and does not count them. If you do not want such an option to be added to Matomo, I will try to achieve that via NGINX configuration.
@daniel-lerch There are actually also downsides of using post requests only. Post won't contain the data when logged in the access log, which makes it impossible to replay the tracking if that would ever be required.
Nevertheless I agree that in some cases it might make sense to restrict the tracking to POST only.
I'm not sure if we will be adding that to Matomo core. Nevertheless it should be possible to implement that using a custom plugin.
I'll reopen the issue, so we can see if maybe more people would be interested in that.
@sgiehl Logging is an important concern but as far as I understand Matomo's tracking API POST requests do not contain data in their request body as it is sent as query string like:
POST /matomo.php?idsite=1&rec=1&url=https%3A%2F%2Fexample.com HTTP/1.1
Content-Length: 0
...
In this case logs would contain all data and could be replayed. Is there another mode accepting form encoded data or JSON via POST that I am not aware of?