@justinvelluppillai opened this Issue on April 12th 2022 Member

This applies to all api.matomo.org and plugins.matomo.org calls.

  1. First we add a new required system check showing to users if the connection over HTTPS works or not for these endpoints. If it doesn't work, then there should be an error shown explaining that we will soon switch to HTTPS by default. They should either make HTTPS work or disable HTTPS (see next item). We should mention the consequences of not fixing this issue (eventually won't receive any updates anymore big security issue for sure, and using HTTP is a minor security issue that someone could pretend there is no longer an update available)

  2. We introduce a setting to force HTTP instead of HTTPS as some people won't be able to change their PHP either because the hoster doesn't allow it or because they aren't technical enough etc.

  3. Create an FAQ about how to make HTTPS work or disable HTTPS and link to it in the system check error message in 1 above.

@justinvelluppillai commented on May 17th 2022 Member

@peterhashair did number 3 get done also regarding creating or updating the FAQs? Be good to link to that in this issue for completeness when done.

@peterhashair commented on July 12th 2022 Contributor
@peterhashair commented on July 14th 2022 Contributor

reopen this issue, as we discussed, not to force users to use HTTPS at this stage, only a warning message. In the next stage we will force HTTPS connections. Ref Here: https://github.com/matomo-org/matomo-security/issues/195

@sgiehl commented on August 1st 2022 Member

removing from 4.11. milestone, as the remaining tasks will be solved in a later verion.

Powered by GitHub Issue Mirror