Add ability to only allow tokens to be POSTed #235 #19234
Labels: duplicate
Currently, users can pass the `token_auth` for the API using a GET or POST token. For better security, we should have an option to not accept `token_auth` via URL parameters.

Exception: This would only apply to API requests that aren't coming from the UI. That means if there is an API request that has the `force_api_session` parameter AND it is the session `token_auth` (not a regular `token_auth`), then it can still be in the URL if the API action starts with `get*`.
--> This might be already implemented, to be checked. This way, for example, the export in the UI still works nicely. Also for these requests it's less of a security issue if the `token_auth` appears in logs, as they aren't usable without the session ID.

How this feature could work:

From Matomo 6
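The policy described in the issue, written out as an added example (not Matomo's own code): a token taken from the POST body is always accepted, a token in the URL is refused unless the request carries `force_api_session`, the token is a session token, and the API action (the `method=Module.action` query parameter) starts with `get`. The `Request` layout, the `SESSION_TOKENS` set and the `is_session_token` helper are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumption, not Matomo's class)."""
    method: str
    query: dict = field(default_factory=dict)  # URL parameters
    body: dict = field(default_factory=dict)   # POST form fields


# Constructed sample data: tokens that belong to a logged-in UI session.
SESSION_TOKENS = {"sess-abc123"}


def is_session_token(token: str) -> bool:
    """Hypothetical lookup: is this a session token rather than a regular one?"""
    return token in SESSION_TOKENS


def extract_token_auth(req: Request, reject_url_token: bool = True) -> Optional[str]:
    """Return the token_auth to authenticate with, or None if the request must be refused.

    reject_url_token=False keeps the old behaviour (token accepted from the URL).
    """
    # A token sent in the POST body is always fine: it does not end up in
    # access logs, browser history or referrer headers.
    if req.method == "POST" and "token_auth" in req.body:
        return req.body["token_auth"]

    token = req.query.get("token_auth")
    if token is None:
        return None
    if not reject_url_token:
        return token

    # Exception from the issue: UI-originated requests (force_api_session +
    # session token) may keep the token in the URL for read-only get* actions,
    # since such a token is useless without the accompanying session cookie.
    action = req.query.get("method", "").split(".")[-1]
    ui_request = (
        req.query.get("force_api_session") == "1"
        and is_session_token(token)
        and action.startswith("get")
    )
    return token if ui_request else None
```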