Outbound API/Plugin URL using HTTP instead of HTTPS can cause application blocking #19735
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in GitHub.
We have a Matomo user that has configured their servers to block outbound requests that are sent over port 80 because they want to completely prevent insecure connections from being made.
When this port is blocked, several issues occur:
I found one example of where the HTTP hostname is defined instead of the HTTPS hostname:
https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Marketplace/config/config.php#L9
Potential solutions:
But in either case, the timeout seems quite high for a failed connection at 60 seconds, which means that each time that page or a page that checks an external hostname is accessed, the Matomo UI would take a minimum of 1 minute to load. It would be good if this timeout was reduced to at least not block the page from loading for such a long time.
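An audit sketch for the problem reported above, added here as an example and not Matomo code: it scans PHP source for hard-coded `http://` string literals, which are the outbound endpoints that stall when port 80 egress is blocked. The function name and the sample config keys and hosts are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# Hosts that never leave the machine, so a port-80 egress block does not affect them.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# A quoted PHP string literal (single or double quotes) that starts with http://
HTTP_LITERAL = re.compile(r"""(['"])(http://[^'"\s]+)\1""", re.IGNORECASE)


def find_plaintext_urls(php_source):
    """Return (line_number, url) for each hard-coded non-local http:// literal."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        # Skip whole-line comments: links in docblocks are not outbound requests.
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for match in HTTP_LITERAL.finditer(line):
            url = match.group(2)
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:
                host = ""  # malformed authority: still report it for manual review
            if host not in LOCAL_HOSTS:
                findings.append((lineno, url))
    return findings


# Constructed sample input (hypothetical keys and hosts, not the real Matomo config).
SAMPLE_CONFIG = """<?php
// see http://docs.example.org/ for details
return array(
    'ExampleMarketplaceApiUrl' => 'http://plugins.example.org',
    'ExampleUpdateCheckUrl' => "https://api.example.org/latest",
    'ExampleLocalProxy' => 'http://127.0.0.1:8080/',
);
"""

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the constructed sample.
    sources = sys.argv[1:] or [None]
    for path in sources:
        text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_CONFIG
        for lineno, url in find_plaintext_urls(text):
            print(f"{path or '<sample>'}:{lineno}: plaintext outbound URL {url}")
```

Each finding is a candidate for review; whether the host actually serves the same content over HTTPS has to be confirmed before changing the scheme.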