It seems that piwik does not automatically redirect to https.
Shouldn't that be done to increase safety? Protect the login credentials as well as all that sensitive user data...
Add force_ssl = 1 under [General] section of config.ini.php.
So, what's the reason that is not set by default?
Many users don't have SSL on their servers, unfortunately.
What about adding a checkbox in the installer to enable SSL forcing? And if Piwik is installed using https we could check that option by default.
I understand that not everyone has SSL available.
That's why I titled it "if available".
The code to switch over IF AVAILABLE would be fairly easy, I guess, looking at the gained security.
That's a good point, reopening!
Current detection code is here: https://github.com/piwik/piwik/blob/master/core/FrontController.php#L516-L538
@sirtet how can you "detect" that, without performance loss?
Idea 1) Make a request with https and see if you have a valid response....
Idea 2) ???
how can you "detect" that, without performance loss?
No idea, I am not a coder, unfortunately.
I guess it needs to be detected only once, on install, and then force it.
Or are there any use-cases where someone explicitly wants to opt-out from security that is there, and use http instead of https?
The problem with detecting it once is that maybe it works today, but in 2 months the SSL will be broken. Redirecting to SSL would break Piwik in this case. But maybe it's acceptable for added security...
See also the related issue: https://github.com/piwik/piwik/issues/7366#issuecomment-215306266
Instead of detecting and redirecting to SSL, we should rather add a new system check to issue a warning when force_ssl is not used; this will help users work to enable SSL on their Piwik server (updated ticket title).
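As an added example (not Piwik's code, and not the FrontController detection logic linked above), here is how the two mechanisms discussed in this thread could look in PHP: a force_ssl redirect that first decides whether the request already arrived over HTTPS, and a system check that warns when force_ssl is off. The config array shape follows config.ini.php's `[General] force_ssl = 1`; the trusted-proxy list, the trusted-host list and all function names are assumptions. The one caveat worth showing is that `X-Forwarded-Proto` is only honoured when the direct peer is a known proxy, otherwise any client can claim HTTPS and skip the redirect.

```php
<?php
// Added example, not Piwik's own code. Config shape mirrors config.ini.php
// ([General] force_ssl = 1); trusted proxies, trusted hosts and function
// names are assumptions made for this illustration.

/**
 * Decide whether the current request arrived over HTTPS.
 * X-Forwarded-Proto is only trusted when REMOTE_ADDR is a known proxy;
 * otherwise a plain-HTTP client could set the header and dodge the redirect.
 */
function requestIsHttps(array $server, array $trustedProxies = []): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https';
    }
    return false;
}

/** Read [General] force_ssl from an array as returned by parse_ini_file(). */
function forceSslEnabled(array $config): bool
{
    return isset($config['General']['force_ssl'])
        && (int) $config['General']['force_ssl'] === 1;
}

/**
 * Return the https:// URL to redirect to, or null when no redirect is needed.
 * The host comes from the Host header, so it is checked against a configured
 * allow-list before being used to build a Location target.
 */
function httpsRedirectTarget(
    array $config,
    array $server,
    array $trustedHosts,
    array $trustedProxies = []
): ?string {
    if (!forceSslEnabled($config) || requestIsHttps($server, $trustedProxies)) {
        return null;
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $trustedHosts, true)) {
        return null; // refuse to redirect to a host we do not recognise
    }
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

/** System-check style warning: a message when force_ssl is off, else null. */
function forceSslWarning(array $config): ?string
{
    if (forceSslEnabled($config)) {
        return null;
    }
    return 'force_ssl is not enabled: login credentials and reports can travel '
         . 'over plain HTTP. Set force_ssl = 1 under [General] in config.ini.php '
         . 'once HTTPS is working on this server.';
}

// Constructed sample request: plain HTTP from a non-proxy peer that sends a
// forged X-Forwarded-Proto header. The header must be ignored here.
$config = ['General' => ['force_ssl' => 1]];
$server = [
    'HTTPS'                  => '',
    'HTTP_HOST'              => 'analytics.example.org',
    'REQUEST_URI'            => '/index.php?module=Login',
    'REMOTE_ADDR'            => '203.0.113.10',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
$trustedProxies = ['10.0.0.5'];
$trustedHosts   = ['analytics.example.org'];

$target = httpsRedirectTarget($config, $server, $trustedHosts, $trustedProxies);
echo ($target ?? 'no redirect needed'), PHP_EOL;

// The same check run against a config with force_ssl missing.
echo (forceSslWarning(['General' => []]) ?? 'force_ssl is on'), PHP_EOL;

// In a front controller the redirect itself would be issued as:
// header('Location: ' . $target, true, 301); exit;
```

The redirect and the warning share `forceSslEnabled()`, so the system check proposed at the end of the thread and the redirect that `force_ssl = 1` already performs agree on what "enabled" means. Building the Location target only from an allow-listed Host header avoids turning the redirect into an open redirect driven by whatever host name a client supplies.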