set noindex,nofollow option for all pages apart from login page #8058

Merged
merged 1 commit into from Jun 8, 2015

tsteur (Member) commented Jun 8, 2015

fixes #6552

I tried to write a UI test to check for meta tags but failed after 2 hours. E.g. I couldn't make the Installation tests work on my local server since the fixture installation fails, and I couldn't write an assert for selectors.

I reckon it would be okay without tests but if someone wants to have tests I will go back to this.

tsteur added the not-in-changelog and Needs Review labels Jun 8, 2015
mattab pushed a commit that referenced this pull request Jun 8, 2015: set noindex,nofollow option for all pages apart from login page
mattab merged commit 51ab955 into master Jun 8, 2015
mattab added this to the 2.14.0 milestone Jun 8, 2015
mattab added a commit that referenced this pull request Jun 8, 2015
tsteur deleted the 6552 branch June 13, 2015 22:48
hpvd commented Oct 28, 2015

as commented in #6552:

just wanted to comment on mattab's comment above:
"it's good to index the login pages of Piwik (for example they link to piwik.org)"

of course from an SEO point of view (backlinks) I could understand that.

From a security point of view an easy to find login page is not that great.
One could e.g. easily do the following thing - FULLY AUTOMATED:

  1. search for login page
  2. start brute force attack
  3. when you are successful: look for ecommerce
  4. extract /download everything
  5. make a database of ecommerce data
  6. sell it to everyone (competitors)

on other systems there is a great effort to hide the login page with the following:

  • of course for every visitor: noindex, nofollow, noarchive
  • have a possibility to easily change the login url within the backend

so I would strongly vote for noindex, nofollow, noarchive also for the login page
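
An added example, not part of the thread or of Piwik's code: a check that reports which of the robots directives named in the comment above a page fails to set, reading both `<meta name="robots">` tags and the `X-Robots-Tag` response header. The function names and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

REQUIRED = {"noindex", "nofollow", "noarchive"}  # directives named in the comment above


class RobotsMetaParser(HTMLParser):
    """Collects directives from every <meta name="robots" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "robots":
            self.directives |= split_directives(attr.get("content", ""))


def split_directives(value):
    """Normalise a comma-separated directive list; 'none' means noindex+nofollow."""
    found = {d.strip().lower() for d in value.split(",") if d.strip()}
    if "none" in found:
        found |= {"noindex", "nofollow"}
    return found


def missing_directives(html, headers=None, required=REQUIRED):
    """Return the required directives set by neither the markup nor X-Robots-Tag."""
    parser = RobotsMetaParser()
    parser.feed(html)
    parser.close()
    found = set(parser.directives)
    for name, value in (headers or {}).items():
        # A header scoped to one crawler ("googlebot: noindex") is not counted.
        if name.lower() == "x-robots-tag":
            found |= split_directives(value)
    return sorted(set(required) - found)


# Constructed sample responses (not taken from Piwik's templates).
PAGES = {
    "login": ("<html><head><title>Sign in</title></head><body></body></html>", {}),
    "dashboard": ('<head><META NAME="Robots" CONTENT="NOINDEX, nofollow"></head>', {}),
    "api": ("<html></html>", {"X-Robots-Tag": "none, noarchive"}),
}


def audit(pages=PAGES):
    return {name: missing_directives(html, hdrs) for name, (html, hdrs) in pages.items()}
```
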

hpvd commented Oct 28, 2015

other impact possibilities for non-ecommerce sites:
some piwik users set visitor names similar to those used in their forum..
so the steps are the following:

  1. search for piwik login page
  2. start brute force attack
  3. when you are successful: look for uncommon visitor names
  4. extract /download the names (e.g. from visitorlog)
  5. make a database of these
  6. go to forum page
  7. use brute force again to get in with several usernames
  8. spam forum...

so not only ecommerce sites may be affected

tsteur (Member, Author) commented Oct 28, 2015

👍 maybe create a new issue for this? The privacy of users should be above possible benefits for Piwik (and the benefits are not even very clear if it is a clear benefit since a couple of people say it's not that much of a benefit anymore).

@wishsimply

Hmm.. could you @tsteur open the new issue? I am a bit confused why the login page should be left out, and why this has not already been implemented, as there have been requests for it since 2009 (https://forum.matomo.org/t/exclude-piwik-from-being-indexed-by-search-engines/363) and also another issue (#6552) since 2014 with commits for it, and you have already been testing it.

Or can you reopen this or the other issue (6552)?
