default config: api_service_url to use https #8235
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Current download of piwik 13.x comes along with global.ini.php including
This should be changed to https asap, because MITM could compromise the api output otherwise (keep in mind that the output is presented to user including links, update information etc.)
This issue (#1867) was already discussed 5 years ago. Now that the https API has been available for a long time, you should default to it. It is 2015 now and attackers use every possibility they can find.
Via MITM, it potentially compromises all the nice automatic update, can be used for phishing attacks, ...
Users should be recommended to use https if they have overridden the global.ini.php default.
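A check for the override case raised above, as an added example that is not part of the original issue or the project's code: it works out the effective `api_service_url` from the shipped defaults and a user override and flags a non-https value. The sample file contents, the `[General]` section name, the `example.org` hosts and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

KEY = "api_service_url"

def read_setting(ini_text, key=KEY):
    """Return the last value assigned to `key` in INI text, or None if unset."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments (including a "; <?php exit; ?>" guard line)
        # and section headers; the key is matched in any section.
        if not line or line.startswith((";", "#", "[")):
            continue
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest.strip().strip("\"'")
    return value

def effective_api_url(global_ini, config_ini=""):
    """A value in the user's config.ini.php wins over global.ini.php."""
    override = read_setting(config_ini)
    if override is not None:
        return override, "config.ini.php"
    return read_setting(global_ini), "global.ini.php"

def audit(global_ini, config_ini=""):
    """Return a finding string if the effective URL is not https, else None."""
    url, source = effective_api_url(global_ini, config_ini)
    if url is None:
        return f"{KEY} not set"
    if urlsplit(url).scheme.lower() != "https":
        return f"{source}: {KEY} = {url} is not https"
    return None

# Constructed sample inputs (hosts are placeholders, not values from the issue).
GLOBAL_SAMPLE = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
api_service_url = http://api.example.org
"""
USER_OVERRIDE_HTTPS = '[General]\napi_service_url = "https://api.example.org"\n'
USER_OVERRIDE_HTTP = "[General]\napi_service_url = http://mirror.example.org\n"

if __name__ == "__main__":
    cases = [("default only", ""), ("https override", USER_OVERRIDE_HTTPS),
             ("http override", USER_OVERRIDE_HTTP)]
    for label, cfg in cases:
        print(label, "->", audit(GLOBAL_SAMPLE, cfg) or "ok")
```

The third case is the one the last sentence of the issue is about: changing the shipped default does not help an installation whose own override still points at plain http.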