security ideas from 3rd party #9111
Labels
answered
For when a question was asked and we referred to forum or answered it.
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Just found these ideas regarding optimisation of the security of Piwik.
Since these are very specific and not only general ones, we should be glad to have got them for free and should really think about each single one.
Here they are:
...............................................
...My suggestions to you are as follows:
It seems some Piwik installations used to be OK some time ago but for some reason (maybe changes/updates on a server) seem to have become broken. In such situations, I would suggest not revealing server information on the Piwik Admin website.
In general, I would rather suggest storing such information in log-files instead of displaying them so that they can only be accessed with appropriate privileges.
I would suggest splitting/separating the API URL from the Administration and Statistics URL. That would also support the use of .htaccess protection for the Admin and/or Statistics part of Piwik.
I would definitely recommend adding the noindex, nofollow meta tags as mentioned in your blog, but I would also suggest placing an initial robots.txt file on the webserver root if it doesn’t exist, or adding lines to it if it does. Both at least hide Piwik from search engines (even though not all engines regard those, Google does and was the main source of my findings).
If one or all of the above would be too difficult or not yet possible, at least place some big warnings in your setup documentation or setup UI (like you already do for other purposes).
...............................................
Source: http://networktoolbox.de/again-about-piwik/
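As an added example of the robots.txt step suggested above (this is not Piwik/Matomo code): a small Python routine that creates robots.txt content when there is none, or adds a `Disallow` line for the Piwik path to the right `User-agent` group of an existing file without disturbing other rules, and does nothing when the line is already there. The install path `/piwik/` and the sample files are assumptions.

```python
"""Idempotently add `Disallow: <piwik path>` to robots.txt content.

A group is one or more User-agent lines followed by its rules and ends at
the next User-agent line (RFC 9309). Comments after '#' are ignored.
"""
import re

_DIRECTIVE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(.*?)\s*$")


def _directive(line):
    """Return (name, value) for a robots.txt line, or None for blank/comment."""
    m = _DIRECTIVE.match(line.split("#", 1)[0])
    return (m.group(1).lower(), m.group(2)) if m else None


def _name(line):
    d = _directive(line)
    return d[0] if d else ""


def _groups(lines):
    """Yield (start, end, agents) for every User-agent group in the file."""
    i, n = 0, len(lines)
    while i < n:
        if _name(lines[i]) != "user-agent":
            i += 1
            continue
        start, agents = i, []
        while i < n and _name(lines[i]) == "user-agent":
            agents.append(_directive(lines[i])[1].lower())
            i += 1
        while i < n and _name(lines[i]) != "user-agent":
            i += 1
        yield start, i, agents


def add_disallow(robots_txt, path="/piwik/", agent="*"):
    """Return robots_txt with `Disallow: path` in the group for `agent`.

    Creates the group (or the whole file) if missing; existing rules stay.
    """
    lines = robots_txt.splitlines()
    for start, end, agents in _groups(lines):
        if agent.lower() not in agents:
            continue
        if ("disallow", path) in [(_directive(l) or ("", "")) for l in lines[start:end]]:
            break  # already present, return the text unchanged
        pos = start  # insert right after the group's last Allow/Disallow line
        for idx in range(start, end):
            if _name(lines[idx]) in ("user-agent", "allow", "disallow"):
                pos = idx + 1
        lines.insert(pos, f"Disallow: {path}")
        break
    else:  # no group for this agent: append one, blank-line separated
        if lines and lines[-1].strip():
            lines.append("")
        lines += [f"User-agent: {agent}", f"Disallow: {path}"]
    return "\n".join(lines) + "\n"
```

Constructed input such as `"User-agent: *\nDisallow: /admin/\n\nSitemap: https://example.com/sitemap.xml\n"` gains `Disallow: /piwik/` directly under the existing rule, and a second call leaves the result untouched.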