
security ideas from 3rd party #9111

Closed
hpvd opened this issue Oct 28, 2015 · 1 comment
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@hpvd

hpvd commented Oct 28, 2015

just found these ideas regarding optimisation of security of piwik.
Since these are very specific and not only general ones, we should be glad to get them for free and should really think about each single one:

  • do they fit the latest piwik version?
  • is there a good reason why it's not a good idea to follow them?
  • do we have better ideas?
  • open a new ticket for each accepted one.

here they are:
...............................................
...My suggestions to you are as follows:

  1. It seems some Piwik installations used to be ok some time ago but for some reasons (maybe changes/updates on a server) seem to get broken. In such situations, I would suggest to not reveal server information on the Piwik Admin website.

  2. In general, I would rather suggest storing such information in log-files instead of displaying them so that they can only be accessed with appropriate privileges.

  3. I would suggest to split/separate the API URL from the Administration and Statistics URL. That would also support the use of .htaccess protection to the Admin and/or Statistics part of Piwik.

  4. I would definitely recommend to add the noindex, nofollow metatags as mentioned in your blog but I would also suggest to place an initial robots.txt file on the webserver root if it doesn’t exist or add lines to it if it exists. Both at least hide Piwik from search engines (even though not all engines regard those but Google does and was the main source of my findings)

  5. If one or all of the above would be too difficult or not yet possible, at least place some big warnings in your setup documentation or setup UI (like you already do for other purposes)
...............................................
source http://networktoolbox.de/again-about-piwik/
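Suggestion 4 above (robots meta tags plus a robots.txt that is created if missing or extended if present) as an added Python example; this is not code from the issue, the quoted post, or Piwik itself. It checks a page for the `noindex, nofollow` robots meta tag using the standard-library HTML parser, checks a robots.txt text with `urllib.robotparser` the way a cooperating crawler would, and produces a robots.txt that keeps crawlers out of the install path. The install path `/piwik/` and the sample documents are constructed for the example.

```python
"""Audit and repair search-engine exclusion for a Piwik/Matomo install.

Added example for suggestion 4 of the quoted list: robots meta tag check,
robots.txt check, and robots.txt creation/extension. The install path and
the sample documents are constructed assumptions, not values from Piwik.
Note that robots.txt only keeps out crawlers that honour it; it is hiding,
not access control.
"""
import urllib.robotparser
from html.parser import HTMLParser

PIWIK_PATH = "/piwik/"  # assumed install path (constructed for the example)


class _RobotsMetaParser(HTMLParser):
    """Collect the directives of every <meta name="robots" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").lower() == "robots":
            self.directives.update(
                d.strip().lower() for d in attrs["content"].split(",") if d.strip()
            ) if "content" in attrs else None


def page_blocks_indexing(html):
    """True iff the page asks crawlers for both noindex and nofollow."""
    parser = _RobotsMetaParser()
    parser.feed(html)
    return {"noindex", "nofollow"} <= parser.directives


def robots_txt_blocks(robots_txt, path=PIWIK_PATH, agent="*"):
    """True iff the robots.txt text disallows `path` for `agent`."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())  # parse() marks the file as read
    return not rp.can_fetch(agent, path)


def _is_user_agent_line(line):
    return line.split(":", 1)[0].strip().lower() == "user-agent"


def _is_wildcard_agent_line(line):
    return _is_user_agent_line(line) and \
        line.split(":", 1)[1].split("#", 1)[0].strip() == "*"


def ensure_robots_rule(robots_txt, path=PIWIK_PATH):
    """Return robots.txt text that disallows `path` for all crawlers.

    Missing/empty file -> a fresh wildcard group. Existing wildcard group ->
    the Disallow line is added to that group (after its User-agent lines, so
    no group is split). Otherwise a new wildcard group is appended.
    """
    if not robots_txt or not robots_txt.strip():
        return f"User-agent: *\nDisallow: {path}\n"
    if robots_txt_blocks(robots_txt, path):
        return robots_txt  # already hidden; leave the file untouched
    lines = robots_txt.splitlines()
    rule = f"Disallow: {path}"
    for i, line in enumerate(lines):
        if _is_wildcard_agent_line(line):
            j = i + 1
            while j < len(lines) and _is_user_agent_line(lines[j]):
                j += 1
            lines.insert(j, rule)
            break
    else:
        lines.extend(["", "User-agent: *", rule])
    return "\n".join(lines) + "\n"


# Constructed sample documents for a stand-alone run.
SAMPLE_ADMIN_PAGE = """<!DOCTYPE html><html><head>
<meta charset="utf-8">
<meta name="robots" content="noindex, nofollow">
<title>Piwik</title></head><body></body></html>"""

SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /admin/\n"


def audit(html, robots_txt, path=PIWIK_PATH):
    """Summarise both checks and the robots.txt that would fix the second."""
    return {
        "meta_ok": page_blocks_indexing(html),
        "robots_ok": robots_txt_blocks(robots_txt, path),
        "robots_fixed": ensure_robots_rule(robots_txt, path),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ADMIN_PAGE, SAMPLE_ROBOTS_TXT).items():
        print(f"{key}: {value!r}")
```

`ensure_robots_rule` is idempotent: running it on its own output returns the text unchanged, which makes it safe to run from a deployment script on every install or upgrade.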

@mattab
Member

mattab commented Dec 23, 2015

let's create a separate issue for the security suggestions. Existing security issues are listed here: https://github.com/piwik/piwik/labels/c%3A%20Security

@mattab mattab closed this as completed Dec 23, 2015
@mattab mattab added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. answered For when a question was asked and we referred to forum or answered it. labels Dec 23, 2015