Use HTTPS by default for connections to matomo.org (with working fallback to HTTP requiring super user edit the INI config) #19081
Labels
c: Documentation
For issues related to in-app product help messages, or to the Matomo knowledge base.
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Enhancement
For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Major
Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
Milestone
Remaining steps
Initial issue
This applies to all api.matomo.org and plugins.matomo.org calls.
DONE First we add a new required system check showing to users if the connection over HTTPS works or not for these endpoints. If it doesn't work, then there should be an error shown explaining that we will soon switch to HTTPS by default. They should either make HTTPS work or disable HTTPS (see next item). We should mention the consequences of not fixing this issue (eventually won't receive any updates anymore big security issue for sure, and using HTTP is a minor security issue that someone could pretend there is no longer an update available)
We introduce a setting to force HTTP instead of HTTPS as some people won't be able to change their PHP either because the hoster doesn't allow it or because they aren't technical enough etc.
Create an FAQ about how to make HTTPS work or disable HTTPS and link to it in the system check error message in 1 above.
The text was updated successfully, but these errors were encountered: