New setting force_ssl that will ensure that Piwik is only used over https SSL #2918

Closed
mattab opened this Issue · 2 comments

@mattab
Owner

Currently, there is a setting force_ssl_login that forces the login details to be submitted over https.

However, since the token_auth is confidential, and sometimes passed in URLs (API requests, ajax requests done in the admin screens, etc.) it is desired to have a setting that would ensure that Piwik can ONLY be used over SSL.

  • when force_ssl=1 then all requests will be redirected to the https:// URL.
  • Expected: If SSL is not properly configured then Piwik will NOT work. The user can edit the config file to set force_ssl = 0 to re-enable Piwik in this case.
  • This setting is different from assume_secure_protocol
  • Also, update the How to setup secure server guide with this new setting recommendation.
@mattab
Owner

(In [5815]) Fixes #2918

  • Adding new setting force_ssl that will automatically redirect all http:// requests to the https:// equivalent. This ensures better security for the Piwik server, since the token_auth is often found in the response body or in the GET parameters.

mattab added this to the 1.7 Piwik 1.7 milestone
This issue was closed.
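
The redirect decision described in this issue, sketched as an added example (not Piwik's own code and not taken from changeset [5815]). The function name, the `$canonicalHost` parameter, the sample host and the reading of `assume_secure_protocol` as "TLS is terminated at a proxy in front" are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not Piwik's implementation.

/**
 * Return the https:// URL a request must be redirected to, or null when the
 * request may proceed.
 *
 * $server        request variables shaped like $_SERVER
 * $general       parsed [General] config values (assumed layout)
 * $canonicalHost operator-configured host name (hypothetical parameter)
 */
function forceSslRedirectTarget(array $server, array $general, string $canonicalHost): ?string
{
    if (empty($general['force_ssl'])) {
        return null; // force_ssl = 0: the escape hatch when SSL is misconfigured
    }

    // PHP sets HTTPS to a non-empty value other than "off" on TLS requests.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    $overTls = $https !== '' && $https !== 'off';

    // Assumption: assume_secure_protocol means TLS ends at a proxy in front.
    if ($overTls || !empty($general['assume_secure_protocol'])) {
        return null;
    }

    // Build the target from the configured host, never the client-supplied
    // Host header, so the redirect cannot be pointed at another site.
    $path = (string) ($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return 'https://' . $canonicalHost . $path;
}

// Constructed sample request: plain HTTP API call carrying a token_auth.
$request = [
    'HTTPS'       => '',
    'REQUEST_URI' => '/index.php?module=API&token_auth=PLACEHOLDER',
];
$config = ['force_ssl' => 1, 'assume_secure_protocol' => 0];

$target = forceSslRedirectTarget($request, $config, 'piwik.example.org');
if ($target !== null && PHP_SAPI !== 'cli') {
    header('Location: ' . $target, true, 302);
    exit;
}
echo $target ?? 'request allowed', PHP_EOL;
```

A redirect only takes effect after the first plaintext request has already been sent, so API clients and saved URLs that carry token_auth should use the https:// address directly.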