New setting force_ssl that will ensure that Piwik is only used over https SSL #2918

mattab opened this Issue Feb 11, 2012 · 2 comments


Currently, there is a setting force_ssl_login that forces the login details to be submitted over https.

However, since the token_auth is confidential, and sometimes passed in URLs (API requests, AJAX requests done in the admin screens, etc.), it is desired to have a setting that would ensure that Piwik can ONLY be used over SSL.

  • When force_ssl=1, all requests will be redirected to the https:// URL.
  • Expected: if SSL is not properly configured, then Piwik will NOT work. The user can edit the config file to set force_ssl = 0 to re-enable Piwik in this case.
  • This setting is different from assume_secure_protocol
  • Also, update the How to setup secure server guide with this new setting recommendation.
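The behaviour sketched in the list above (redirect every plain-http request to its https:// equivalent, and treat assume_secure_protocol as a separate switch for installs behind a TLS-terminating proxy) can be shown in a few lines. The following is an added illustration written for this page; it is not Piwik's own implementation. The `$config` array stands in for the `[General]` section of `config/config.ini.php`, and the function names `request_is_https`, `force_ssl_redirect_target` and `enforce_ssl` are hypothetical.

```php
<?php
// Added example, not Piwik's code. $config mirrors the [General] config
// section; the function names below are hypothetical.

/**
 * Decide whether the current request already arrived over HTTPS.
 * assume_secure_protocol covers a TLS-terminating reverse proxy in front
 * of PHP, where the web server itself only ever sees plain HTTP.
 */
function request_is_https(array $server, array $config): bool
{
    if (!empty($config['assume_secure_protocol'])) {
        return true;
    }
    return isset($server['HTTPS'])
        && $server['HTTPS'] !== ''
        && $server['HTTPS'] !== 'off';
}

/**
 * Return the https:// URL to redirect to when force_ssl is on and the
 * request came in over plain HTTP; null when no redirect is needed.
 */
function force_ssl_redirect_target(array $server, array $config): ?string
{
    if (empty($config['force_ssl']) || request_is_https($server, $config)) {
        return null;
    }
    // HTTP_HOST is client-supplied: accept only a plain host[:port] so the
    // redirect target cannot be bent into something unexpected.
    $host = $server['HTTP_HOST'] ?? '';
    if ($host === '' || !preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host)) {
        return null; // malformed host: do not build a redirect from it
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/'; // refuse absolute-form request targets
    }
    return 'https://' . $host . $uri;
}

/**
 * Send the redirect before any output, so that a response carrying
 * token_auth in its body is never written to the plaintext connection.
 */
function enforce_ssl(array $config): void
{
    $target = force_ssl_redirect_target($_SERVER, $config);
    if ($target === null) {
        return;
    }
    header('Location: ' . $target, true, 301);
    exit;
}

// Equivalent of force_ssl = 1 and assume_secure_protocol = 0 in config.
$config = ['force_ssl' => 1, 'assume_secure_protocol' => 0];
enforce_ssl($config);
```

Two practical caveats follow from the issue text. First, a redirect only protects future requests: an http:// request that already carried token_auth in its query string has already exposed it on the wire, so the redirect must be combined with always publishing https:// URLs (and, on modern servers, HSTS) rather than relied on alone. Second, because the Location header is built from the Host header, a production version should check the host against a configured list of trusted hostnames instead of a shape-only regex, and, as the issue notes, a misconfigured TLS setup will make the site unreachable until force_ssl is set back to 0 in the config file.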

(In [5815]) Fixes #2918

  • Adding new setting force_ssl that will automatically redirect all http:// requests to the https:// equivalent. This ensures better security for the Piwik server, since the token_auth is often found in the response body or in the GET parameters.
mattab added this to the Piwik 1.7 milestone Jul 8, 2014
This issue was closed.