Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#2918 closed New feature (fixed)

New setting force_ssl that will ensure that Piwik is only used over https SSL

Reported by: matt
Owned by:
Priority: major
Milestone: 1.7 Piwik 1.7
Component: Core
Keywords:
Cc:
Sensitive: no

Description

Currently, there is a setting force_ssl_login that forces the login details to be submitted over https.

However, since the token_auth is confidential, and sometimes passed in URLs (API requests, ajax requests done in the admin screens, etc.) it is desired to have a setting that would ensure that Piwik can ONLY be used over SSL.

  • When force_ssl=1, all requests will be redirected to the https:// URL.
  • Expected: if SSL is not properly configured, then Piwik will NOT work. The user can edit the config file to set force_ssl = 0 to re-enable Piwik in this case.
  • This setting is different from assume_secure_protocol.
  • Also, update the "How to set up a secure server" guide with this new setting recommendation.
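The redirect rule the ticket asks for, written out as an added illustration in PHP (this is not Piwik's own implementation from changeset [5815], and the `$config` array, the `assume_secure_protocol` handling and the function names are assumptions for the example). It shows the two decisions a practitioner cares about: never redirect a request that is already secure, or declared secure by `assume_secure_protocol` because a TLS-terminating proxy sits in front of the application, so that no redirect loop occurs; and carry the full path and query string over so that API and AJAX calls land on the same endpoint over https.

```php
<?php
// Added example, not Piwik code: decide whether an incoming request must be
// redirected to its https:// equivalent when force_ssl is enabled.
// $config is a hypothetical array holding the two ini settings from the ticket.

function isRequestSecure(array $server, array $config): bool
{
    // assume_secure_protocol (assumed meaning): the operator declares that a
    // TLS-terminating reverse proxy sits in front of Piwik, so the request is
    // treated as https even though PHP itself sees plain http.
    if (!empty($config['assume_secure_protocol'])) {
        return true;
    }
    // Standard PHP/Apache signal for a TLS connection to this process.
    return isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
}

// Returns the absolute https:// URL to redirect to, or null when no redirect
// is needed (force_ssl off, request already secure, or no usable host).
function httpsRedirectTarget(array $server, array $config): ?string
{
    if (empty($config['force_ssl'])) {
        return null;            // force_ssl = 0: plain http stays allowed
    }
    if (isRequestSecure($server, $config)) {
        return null;            // already https (or declared so): avoids a redirect loop
    }
    // HTTP_HOST is client-supplied; in a real deployment compare it against the
    // hostname you expect to serve before using it in a Location header.
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '';
    if ($host === '') {
        return null;            // cannot build a safe absolute URL without a host
    }
    // Keep path and query string so the client lands on the same endpoint.
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . $uri;
}

// Usage: run before any output is sent, at the front of every request.
$config = ['force_ssl' => 1, 'assume_secure_protocol' => 0];   // constructed sample values
$target = httpsRedirectTarget($_SERVER, $config);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```

Two caveats worth keeping in mind when relying on a setting like this: the redirect only limits future exposure, since a token_auth that arrived in the query string of an http request has already crossed the network in clear text, so clients should be configured with https URLs in the first place; and a 301 turns a POST into a GET on the retried request, so form and API clients that posted over http will see that request fail rather than be silently replayed, which is the behaviour the ticket's "Piwik will NOT work over http" expectation describes.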

Change History (3)

comment:1 Changed 2 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from new to closed

(In [5815]) Fixes #2918

  • Adding new setting force_ssl that will automatically redirect all http:// requests to the https:// equivalent. This ensures better security for the piwik server, since the token_auth is often found in the response body or in the GET parameters.

comment:3 Changed 2 years ago by matt (mattab)

  • Priority changed from normal to major