Opened 2 years ago

Closed 2 years ago

#3016 closed Bug (fixed)

Discourage the use of the config setting tracking_requests_require_authentication=0

Reported by: matt
Owned by:
Priority: normal
Milestone: 1.12.x - Piwik 1.12.x
Component: Core
Keywords:
Cc:
Sensitive: no

Description

We should make it clear that tracking_requests_require_authentication should not be used on public-facing Piwik servers. It would allow anyone to push data with a custom date in the past or future, or create artificial visits using custom IPs. This is a security issue to use this setting on publicly available servers.

Change History (1)

comment:1 Changed 2 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from new to closed

(In [5978]) Fixes #3016
Clarify in the doc that tracking_requests_require_authentication should not be used on public facing Piwik servers since it would allow anyone to push data in the past, future, or with custom IP, which is a security concern
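
A configuration check for the setting this ticket discusses, as an added example that is not part of the ticket or of Piwik's own code. It assumes the setting sits in the `[Tracker]` section of the instance's INI configuration and that an absent key falls back to a safe shipped default; the sample configuration is constructed.

```python
SETTING = "tracking_requests_require_authentication"
SECTION = "Tracker"  # assumption: section that holds the setting

# Constructed sample configuration (not taken from a real server).
SAMPLE = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[superuser]
login = admin

[Tracker]
; tracking_requests_require_authentication = 1
tracking_requests_require_authentication = 0 ; bulk import

[General]
; same key in another section: ignored by the check
tracking_requests_require_authentication = 1
"""


def find_setting(ini_text):
    """Return (value, line_number) of the last assignment in [Tracker], or None."""
    section, found = None, None
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment, including commented-out settings
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and section == SECTION and key.strip() == SETTING:
            # Drop a trailing "; comment" and surrounding quotes.
            value = value.split(";", 1)[0].strip().strip("\"'")
            found = (value, lineno)  # a later assignment overrides an earlier one
    return found


def audit(ini_text):
    """Return a finding string when tracker authentication is disabled, else None."""
    hit = find_setting(ini_text)
    if hit is None:
        return None  # key absent: assumed to use the shipped default
    value, lineno = hit
    # PHP INI parsing treats these literals as false; quoted forms are flagged
    # too, so the check errs on the side of reporting.
    if value.lower() in ("0", "", "false", "off", "no", "null"):
        return f"line {lineno}: {SETTING}={value!r} disables tracker authentication"
    return None


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the check against each public-facing instance's configuration, for example in a deployment pipeline, turns the documentation warning into something that fails loudly.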
