github.com/matomo-org/matomo.git
author: Stefan Giehl <stefan@matomo.org>, 2020-12-08 00:54:17 +0300
committer: GitHub <noreply@github.com>, 2020-12-08 00:54:17 +0300
commit: 0d979018ce23e8e0187dd435cc8de99fcf3c3585
tree: e06eb15fc0754475077fef3ad3e4da15232334cb /CHANGELOG.md
parent: 28efeafae6c9540060f39a5e1f76b4da3ad6c8bc
Host detection: use HTTP_HOST as default, but provide a setting to use SERVER_NAME instead (#16899)
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- CHANGELOG.md 6
1 files changed, 5 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a288597e3..f6ddad6d93 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -141,7 +141,6 @@ These are only recommendations (because we will keep backward compatibility for
* When embedding reports (widgets) into a different site, it is no longer possible to use authentication tokens of users with at least write access, unless the `[General] enable_framed_allow_write_admin_token_auth` is set. This means if you currently rely on this functionality, you will need to update your matomo config when updating to Matomo 4. Alternatively, create a user with `view` access and use the token of this user to embed the report.
* The log importer in `misc/log-analytics` now supports Python 3 (3.5, 3.6, 3.7 or 3.8), it will no longer run with Python 2. If you have any automated scripts that run the importer, you will have to change them to use the Python 3 executable instead.
-* Matomo now uses the SERVER_NAME for host validation and no longer the HOST header. If you're running Matomo behind a load balancer or a proxy you need to ensure that SERVER_NAME is set correctly.
* Deprecated `piwik` font was removed. Use `matomo` font instead
* The JavaScript AjaxHelper does not longer support synchronous requests. All requests will be sent async instead.
* The console option `--piwik-domain` has been removed. Use `--matomo-domain` instead
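Review bot: The `SERVER_NAME` bullet is removed from this list without a replacement, so nothing at this position tells readers that host validation now defaults to HTTP_HOST. Anyone who followed the earlier wording and set SERVER_NAME behind a load balancer or proxy gets no pointer from here to the new `host_validation_use_server_name` setting. Consider keeping a one-line bullet in its place that states the default and refers to that setting.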
@@ -159,6 +158,11 @@ These are only recommendations (because we will keep backward compatibility for
* The Method `\DI\link()` has been removed. Use `\DI\get()` instead.
* Defining global observer functions in config now requires the functions to be wrapped in `\DI\value()`, unless they are a factory.
+### New config.ini.php settings
+
+* `host_validation_use_server_name = 0`, if set to 1, Matomo will prefer using SERVER_NAME variable over HTTP_HOST. This can add an additional layer of security, as SERVER_NAME can't be manipulated by sending custom host headers when configured correctly.
+
+
## Matomo 3.14.0
### New API
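Review bot: In the added `host_validation_use_server_name` bullet, "when configured correctly" leaves the security property undefined; the entry should say what the web server has to guarantee for SERVER_NAME to be independent of the request's Host header, otherwise a reader can enable the setting and get the extra layer in name only. The bullet also omits the config section the key belongs to, whereas the embedding bullet further up writes `[General] enable_framed_allow_write_admin_token_auth`; naming the section here would match. As a style point, an opening such as "`host_validation_use_server_name`: defaults to 0; if set to 1, Matomo will prefer ..." avoids the comma splice, and one blank line before `## Matomo 3.14.0` is enough instead of the two added.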