Piwik: Difference between revisions

From Open Source Ecology

Revision as of 21:42, 16 September 2017

Why

Piwik is a self-hosted alternative to Google Analytics (GA). Unlike GA, Piwik is FOSS and can be self-hosted, so we are not dependent on sending (potentially sensitive) user data to an external service provider.

Security Concerns

When we first deployed it in 2017, Piwik appeared to be the best self-hosted GA alternative. That said, it is not without issues; specifically, we found many eyebrow-raising red flags in the project's security history and practices.

Note: In the end, Piwik is not a publicly accessible service. As such, the usual concerns (SQL injection, XSS attacks, etc.) are moot as long as the service runs behind HTTP basic auth. Therefore, we run Piwik on a "basic auth lockdown" until a better option is available.
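The "basic auth lockdown" described above, as an added nginx configuration example that is not part of this wiki page or of the Piwik project; the hostname, certificate and install paths, and the PHP-FPM socket are assumptions for illustration.

```nginx
# Added example (not from this page or from Piwik): the whole Piwik install
# sits behind HTTP basic auth, so no part of the app is reachable anonymously.
# piwik.example.org, the file paths and the php-fpm socket are assumptions.
server {
    listen 443 ssl;
    server_name piwik.example.org;                               # assumed hostname

    ssl_certificate     /etc/ssl/certs/piwik.example.org.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/piwik.example.org.key;  # assumed path

    root  /var/www/piwik;                                        # assumed install path
    index index.php;

    # Require a username/password for every request under this vhost,
    # tracker endpoints included. The user file is created with e.g.
    # `htpasswd -B -c /etc/nginx/piwik.htpasswd <user>` (bcrypt hashes).
    auth_basic           "Piwik";
    auth_basic_user_file /etc/nginx/piwik.htpasswd;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;                 # assumed socket
    }

    # Piwik keeps its configuration (database credentials) and temp data
    # here; deny them outright, even to authenticated users.
    location ~ ^/(config|tmp|core|lang)/ { deny all; }
    location ~ /\.ht { deny all; }
}

# Basic auth only base64-encodes credentials, so plain HTTP must never serve
# the app: redirect everything to the TLS vhost above.
server {
    listen 80;
    server_name piwik.example.org;
    return 301 https://$host$request_uri;
}
```

Check the lockdown from outside with `curl -I https://piwik.example.org/piwik.php`; anything other than a `401` means a path is still reachable without credentials.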

Here are some of the security concerns we discovered in the Piwik project:

Install