I’ve got a need to add a custom HTTP header to all requests sent by the Piwik client. This will be used to provide authentication information to a Piwik proxy. I know there’s a way to add a header for Content-Type but I don’t see any way to add an arbitrary custom request header. Is there a way to do this that I’m overlooking?
I don’t know about your setup, but wouldn’t the easiest solution be adding the header at the webserver (nginx/Apache)?
Unfortunately not. The header needs to be inserted at the client as the web server is there to prevent traffic from reaching the piwik server if the header is not present.
I’m quite sure this would need a deep hack into the the tracker call, to add request headers.
Additionally, please take note, that request headers, if not randomly generated or added at server level, are not a secure way to prevent against unwanted traffic. Someone could just look at the call in the dev tools and afterwards craft an simple attack with that information.
Ah, I missed, that you need the header on browser requests.
In this case you will need to modify piwik.js:
But as @fdellwing mentioned: This doesn’t add any security.
The header carries a short-lived auth token (similar to a session cookie) that is server-generated. The token is then verified by the server before allowing traffic to pass to piwik. So, essentially the same thing as session-based auth.
Right, I’ve looked at the code and I know I could modify piwik.js to do this. But that will cause issues down the road when we upgrade to a newer version of piwik. I assume that there are no plans to add this to piwik in the near future? Maybe a patch submission is in order.