Piwik tracking security


I’ve set up Piwik and it works great, but I wonder about tracking security. I’ve tested on 2 domains to track a site with the same JavaScript tracking code, e.g. both have idSite 2.

In Piwik I’ve set only 1 domain in the URLs (e.g. domain1.tld), but it tracks pages from both domains.

Shouldn’t the tracker be protected by the URLs setting, and above all shouldn’t the tracker be protected by the server that can write to the Piwik tracker?

Maybe it’s an idea to introduce an IP filter for the server the tracking is coming from and filter the tracking by URLs?


Sorry, did not see this before, I think this has to be added asap;

(vipsoft) #3

There’s no way to authenticate the tracking site because the request is made from the visitor’s browser. #588 only makes it harder to misconfigure/spoof. All JavaScript trackers have this inherent weakness.

If you want to protect against spoofing, you’ll have to use the server-side tracker.


I wonder why JavaScript is the default tracking method if it’s so insecure?

Shouldn’t the server-side tracking be built into Piwik by default with some documentation instead of only putting it on the Piwik docs site?

And shouldn’t there be an option to disable the JavaScript tracking from the console and/or config?

(vipsoft) #5

Server-side tracking shares many of the pros/cons of log file analysis.

(vipsoft) #6

p.s. the reason this isn’t a security issue is because the tracking is by idsite. One idsite could encompass multiple domains or subdomains.


What are the pros/cons of server-side tracking? Isn’t this more reliable?

I don’t agree on the security issue: if I encounter a Piwik-tracked website, I can copy the code including the idSite from the website and paste it into a fake website to generate a lot of fake traffic. This way I can make it look like the site has a lot of visitors. This is especially dangerous with internet ad/marketing companies who sell their services to generate more traffic.

Maybe it’s an idea to make a PHP track communicator that resides on the server with the website that needs to be tracked, which holds a secure version of the idSite code (e.g. 92asdl#30as39). The piwik.js file sends its data to the PHP track communicator, which sends the data to the Piwik tracking website. This would make it a lot harder to generate fake tracking data because the secure idSite code can’t be copied.

(vipsoft) #8

Your idea would be implemented using the PiwikTracker class for server-side tracking. Tracking API - Analytics Platform - Matomo


  • works even if user has javascript disabled or blocking known web trackers


  • more likely to count bots
  • some widgets no longer contain visitor stats (e.g., browser plugins, screen dimensions, etc)


I’ve looked at the Tracking API, but it indeed has these cons. Both method 1 (image tracking) and method 2 (HTTP request).

I think it would be great if there were a third method, JavaScript tracking. This method would not have these cons and would use a local PHP file to send the idSite to Piwik.


Sorry, but I was thinking this doesn’t make a difference because one could use the local PHP file to send bogus traffic to Piwik. Maybe there’s another way…


It could be possible to let the piwik.php file check that a file exists on the sending server, but this would generate a lot of traffic. This is the same way Google checks if you’re the site owner.

If not, it would be great if Piwik filtered the incoming URLs like I’ve configured in the website settings. Spoofable or not, this prevents misconfiguration from my side. Why is this setting in Piwik if it doesn’t do anything, by the way?

(vipsoft) #12

? There is no setting at the moment to filter tracking requests by domain. This is on the todo list.
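
The per-site URL filter asked for in this thread could be prototyped over tracker access logs as follows. This is an added example, not part of the original posts and not Piwik's own code; the `SITE_URLS` allowlist, the function names and the log lines are constructed for illustration, and `idsite`, `rec` and `url` are the query parameters of the tracking request.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: idsite -> hostnames entered as that site's URLs.
SITE_URLS = {"2": {"domain1.tld", "www.domain1.tld"}}

# Constructed request lines in access-log form (not real traffic).
SAMPLE_LOG = [
    "GET /piwik.php?idsite=2&rec=1&url=http%3A%2F%2Fdomain1.tld%2Fhome HTTP/1.1",
    "GET /piwik.php?idsite=2&rec=1&url=http%3A%2F%2Fdomain2.tld%2F HTTP/1.1",
    "GET /piwik.php?idsite=2&rec=1 HTTP/1.1",
    "GET /piwik.php?idsite=9&rec=1&url=http%3A%2F%2Fdomain1.tld%2F HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


def check_hit(request_line, site_urls=SITE_URLS):
    """Classify one request line; returns (idsite, host, verdict)."""
    try:
        _method, target, _proto = request_line.split(" ", 2)
    except ValueError:
        return (None, None, "malformed")
    parts = urlsplit(target)
    if not parts.path.endswith("/piwik.php"):
        return (None, None, "not-tracking")
    params = parse_qs(parts.query)
    idsite = params.get("idsite", [None])[0]
    try:
        # `url` is sent by the visitor's browser, so it can be forged.
        host = urlsplit(params.get("url", [""])[0]).hostname or ""
    except ValueError:  # e.g. unbalanced IPv6 brackets
        host = ""
    if idsite not in site_urls:
        return (idsite, host, "unknown-idsite")
    if not host:
        return (idsite, host, "missing-url")
    verdict = "ok" if host in site_urls[idsite] else "foreign-host"
    return (idsite, host, verdict)


def flag_suspect(lines):
    """Return the tracking hits that should be dropped or reviewed."""
    results = (check_hit(line) for line in lines)
    return [r for r in results if r[2] not in ("ok", "not-tracking")]


if __name__ == "__main__":
    for hit in flag_suspect(SAMPLE_LOG):
        print(hit)
```

Because the `url` value comes from the browser, this check catches copied snippets and misconfiguration rather than a deliberate forger, which is the same limit stated for #588 earlier in the thread.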