Werk #14261: Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs

Component Setup
Title Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs
Date Jun 28, 2022
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.2.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Using GET requests to login.py means that the credentials supplied in the query parameters will appear in the site's Apache access logs. To avoid unintentional leakage of such credentials, we block login attempts via the GET method by default.

If you used the GET method to, for example, export the data of views and dashboards in formats such as JSON, you can make use of the automation user as described in the documentation article. For example, to display the view allhosts in JSON format, you can issue a request like this one:

    curl -X GET 'http://localhost/heute/check_mk/view.py?_username=automation&_secret=[automation_secret]&view_name=allhosts&output_format=json'

However, if you still need to use the GET method to log in to WATO, you can manually enable this method as follows:

In the WATO interface, go to Setup > Global Settings > User interface, and switch on the Enable login via GET requests property.
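
Where GET logins were in use before this change, or are switched back on, the site's Apache access log is where the exposed credentials end up. The following added example (not Checkmk code) finds GET requests to login.py that carry credential parameters, reports the affected usernames so their passwords can be rotated, and redacts the values. The `_password` parameter name is an assumption, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# "_secret" and "_username" appear in the Werk's curl example;
# "_password" is an assumed name for the login.py password parameter.
SENSITIVE = {"_password", "_secret"}

# Request part of an Apache common/combined log line: "METHOD target PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_line(line):
    """Return (username, redacted_line) if the line is a GET to login.py
    with credentials in the query string, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/login.py"):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key in SENSITIVE for key, _ in params):
        return None
    user = dict(params).get("_username", "<unknown>")
    redacted = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in params]
    target = parts._replace(query=urlencode(redacted)).geturl()
    return user, line[:m.start("target")] + target + line[m.end("target"):]


def affected_users(lines):
    """Sorted usernames whose credentials appear in the given log lines."""
    return sorted({hit[0] for hit in map(scan_line, lines) if hit})


# Constructed sample lines, not real log data. The site name "heute" is
# taken from the Werk's example URL.
SAMPLE = [
    '127.0.0.1 - - [28/Jun/2022:10:00:00 +0200] "GET /heute/check_mk/login.py'
    '?_username=alice&_password=hunter2&_login=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [28/Jun/2022:10:00:05 +0200] "POST /heute/check_mk/login.py'
    ' HTTP/1.1" 302 0',
    '127.0.0.1 - - [28/Jun/2022:10:00:09 +0200] "GET /heute/check_mk/index.py'
    ' HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print("rotate credentials for:", affected_users(SAMPLE))
    for hit in filter(None, map(scan_line, SAMPLE)):
        print(hit[1])
```

Rotated or archived copies of the access log contain the same values and need the same treatment.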
