Matomo is an analytics platform that collects data through the Tracking API and provides reports through the Analytics API. In some cases, you may need to access this data from other domains, for example with cross-domain Ajax (XMLHttpRequest) calls.

By default, browsers enforce the same-origin policy, which prevents script running on one origin from reading responses it fetches from another origin. Cross-origin requests are still possible, but the server must opt in: it answers with an Access-Control-Allow-Origin header whose value is the origin of the requesting page (scheme, host and, if non-default, port), for example Access-Control-Allow-Origin: https://example.com.

This guide explains how to configure CORS in Matomo safely, as a misconfiguration can introduce security risks, particularly if CORS is enabled for all domains.

  1. You can set the domains allowed for CORS in the Matomo user interface under Administration (cog icon) > System > General settings.
  2. Alternatively, you can set the domains in the config.ini.php file. Each entry is an origin, so it must include the scheme (http:// or https://) that the requesting page is served from. For example, to permit cross-domain requests from http://example.com and http://dashboard.example.com, add the following:
[General]
cors_domains[] = "http://example.com"
cors_domains[] = "http://dashboard.example.com"

Security notes

Using a wildcard (*) for CORS in Matomo is not recommended. The only exception is a fully controlled, trusted environment in which every origin that can reach Matomo is itself secure. In all other cases, you should explicitly configure only the trusted domains that require access.

  • Setting cors_domains[] = * in config.ini.php, or the equivalent wildcard in the Matomo user interface, exposes tracking data and makes the Matomo Administration and Analytics API reachable from any website.
  • When cors_domains[] = * is enabled, Matomo copies the request Origin into the Access-Control-Allow-Origin header and always includes Access-Control-Allow-Credentials: true. Browsers reject a literal * for credentialed requests, but they accept a reflected origin, so a malicious site on another subdomain of the same root domain could perform authenticated API requests in the browser of a logged-in user and read the responses.
  • Where SameSite cookie protections are not enforced (for example in older browsers, or if the session cookie is explicitly set with SameSite=None), the session cookie is also sent on requests from completely unrelated domains, so the risk extends to any website. The impact depends on the permissions of the logged-in account; in the worst case it is a full account compromise.
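The following is an added example, not Matomo's own code. It models the allowlist and wildcard behaviour described in the configuration steps and in the security notes above, together with the CORS check a browser applies before it lets a cross-origin script read a response. The server-side model is an assumption built from this page (exact match against the cors_domains[] entries; with * the Origin is reflected and credentials are allowed); the allowlist branch is assumed here to allow credentials as well. The origins and the "evil.example.net" attacker site are constructed for the scenarios.

```javascript
// Model of the documented Matomo CORS decision (assumption, not Matomo source):
// exact match against cors_domains[], or, with "*", reflection of the request
// Origin together with Access-Control-Allow-Credentials: true.
function corsResponseHeaders(corsDomains, requestOrigin) {
  const headers = {};
  if (!requestOrigin) return headers; // no Origin header: not a CORS request
  if (corsDomains.includes('*')) {
    // Wildcard: the origin is reflected and credentials are allowed (the risky case).
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  } else if (corsDomains.includes(requestOrigin)) {
    // Allowlist: exact string match on scheme + host (+ port), so an entry
    // "http://example.com" does not cover "https://example.com".
    // Assumed here to allow credentials for listed origins as well.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// The browser's CORS check (Fetch standard): may the calling script read the
// response? For a credentialed request (fetch with credentials: 'include',
// or XMLHttpRequest.withCredentials = true) a literal "*" is rejected, the
// origin must match exactly, and Allow-Credentials must be exactly "true".
function browserAllowsRead(headers, requestOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === requestOrigin;
  return acao === requestOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
}

// Outcome of an authenticated (cookie-carrying) Analytics API request issued
// by a page on `origin` under a given cors_domains[] configuration. Whether the
// session cookie actually accompanies the request is decided separately by
// the cookie's SameSite attribute; this function assumes it is sent.
function canReadAuthenticatedApi(corsDomains, origin) {
  return browserAllowsRead(corsResponseHeaders(corsDomains, origin), origin, true);
}

// For contrast: a server that answered a credentialed request with a literal
// "*" would be blocked by the browser. Reflecting the origin is what makes
// the wildcard setting dangerous.
function literalWildcardReadable(origin) {
  const headers = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
  return browserAllowsRead(headers, origin, true);
}

// Constructed scenarios: the allowlist from the config example above and a wildcard.
const ALLOWLIST = ['http://example.com', 'http://dashboard.example.com'];
const WILDCARD = ['*'];
const scenarios = [
  ['allowlist, listed origin', ALLOWLIST, 'http://dashboard.example.com'],
  ['allowlist, same host over https (not listed)', ALLOWLIST, 'https://dashboard.example.com'],
  ['allowlist, unrelated origin', ALLOWLIST, 'https://evil.example.net'],
  ['wildcard, unrelated origin', WILDCARD, 'https://evil.example.net'],
];
for (const [label, domains, origin] of scenarios) {
  console.log(`${label}: ${canReadAuthenticatedApi(domains, origin) ? 'readable' : 'blocked'}`);
}
console.log(`literal "*" with credentials: ${literalWildcardReadable('https://evil.example.net') ? 'readable' : 'blocked'}`);
```

To check a real instance, send a request to the Matomo URL with an Origin header you do not expect to be allowed (for example with curl -H "Origin: https://evil.example.net" -I) and confirm that the response carries no Access-Control-Allow-Origin header; if the header echoes that origin, the wildcard is in effect.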

Heatmaps & Session Recordings

If you use the Heatmaps & Session Recordings plugin, your website (where the tracking code is installed) may also need to send an Access-Control-Allow-Origin header. In this case, configure the header on your web server only for the Matomo origin(s) that require access. Do not use a wildcard (*) there either.

Read more about Cross-Origin Resource Sharing (CORS).