What is the Trusted Host Check feature in Matomo?
The Trusted Host Check feature ensures that Matomo is only accessible through explicitly allowed hostnames. If Matomo is accessed through a hostname that is not on the list, it displays a warning instead of processing the request. This closes off attacks that abuse the HTTP Host header, such as Host header injection, where a forged Host header is used to make the application generate links or redirects that point to an attacker-controlled domain.
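The following is an added example, not Matomo's own code and not a description of its PHP implementation (whose matching rules may differ); it shows the principle in Python. Hostnames are read from trusted_hosts[] lines, the Host header is normalised (lower-cased, port and trailing dot removed, anything that cannot be a hostname rejected) and compared exactly against that allowlist, and an absolute link is only built from a host that passed. The sample config text, the hostnames and the /reset?token= path are constructed assumptions for the demo.

```python
"""Illustrative trusted-host allowlist check.

Added example, not Matomo's own code: Matomo implements this check in its
PHP code base and its exact matching rules may differ. The sample config
text, the hostnames and the reset-link path are constructed for the demo.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the trusted_hosts[] lines in the FAQ.
SAMPLE_CONFIG = """\
[General]
trusted_hosts[] = "example.org"
trusted_hosts[] = example.com
enable_trusted_host_check = 1
"""

_TRUSTED_LINE = re.compile(r'^\s*trusted_hosts\[\]\s*=\s*"?([^"\s;]+)"?', re.M)
_ENABLE_LINE = re.compile(r"^\s*enable_trusted_host_check\s*=\s*(\d+)", re.M)

# What we accept as a Host header value: a DNS-style name (or a bracketed
# IPv6 literal) with an optional ':port'. Anything else is malformed.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::[0-9]{1,5})?$")


def load_host_settings(config_text: str) -> Tuple[List[str], bool]:
    """Read trusted_hosts[] and enable_trusted_host_check from ini text.

    A missing enable_trusted_host_check means the check is enabled.
    """
    hosts = _TRUSTED_LINE.findall(config_text)
    m = _ENABLE_LINE.search(config_text)
    enabled = True if m is None else m.group(1) != "0"
    return hosts, enabled


def normalize_host(host_header: str) -> Optional[str]:
    """Canonical form for comparison: lower-case, no port, no trailing dot.

    Returns None for values that cannot be a hostname, so junk such as
    'example.org@evil.example' never reaches the allowlist comparison.
    """
    m = _HOST_RE.match(host_header.strip().lower())
    if m is None:
        return None
    host = m.group(1).rstrip(".")
    if not host or host.startswith(".") or ".." in host:
        return None
    return host


def is_trusted_host(host_header: str, trusted_hosts: List[str],
                    enable_trusted_host_check: bool = True) -> bool:
    """Exact allowlist match; with the check disabled every host passes."""
    if not enable_trusted_host_check:          # enable_trusted_host_check = 0
        return True
    host = normalize_host(host_header)
    if host is None:
        return False
    allowed = {h.strip().lower().rstrip(".") for h in trusted_hosts}
    return host in allowed


def password_reset_link(host_header: str, token: str, trusted_hosts: List[str],
                        enable_trusted_host_check: bool = True) -> str:
    """Build an absolute URL from the request's Host header (hypothetical path).

    This is the pattern Host header injection abuses: if the header is not
    validated, the e-mailed link points wherever the attacker said.
    """
    if not is_trusted_host(host_header, trusted_hosts, enable_trusted_host_check):
        raise ValueError(f"untrusted host: {host_header!r}")
    host = normalize_host(host_header)
    if host is None:
        raise ValueError(f"malformed host: {host_header!r}")
    return f"https://{host}/reset?token={token}"


if __name__ == "__main__":
    hosts, enabled = load_host_settings(SAMPLE_CONFIG)
    for hdr in ["example.org", "EXAMPLE.ORG:443", "example.org.",
                "example.org.evil.example", "evil.example",
                "example.org@evil.example"]:
        print(f"{hdr!r:30} trusted={is_trusted_host(hdr, hosts, enabled)}")
    # With the check disabled the poisoned link is built without complaint.
    print(password_reset_link("evil.example", "t0k3n", hosts, False))
```

Note that "example.org.evil.example" is rejected: an attacker who controls a domain can always create a name that starts with your hostname, so the comparison must be against the whole normalised host, never a prefix or substring match.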
Is this feature enabled by default?
Yes, Trusted Host Check is enabled by default to enhance security.
How are trusted hosts configured?
Trusted hosts are defined in the [General] section of Matomo's configuration file, config/config.ini.php, one trusted_hosts[] entry per hostname.
Example configuration with multiple hosts:
trusted_hosts[] = example.org
trusted_hosts[] = example.com
During installation, Matomo automatically sets the hostname used at that time as the initial trusted host. After installation, additional trusted hosts can be configured in two ways:
- In the Matomo user interface: navigate to Administration Settings > System > General Settings > Trusted Matomo Hostname
- Manually in config/config.ini.php, by adding further trusted_hosts[] entries
What is this feature NOT for?
The Trusted Host Check does not restrict access based on the visitor’s origin. It does not limit connections to Matomo based on the visitor’s IP address or domain. Instead, it ensures that Matomo is only accessed using the correct hostnames, even if the web server responds to other domains.
For restricting access based on the client's network or location, use controls outside Matomo, such as server-level firewall rules or IP-based access restrictions in the web server.
How can I disable this check?
If necessary, this feature can be disabled by setting the following in the [General] section of config/config.ini.php:
enable_trusted_host_check = 0
Important: Disabling this check removes the protection against Host header attacks described above and is not recommended. If Matomo is legitimately reached through another hostname, add that hostname to trusted_hosts instead.
Conclusion
The Trusted Host Check helps secure your Matomo instance by rejecting requests that arrive with a hostname that is not on the allowlist, so Matomo cannot be tricked into acting on a forged Host header. It does not control which users or networks can access Matomo; that should be handled with firewall rules or IP-level access restrictions.
- Related Topic: Why am I getting a warning about an untrusted hostname.