How do I configure Matomo when mod_security (or CA SiteMinder) is enabled?
Unfortunately, Matomo (Piwik) is not compatible with the Apache web server module mod_security
nor with CA SiteMinder. If your web host uses mod_security to block requests containing URLs (eg. hosts like HostGator, The Planet), you should contact your provider to have your Matomo application whitelisted and have mod_security disabled for Matomo.
With mod_security (or CA SiteMinder) is enabled Matomo will look like it works but these security modules create major bugs in Matomo, including major data loss as requests are mistakenly discarded by the server! For more information, see this ticket on Matomo issue tracker.
If you are using Plesk, see our guide on how to install Matomo on Plesk which includes a section on how to Disable Web Application Firewall (ModSecurity).
Some of the error messages you may see in Apache error log when using mod_security include client denied by server configuration:
. When the other tool CA Siteminder is enabled, you may get: Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
.