Why am I getting a warning about an untrusted hostname?

Most of the time this warning is displayed just after you have migrated Matomo (Piwik) to a new URL or server, when the new hostname you use is not the same as the stored one. In this case, ask your Matomo Administrator to update the Matomo Hostname in Administration > General Settings.

(for geeks only) How does this message improve security?

This warning is a security feature Matomo provides to make Matomo more robust and prevent the so-called “Host Injection” vulnerability. Attackers could try to send fake hostnames to Matomo in an attempt to get users to reset their password through an attacker’s server. If users do that, the attacker could gain access to Matomo. Matomo protects against this type of attack by storing a list of trusted hostnames and checking if the ‘Host’ HTTP header in any request is in this list. If it doesn’t match, we show you a warning.
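A minimal sketch of the allowlist check described above, next to the weak pattern it guards against. This is an added example, not Matomo's own code; the hostnames, the /reset path and the function names are assumptions made for illustration.

```python
import re

# Constructed sample allowlist (assumption, not Matomo defaults).
TRUSTED_HOSTS = ["analytics.example.org", "stats.example.org"]

# A hostname or bracketed IPv6 literal, optionally followed by :port.
_HOST_RE = re.compile(r"(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?")


def normalize_host(header):
    """Return the lower-cased host from a Host header value, or None if malformed."""
    if not header:
        return None
    m = _HOST_RE.fullmatch(header.strip().lower())
    if m is None:
        return None  # e.g. contains '@', '/', whitespace or other unexpected bytes
    return m.group(1).rstrip(".")  # drop the port and any trailing root dot


def is_trusted_host(header, trusted=TRUSTED_HOSTS):
    """Exact match against the stored list; suffix or prefix matches do not count."""
    host = normalize_host(header)
    return host is not None and host in trusted


def reset_link_weak(host_header, token):
    # Weak pattern: the link target is whatever the client sent as Host.
    return f"https://{host_header}/reset?token={token}"


def reset_link_checked(host_header, token, trusted=TRUSTED_HOSTS):
    # Hardened pattern: use the request host only if it is on the allowlist,
    # otherwise fall back to the first stored hostname.
    host = normalize_host(host_header)
    if host not in trusted:
        host = trusted[0]
    return f"https://{host}/reset?token={token}"


if __name__ == "__main__":
    for h in ["Analytics.Example.org:8443", "attacker.example.net",
              "analytics.example.org.attacker.example.net"]:
        print(f"{h!r:50} trusted={is_trusted_host(h)}")
```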

You can also disable the trusted host security check if for some reason you get this warning a lot, for example if you use Matomo with a changing set of hostnames. To do so, edit your config/config.ini.php and add the following below [General]:

[General]
enable_trusted_host_check=0

This feature was developed as a “Security Best Practice”, following a suggestion by a security researcher working with Matomo through our Security Research program.
