How do I force Matomo to use SSL (https) for improved security?
Configuring Matomo (Piwik) so that all requests are made over SSL (https://) is an easy way to improve security and keep your data safer. To ensure that logins, passwords and the token_auth are not sent in the clear, you can manually set a config file setting.
Important Note: Enabling SSL (https://) in Matomo without first ensuring that you can load Matomo over SSL may cause Matomo to not be accessible.
First ensure that you can load Matomo over SSL by replacing http:// with https:// and testing to see if the page can load. For example: https://yourserver.com/matomo/index.php or https://matomo.yourserver.com
We also recommend you use a valid SSL certificate. If you use the NGINX web server, you likely need to add the following line to your nginx config:
fastcgi_param HTTPS $https if_not_empty;
- Once you have confirmed that you can load Matomo over SSL, install the plugin ForceSSL from the Marketplace. Learn more about how to install a plugin in Matomo.
- Alternatively, edit your config/config.ini.php file and add the following setting under the [General] section:
[General]
force_ssl = 1
Matomo will then automatically redirect all http:// requests to the https:// equivalent. Learn more tips about how to secure Matomo.
If for some reason you need to disable the “Force SSL” feature, simply remove force_ssl = 1 from your config.ini.php file.
Note
Configuration settings that are boolean (true or false) should be set to either 0 or 1. Anything else is a misconfiguration, although technically true and false also work. In the future, if a configuration setting is anything else, a warning may be issued as it could have unintended effects.
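An added example, not part of the original FAQ and not Matomo's own code: a Python check that reads the text of a config/config.ini.php file and reports whether force_ssl under [General] is set to a valid boolean, following the note above. The sample file contents, function names and status labels are constructed for illustration.

```python
import configparser

# Constructed sample of a config/config.ini.php file (not from a real install).
SAMPLE_CONFIG = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "127.0.0.1"
password = "100%secret"

[General]
force_ssl = 1
salt = "constructed-sample-value"
trusted_hosts[] = "matomo.yourserver.com"
trusted_hosts[] = "yourserver.com"
"""


def read_general(text):
    """Return the [General] section of a Matomo-style INI file as a dict."""
    parser = configparser.ConfigParser(
        interpolation=None,  # values may contain a literal '%'
        strict=False,        # array keys such as trusted_hosts[] repeat
    )
    parser.read_string(text)
    if not parser.has_section("General"):
        return {}
    return dict(parser.items("General"))


def audit_force_ssl(text):
    """Return (status, detail) for the force_ssl setting in [General]."""
    raw = read_general(text).get("force_ssl")
    if raw is None:
        return "not_set", "force_ssl is not present in [General]"
    value = raw.strip().strip("\"'")
    if value == "1":
        return "enforced", "http:// requests are redirected to https://"
    if value == "0":
        return "disabled", "force_ssl is explicitly set to 0"
    # Per the note above, anything other than 0 or 1 is a misconfiguration,
    # including true/false even though they technically work.
    return "misconfigured", f"force_ssl = {raw!r}; use 0 or 1"


if __name__ == "__main__":
    print(audit_force_ssl(SAMPLE_CONFIG))
```

To audit a real install, pass the contents of config/config.ini.php to audit_force_ssl() instead of the sample string.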