When included in an IFrame, Matomo reports do not load. How do I allow Matomo reports to load from within an iframe?
By default, for security reasons, Matomo (Piwik) prevents standard pages and reports from being included in an iframe.
If you try to include Matomo pages in an iframe, you will likely get the error: Refused to display ‘https://example.com/’ in a frame because it set ‘X-Frame-Options’ to ‘deny’.
Use Widgets to embed Matomo in an iframe
To include your Matomo Analytics reports in your website or app or dashboard, using an iframe, we recommend you use the “Widgets” feature (Widgetize).
Not recommended: enable iframing Matomo app
The Widgets feature lets you embed all Matomo reports in an iframe. But sometimes you need to let your users also manage Matomo (for example, create new goals, funnels, dimensions, etc.) and you want to embed the Matomo app in an iframe. We don’t recommend embedding the whole Matomo app in an iframe for security reasons.
This is not recommended because:
- it exposes your users to risks of Clickjacking
- if you add a token_auth in the URL, it would then appear in server access logs, and this could include token_auth of admin or super users.
- several people might be using the same “iframe” embed code with the same token_auth which would make it impossible to know who did what (since they’d all be logged in as the same user)
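The two token_auth risks listed above can be checked against a web server's access log. The following is an added example, not part of Matomo or its documentation: it assumes combined log format with the client address as the first field, and the sample lines and token values are constructed. It redacts every token_auth value and reports which tokens are used from more than one client address.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic or tokens).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "GET /index.php?module=CoreHome&action=index&idSite=1&token_auth=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120
203.0.113.22 - - [01/Mar/2024:10:00:07 +0000] "GET /index.php?module=Goals&action=manage&idSite=1&token_auth=0123456789abcdef0123456789abcdef HTTP/1.1" 200 4096
198.51.100.5 - - [01/Mar/2024:10:01:30 +0000] "GET /index.php?module=CoreHome&action=index&idSite=2 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Mar/2024:10:02:00 +0000] "GET /index.php?token_auth=fedcba9876543210fedcba9876543210&module=API HTTP/1.1" 200 312
"""

# Matches token_auth as the first or a later query parameter.
TOKEN_RE = re.compile(r"([?&]token_auth=)([^&\s\"]+)")


def fingerprint(token):
    """Short one-way label so the report never repeats the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def audit(log_text):
    """Return (redacted_lines, {token fingerprint: set of client addresses})."""
    clients = defaultdict(set)
    redacted = []
    for line in log_text.splitlines():
        ip = line.split(" ", 1)[0]  # assumption: client address is field 1
        for match in TOKEN_RE.finditer(line):
            clients[fingerprint(match.group(2))].add(ip)
        redacted.append(TOKEN_RE.sub(r"\g<1>REDACTED", line))
    return redacted, dict(clients)


def shared_tokens(clients):
    """Fingerprints of tokens seen from more than one client address."""
    return sorted(fp for fp, ips in clients.items() if len(ips) > 1)


if __name__ == "__main__":
    lines, clients = audit(SAMPLE_LOG)
    for fp, ips in clients.items():
        print(f"token {fp}: {len(ips)} client(s): {', '.join(sorted(ips))}")
    print("shared by several clients:", shared_tokens(clients))
```

A token that appears here should be treated as disclosed to anyone who can read the log, and a fingerprint shared by several addresses means actions taken through that embed cannot be attributed to one person.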
But if you really wish to go ahead knowing there are serious security risks, and when existing Widgets are not enough for your needs, you can edit your config/config.ini.php and, under the category [General], add the following line:
[General]
enable_framed_pages=1
If you also wish to enable the “Settings” pages (Manage websites, Users, etc.) to load in an iframe, you can also add the setting:
enable_framed_settings=1
And if you are using Matomo 4 or above, and want to be able to use token_auths of users with write or admin access with your iframe URLs, you will have to add the setting:
enable_framed_allow_write_admin_token_auth=1
Again, we don’t recommend using these settings, unless you absolutely need to and are aware of the risks.
See also: How do I enable users to login into Matomo inside an iframe?