Locked out of Matomo - Again

Error : Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Matomo to accept the proxy header that forwards the Host header. Also, check that your Referrer header is sent correctly.

How do I turn this off for good? This is my second time installing this and both times I’ve been locked out. There shouldn’t even be a security measure like this unless explicitly turned on.


Are you by chance using nginx and Matomo with multiple domains?

I’m using openlitespeed. Currently I only have domain.com and matomo.domain.com

My tip would be making sure that the server variable passed to php ($_SERVER['SERVER_NAME']) is the one Matomo expects (so matomo.yourdomain.example).

# First, deny access to all files in this directory
<Files "*">
<IfModule mod_version.c>
	<IfVersion < 2.4>
		Order Deny,Allow
		Deny from All
	</IfVersion>
	<IfVersion >= 2.4>
		Require all denied
	</IfVersion>
</IfModule>
<IfModule !mod_version.c>
	<IfModule !mod_authz_core.c>
		Order Deny,Allow
		Deny from All
	</IfModule>
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
</IfModule>
</Files>

Found this in my .htaccess and everything works now that I removed it. Problem is that I don’t know how it ended up there in the first place. It happens every time I clear my browser cookies.

It’s happening to me too. Which .htaccess did you delete? From what folder?

What I mentioned earlier isn’t a solution because you’ll be locked out again if you clear your cookies. To answer your question, there is an .htaccess in the matomo/config directory that has deny all directives. Deleting that may get you into matomo for now, but you’ll be locked out again if you clear cookies from your browser.

We need a real detailed solution. The .htaccess file is generated by Matomo so I don’t know why there isn’t an option to turn off that kind of security. Not sure if this is a Matomo or Openlitespeed issue.

Also experiencing this issue after recent upgrade to 4.0.3 - Ubuntu/Nginx. Yet another crippling/show stopping regression.

@Lukas you mentioned Nginx as if this is a known issue. Could you please link any current workarounds?

I think it’s an ssl issue - potentially.
If I set up a matomo instance it will work all day until finally it locks me out if I clear my cache/cookies. I can only get in if I connect it to cloudflare and add proxy_client_headers[] = HTTP_CF_CONNECTING_IP - after some time it will let me log in.

The problem is that my site has ssl and I don’t need cloudflare. I’m also not behind a proxy to my knowledge. I’m using openlitespeed with quic.cloud. Or maybe quic.cloud is a proxy but I have no idea what to put in my config in order to make it work.

The one nginx issue I am aware of is the one I described here:

Same issue using Apache. No luck after deleting the .htaccess file in matomo/config. I did also try the various proxy_client_headers settings. Locked out in all cases.
Any hint? Thanks in advance

I have a matomo.domain.com instance, so using cloudflare for that particular domain seems to work for me. Use proxy_client_headers[] = HTTP_CF_CONNECTING_IP in config.ini
Won’t work immediately but if you check back in 30min to an hour it should let you in.

Ah. Didn’t think about waiting long enough. Thanks for the hint. I’ll try that.

Still no luck. Didn’t make a change.
I can see from other posts in the forum that this issue is shared by several other folks.
Could we get some feedback (and hopefully a fix) from the Matomo team? Thanks in advance.


A quick idea: Did you try deleting all cookies from the Matomo domain?

Yes, did that too.
I’ve just tried upgrading to 4.0.4. The whole process went smoothly (I even had the config.ini regenerated), but I still can’t log in through the browser.
I’m using the very standard version of the product, no customisation, no addition, no nothing. The app runs on a shared host (ionos 1and1) which I do not control at all, if that is of importance.
My understanding though is that the issue doesn’t seem related to the database, and until now I’ve never bumped into questions related to the use of proxies, so I doubt it is the case here.
Any idea on the possible cause? Thanks

Having the same problem with all client websites at Ionos 1and1.

I have the same problem:

After updating to Matomo 4.0.4, I can no longer log in.

I get the error message:

Error: security checks failed. Please reload the form and check whether your browser allows cookies. If you use a proxy server, you have to set up Matomo so that it accepts proxy headers.

I’ve already tested the tips from https://matomo.org/faq/how-to-install/#faq_98.

I am on an Ionos 1and1 managed server.

Does anyone know a solution?

Hi @GFC, @AndreasBW and @Lamy,

Do you use HTTPS? Is your Matomo installed in the root directory or some subdirectory (e.g. https://yoursite.example/matomo/)?

The solution is: Log in from https://domain.com instead of https://www.domain.com.
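
The hostname mismatches discussed in this thread (the `$_SERVER['SERVER_NAME']` tip and the www versus bare-domain login) can be checked with a small diagnostic like the one below. It is an added example, not part of the thread and not Matomo's own code: it is a simplified model of the comparison the error message points at, and `normalize_host`, `check_form_hosts`, `$proxyHostKeys` and the sample values are hypothetical names and constructed data.

```php
<?php
// Added diagnostic sketch (not Matomo code): compare the hostnames PHP sees
// with the hostname Matomo is expected to be reached on.
function normalize_host(?string $host): string
{
    // Lower-case and drop any :port suffix so "Domain.com:443" equals "domain.com".
    return strtolower(preg_replace('/:\d+$/', '', trim((string) $host)));
}

/**
 * @param array    $server        $_SERVER-style array
 * @param string   $expectedHost  hostname Matomo should be reached on (you supply it)
 * @param string[] $proxyHostKeys $_SERVER keys a proxy uses to forward the Host header
 * @return string[] findings; empty when all hostnames agree
 */
function check_form_hosts(array $server, string $expectedHost, array $proxyHostKeys = []): array
{
    $findings = [];
    $expected = normalize_host($expectedHost);
    // Effective host: a forwarded value is used only if its key was listed by the caller.
    $effective = normalize_host($server['HTTP_HOST'] ?? '');
    foreach ($proxyHostKeys as $key) {
        if (!empty($server[$key])) {
            // Proxies may send a comma-separated chain; the first entry is the original host.
            $effective = normalize_host(explode(',', $server[$key])[0]);
            break;
        }
    }
    if (normalize_host($server['SERVER_NAME'] ?? '') !== $expected) {
        $findings[] = "SERVER_NAME is '" . ($server['SERVER_NAME'] ?? '') . "', expected '$expected'";
    }
    if ($effective !== $expected) {
        $findings[] = "request host is '$effective', expected '$expected'";
    }
    $refererHost = normalize_host(parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST) ?: '');
    if ($refererHost === '') {
        $findings[] = 'no usable Referer header reached PHP';
    } elseif ($refererHost !== $effective) {
        $findings[] = "Referer host '$refererHost' differs from request host '$effective'";
    }
    return $findings;
}

// Constructed sample: form opened on the www host, Matomo expected on the bare domain.
$sample = [
    'SERVER_NAME'  => 'domain.com',
    'HTTP_HOST'    => 'www.domain.com',
    'HTTP_REFERER' => 'https://www.domain.com/index.php',
];
print_r(check_form_hosts($sample, 'domain.com'));
```

To inspect a live request, pass `$_SERVER` instead of `$sample`, and remove the script from the web root afterwards, since it reveals how the server sees incoming requests.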