karmark
(Henrik)
December 29, 2025, 10:35pm
1
Hi
I have moved my complete installation to a new webhost and I’m logged out.
When I try to login I get: “The form security failed because of invalid origin. If you previously connected using HTTPS, please ensure you are connecting over a secure (SSL/TLS) connection and try again.”
mritzmann
(Markus)
December 30, 2025, 11:04am
2
I don’t know how Matomo does this technically, but cookies are sometimes involved in such checks. Does logging in work in a private browser window?
karmark
(Henrik)
December 30, 2025, 12:16pm
3
No, there is no difference, and I have tried from Chrome, Edge, etc.
mritzmann
(Markus)
December 30, 2025, 3:52pm
4
Can you post your config/config.ini.php? (remove secrets beforehand)
karmark
(Henrik)
December 30, 2025, 4:18pm
5
The config is at the bottom.
BTW, I have now tried to install a new version on a different URL at the new host, and it gives the same failure as the old installation - the issue must be in the server settings.
```ini
; DO NOT REMOVE THIS LINE
; file automatically generated or modified by Matomo; you can manually override the default values in global.ini.php by redefining them in this file.
[database]
host = "localhost"
username = "XXXXXX"
password = "XXXXXX"
dbname = "XXXXXX"
tables_prefix = "XXXXXX"
adapter = "MYSQLI"
charset = "utf8mb4"
collation = "utf8mb4_general_ci"
[General]
salt = "xxxxx"
trusted_hosts = "matomo URL"
[PluginsInstalled]
PluginsInstalled = "Diagnostics"
PluginsInstalled = "Login"
PluginsInstalled = "CoreAdminHome"
PluginsInstalled = "UsersManager"
PluginsInstalled = "SitesManager"
PluginsInstalled = "Installation"
PluginsInstalled = "Monolog"
PluginsInstalled = "Intl"
PluginsInstalled = "JsTrackerInstallCheck"
PluginsInstalled = "CoreVue"
PluginsInstalled = "CorePluginsAdmin"
PluginsInstalled = "CoreHome"
PluginsInstalled = "WebsiteMeasurable"
PluginsInstalled = "IntranetMeasurable"
PluginsInstalled = "CoreVisualizations"
PluginsInstalled = "Proxy"
PluginsInstalled = "API"
PluginsInstalled = "Widgetize"
PluginsInstalled = "Transitions"
PluginsInstalled = "LanguagesManager"
PluginsInstalled = "Actions"
PluginsInstalled = "Dashboard"
PluginsInstalled = "MultiSites"
PluginsInstalled = "Referrers"
PluginsInstalled = "UserLanguage"
PluginsInstalled = "DevicesDetection"
PluginsInstalled = "Goals"
PluginsInstalled = "Ecommerce"
PluginsInstalled = "SEO"
PluginsInstalled = "Events"
PluginsInstalled = "UserCountry"
PluginsInstalled = "GeoIp2"
PluginsInstalled = "VisitsSummary"
PluginsInstalled = "VisitFrequency"
PluginsInstalled = "VisitTime"
PluginsInstalled = "VisitorInterest"
PluginsInstalled = "RssWidget"
PluginsInstalled = "Feedback"
PluginsInstalled = "TwoFactorAuth"
PluginsInstalled = "CoreUpdater"
PluginsInstalled = "CoreConsole"
PluginsInstalled = "ScheduledReports"
PluginsInstalled = "UserCountryMap"
PluginsInstalled = "Live"
PluginsInstalled = "PrivacyManager"
PluginsInstalled = "ImageGraph"
PluginsInstalled = "Annotations"
PluginsInstalled = "MobileMessaging"
PluginsInstalled = "Overlay"
PluginsInstalled = "SegmentEditor"
PluginsInstalled = "Insights"
PluginsInstalled = "Morpheus"
PluginsInstalled = "Contents"
PluginsInstalled = "BulkTracking"
PluginsInstalled = "Resolution"
PluginsInstalled = "DevicePlugins"
PluginsInstalled = "Heartbeat"
PluginsInstalled = "Marketplace"
PluginsInstalled = "ProfessionalServices"
PluginsInstalled = "UserId"
PluginsInstalled = "CustomJsTracker"
PluginsInstalled = "Tour"
PluginsInstalled = "PagePerformance"
PluginsInstalled = "CustomDimensions"
PluginsInstalled = "FeatureFlags"
PluginsInstalled = "AIAgents"
```
mritzmann
(Markus)
December 30, 2025, 5:14pm
6
For test only, not for productive use: Does it work if you set the following option?
```ini
[General]
enable_trusted_host_check = 0
force_ssl = 0
```
Do you use Apache or NGINX?
mritzmann
(Markus)
December 30, 2025, 5:16pm
7
Just to be sure: By “matomo URL” you mean a hostname?
Correct:
```ini
trusted_hosts[] = "example.com"
```
Not correct:
```ini
trusted_hosts[] = "https://example.com"
```
And does it work if you change trusted_hosts to trusted_hosts[]? (according to the FAQ)
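Added example, not part of the post above and not Matomo code: a small Python linter for the two `trusted_hosts` points just raised (bare hostname instead of a URL, and the `trusted_hosts[]` key form). The sample config is constructed, and `lint_trusted_hosts` is a name chosen here.

```python
import re

# Constructed sample config with placeholder values (not the poster's file).
SAMPLE_CONFIG = '''
[database]
host = "localhost"

[General]
salt = "xxxxx"
trusted_hosts = "https://example.com"
trusted_hosts[] = "analytics.example.com"
trusted_hosts[] = "example.com/matomo"
'''

# Matches both key forms; group 2 is "[]" when the array form is used.
LINE = re.compile(r'^(trusted_hosts)(\[\])?\s*=\s*(.*?)$')

def lint_trusted_hosts(ini_text):
    """Return (line_no, raw_value, problems) for each trusted_hosts line in [General]."""
    findings = []
    section = None
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(';'):
            continue                      # blank line or INI comment
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]          # section header such as [General]
            continue
        m = LINE.match(line)
        if not m or section != 'General':
            continue
        value = m.group(3)
        problems = []
        if m.group(2) is None:
            problems.append('key is not written as trusted_hosts[]')
        host = value.strip('"\'')
        if '://' in host:
            problems.append('contains a URL scheme; use the bare hostname')
            host = host.split('://', 1)[1]
        if '/' in host:
            problems.append('contains a path; use the bare hostname')
        if not host or ' ' in host:
            problems.append('not a hostname')
        findings.append((no, value, problems))
    return findings

if __name__ == '__main__':
    for no, value, problems in lint_trusted_hosts(SAMPLE_CONFIG):
        print(no, value, problems or 'ok')
```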
karmark
(Henrik)
December 31, 2025, 11:07am
8
No, it does not work.
The server is a LiteSpeed Webserver
karmark
(Henrik)
December 31, 2025, 11:09am
9
Makes no difference if it is: trusted_hosts or trusted_hosts
It has always been with trusted_hosts
And yes, the URL is without https etc.
mritzmann
(Markus)
December 31, 2025, 11:48am
10
When I google the error, I find the following:
If I understand correctly, the cause in all cases was a Referrer-Policy header. It is possible that such a header is set by LiteSpeed. Does your hosting provider offer an option to enable/disable this?
Please post the output of: `curl -I https://yourmatomo
karmark
(Henrik)
December 31, 2025, 4:19pm
11
```
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
X-Powered-By: PHP/8.3.28
X-Matomo-Request-Id: 02ed6
Cache-Control: no-store, must-revalidate
Content-Type: text/html; charset=utf-8
X-Frame-Options: sameorigin
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' 'unsafe-eval' data:;
Date: Wed, 31 Dec 2025 16:19:00 GMT
Server: LiteSpeed
edit: Set-Cookie (.) "$1;HttpOnly;Secure"
setifempty: Referrer-Policy: same-origin
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
edit: Set-Cookie "(?i)^(. )$" "$1; HttpOnly"
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
```
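Added example, not part of the thread: a Python check over `curl -I` output like the one posted above. It lists every Referrer-Policy value and flags header names that are mod_headers action keywords (`edit`, `setifempty`), on the assumption that such lines are `Header` directives sent to the client literally rather than applied; `parse_headers` and `audit` are names chosen here.

```python
# Action keywords of Apache mod_headers' "Header" directive. One of these
# appearing as a response header *name* is treated here (assumption) as a
# directive that was emitted literally instead of being applied.
HEADER_ACTIONS = {"set", "setifempty", "append", "add", "merge",
                  "unset", "echo", "edit", "edit*", "note"}

# Subset of the response posted above, with quotes normalised to ASCII.
SAMPLE = """HTTP/1.1 200 OK
X-Frame-Options: sameorigin
Referrer-Policy: strict-origin-when-cross-origin
Server: LiteSpeed
edit: Set-Cookie (.) "$1;HttpOnly;Secure"
setifempty: Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
"""

def parse_headers(raw):
    """Split a `curl -I` dump into (status_line, [(name, value), ...])."""
    lines = [l.rstrip("\r") for l in raw.splitlines() if l.strip()]
    if not lines:
        return "", []
    pairs = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return lines[0], pairs

def audit(raw):
    """Report leaked directives and every Referrer-Policy value seen."""
    _, pairs = parse_headers(raw)
    report = {"leaked_directives": [], "referrer_policy": [], "intended_policy": []}
    for name, value in pairs:
        if name.lower() in HEADER_ACTIONS:
            report["leaked_directives"].append((name, value))
            # A leaked directive may name the header it was meant to set.
            target, sep, rest = value.partition(":")
            if sep and target.strip().lower() == "referrer-policy":
                report["intended_policy"].append(rest.strip())
        elif name.lower() == "referrer-policy":
            report["referrer_policy"].append(value)
    # True when a leaked directive asked for a policy that was not the one sent.
    report["conflict"] = bool(
        set(report["intended_policy"]) - set(report["referrer_policy"]))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```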