@Findus23 opened this Issue on August 31st 2018 Member

followup to #13193 and reported on the forum:

When assume_secure_protocol=1 is already set, Matomo shouldn't complain to setup SSL.

@cpoetter commented on April 11th 2019

I am seeing the same bug. Is there a timeline for a fix?

@Findus23 commented on May 23rd 2020 Member

Two years later I was again thinking about this and I'm not 100% sure if the current status isn't correct. If I am not mistaken force_ssl=1 tells Matomo that it is set up via HTTPS and it therefore should use only HTTPS URLs, secure cookies, etc.

assume_secure_protocol=1 alone does not force that, which means that if you use Matomo behind a reverse proxy that adds SSL, you still need to add force_ssl=1 to get secure cookies (as the system check reminds)

There is even a function in Matomo that checks this case:


Of course one could argue that assume_secure_protocol=1 should always automatically set force_ssl=1, but I am also not sure about that as that would make the meaning of force_ssl confusing.

In case I am wrong, changing the check is simply a matter of modifying this:


Powered by GitHub Issue Mirror