@jenrol opened this Issue on February 25th 2021


The matomo_lang cookie is not served as httpOnly, which was flagged by a pentest of our app. For use in high security or regulated industries, this can be a dealbreaker.

Your Environment

  • Matomo Version: 4.1.1
  • PHP Version: 7.4.7
  • Server Operating System: Amazon Linux
  • Additionally installed plugins: none
@sgiehl commented on February 25th 2021 Member

Hi @jenrol
Thanks for creating the issue. I will create a PR to change that behavior.

This Issue was closed on February 25th 2021
Powered by GitHub Issue Mirror