Problem
The tracker proxy currently forwards the entire incoming Cookie header to the Matomo server whenever HTTP_COOKIE is present. In proxy.php, this happens via:
if (isset($_SERVER['HTTP_COOKIE'])) {
$header[] = "Cookie: " . $_SERVER['HTTP_COOKIE'];
}
That means all cookies from the tracked site are forwarded, not just Matomo-related ones.
Why this matters
In practice, this may include unrelated or potentially sensitive cookie values. Even if these values are not easy to obtain or expose through normal usage, forwarding all cookies seems broader than necessary from a security and privacy perspective.
Since the proxy is intended to preserve Matomo tracking behavior and correct cookie handling, it would be useful to make cookie forwarding more restrictive and configurable. The README also explicitly notes that correct Matomo cookie behavior is important when deploying the proxy.
Proposal
Introduce an optional configurable cookie allowlist for forwarded cookies.
Suggested behavior:
- By default, keep the current behavior for backward compatibility, or choose a safe default if maintainers prefer
- Add a config option that allows specifying which cookie names may be forwarded to Matomo
- When configured, only cookies on that allowlist should be included in the forwarded
Cookie header
- All other cookies should be dropped before the request is sent upstream
Expected use case
The allowlist would typically include all Matomo-related cookies, for example:
- tracking cookies
- opt-out cookie
- any other Matomo cookies needed for correct behavior
This would let users limit forwarding to the cookies that are actually relevant for Matomo, while avoiding forwarding unrelated site/application cookies.
Possible implementation idea
A config value in config.php, for example:
$COOKIE_ALLOWLIST = array(
'_pk_id',
'_pk_ses',
'mtm_consent',
'mtm_consent_removed',
'matomo_ignore',
// etc.
);
Then parse $_SERVER['HTTP_COOKIE'], keep only allowed cookie names, and rebuild the Cookie header before forwarding.
Problem
The tracker proxy currently forwards the entire incoming
Cookieheader to the Matomo server wheneverHTTP_COOKIEis present. Inproxy.php, this happens via:That means all cookies from the tracked site are forwarded, not just Matomo-related ones.
Why this matters
In practice, this may include unrelated or potentially sensitive cookie values. Even if these values are not easy to obtain or expose through normal usage, forwarding all cookies seems broader than necessary from a security and privacy perspective.
Since the proxy is intended to preserve Matomo tracking behavior and correct cookie handling, it would be useful to make cookie forwarding more restrictive and configurable. The README also explicitly notes that correct Matomo cookie behavior is important when deploying the proxy.
Proposal
Introduce an optional configurable cookie allowlist for forwarded cookies.
Suggested behavior:
CookieheaderExpected use case
The allowlist would typically include all Matomo-related cookies, for example:
This would let users limit forwarding to the cookies that are actually relevant for Matomo, while avoiding forwarding unrelated site/application cookies.
Possible implementation idea
A config value in
config.php, for example:Then parse
$_SERVER['HTTP_COOKIE'], keep only allowed cookie names, and rebuild theCookieheader before forwarding.