Security & Privacy

Security considerations and Content Security Policy configuration.

Content Security Policy (CSP)

Nonce

If you use a CSP header with a nonce attribute, pass it to the initialization function:

trackPagesRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  nonce: "your-nonce-value",
});

Trusted Types

If you use strict Trusted Types, allow the script tag creation by adding the policy name:

Content-Security-Policy: require-trusted-types-for 'script'; trusted-types matomo-next;

You can set a custom policy name:

trackPagesRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  trustedPolicyName: "your-custom-policy-name",
});

Privacy & GDPR

GDPR-Compliant Tracking

Enable cookie-less tracking for better GDPR compliance:

Pages Router:

trackPagesRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  disableCookies: true,
});

App Router:

trackAppRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  pathname,
  searchParams,
  disableCookies: true,
});

Exclude Sensitive Routes

Prevent tracking of specific URLs:

Pages Router:

trackPagesRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  excludeUrlsPatterns: [/^\/admin/, /\?token=/],
});

App Router:

trackAppRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  pathname,
  searchParams,
  excludeUrlsPatterns: [/^\/admin/, /\?token=/],
});

Clean URLs

Remove sensitive data from tracked URLs:

Pages Router:

trackPagesRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  cleanUrl: true,
});

App Router:

trackAppRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  pathname,
  searchParams,
  cleanUrl: true,
});

Debug Mode

Enable debug logging during development:

Pages Router:

trackPagesRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  debug: process.env.NODE_ENV === "development",
});

App Router:

trackAppRouter({
  url: MATOMO_URL,
  siteId: MATOMO_SITE_ID,
  pathname,
  searchParams,
  debug: process.env.NODE_ENV === "development",
});

Next Steps

Advanced Configuration - All available options, HeartBeat timer, debug mode, callbacks
Events - Track custom events
Heatmap & Session Recording - User behavior tracking

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security

docs/security.md

Security & Privacy

Content Security Policy (CSP)

Nonce

Trusted Types

Privacy & GDPR

GDPR-Compliant Tracking

Exclude Sensitive Routes

Clean URLs

Debug Mode

Next Steps

There aren’t any published security advisories

Security: maxgfr/matomo-next

Security

docs/security.md

Security & Privacy

Content Security Policy (CSP)

Nonce

Trusted Types

Privacy & GDPR

GDPR-Compliant Tracking

Exclude Sensitive Routes

Clean URLs

Debug Mode

Next Steps

There aren’t any published security advisories