Enable “Only track visits and actions when the action URL starts with one of the above URLs” by default for new websites #24291

@sgiehl

Summary

Matomo currently allows tracking requests for a website ID even when the tracked action URL does not match one of the configured site URLs, unless the setting "Only track visits and actions when the action URL starts with one of the above URLs" is manually enabled.

I’d like to propose enabling this setting by default for newly created websites.

Problem

The current default is permissive and can lead to accidental tracking of visits and actions from domains that were never intended to belong to the website configuration.

This can happen for example when:

  • the same tracking code is accidentally reused on another domain
  • a staging, QA, preview, or development environment is tracked unintentionally
  • a site is cloned or migrated and the tracking snippet remains in place
  • users assume configured URLs are enforced automatically, when in fact they are not unless this option is enabled

As a result, data from unrelated or unconfigured domains can end up in the same Matomo website, which is often only discovered after reports have already been polluted.

Proposed change

Enable "Only track visits and actions when the action URL starts with one of the above URLs" by default for new websites.

This would preserve current behavior for existing installations while making new setups safer out of the box.

Impact

Positive impact

  • prevents accidental data pollution from unconfigured domains
  • improves trust in collected analytics data
  • reduces confusion for users who expect configured site URLs to be enforced
  • lowers the risk of staging or test traffic being mixed into production reporting
  • reduces support and troubleshooting effort caused by cross-domain misconfiguration
  • aligns the default with the principle of least surprise and safer-by-default behavior

Potential downsides

  • some users may currently rely on the more permissive behavior without realizing it
  • setups involving multiple related domains or subdomains may require those URLs to be configured explicitly
  • users with unusual tracking flows may need to disable the setting manually after website creation

These tradeoffs seem acceptable because explicit configuration is generally preferable to silent over-collection.

Benefits

1. Safer default behavior

A new Matomo website would behave more defensively from day one, reducing the chance of unintended tracking.

2. Cleaner analytics data

Reports would more reliably reflect the domains the user actually configured, instead of silently including traffic from other environments or copied implementations.

3. Better user expectations

Many users reasonably assume that the configured website URLs define what is allowed to be tracked. Making this setting default would better match that expectation.

4. Fewer support issues

This change could help avoid bug reports and support requests caused by accidental tracking on unrelated domains.

5. Stronger privacy and governance posture

Restricting collection to explicitly configured domains is a better default from a data governance perspective.

Expected result

New Matomo websites would only track visits and actions whose action URL matches one of the configured website URLs unless the user intentionally chooses otherwise.

That would make Matomo more predictable, safer by default, and less prone to accidental misconfiguration.
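
An added example, not part of the issue and not Matomo's code: a small Python audit that applies an allow-list rule like the one the setting describes to recorded action URLs and counts, per host, the hits that would be dropped. The matching rules (scheme and port ignored, exact host, path matched on a segment boundary), the function names and all sample URLs are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

def _host_path(url):
    """Return (lowercased host, path ending in "/") for comparison."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path if path.endswith("/") else path + "/"

def url_allowed(action_url, site_urls):
    """True when action_url falls under one of the configured site URLs.

    Assumption: scheme and port are ignored, the host must match exactly,
    and the path must match on a segment boundary, so a plain string
    prefix such as "https://example.com" does not admit
    "https://example.com.clone.test/".
    """
    host, path = _host_path(action_url)
    for site_url in site_urls:
        s_host, s_path = _host_path(site_url)
        if host and host == s_host and path.startswith(s_path):
            return True
    return False

def audit(hits, site_urls):
    """Count hits per host that a strict allow-list would have dropped."""
    rejected = Counter()
    for action_url in hits:
        if not url_allowed(action_url, site_urls):
            rejected[_host_path(action_url)[0] or "(no host)"] += 1
    return rejected

# Constructed sample data: configured URLs and recorded action URLs.
SITE_URLS = ["https://example.com", "https://shop.example.com/store"]
HITS = [
    "https://example.com/pricing",
    "https://EXAMPLE.com/",
    "https://shop.example.com/store/cart",
    "https://shop.example.com/storefront",     # same string prefix, other path segment
    "https://staging.example.com/pricing",     # unconfigured subdomain
    "https://staging.example.com/checkout",
    "https://example.com.clone.test/pricing",  # same string prefix, other host
    "http://localhost:8080/pricing",           # development environment
]

if __name__ == "__main__":
    for host, count in audit(HITS, SITE_URLS).most_common():
        print(f"{count:3d}  {host}")
```

Running the same audit against action URLs exported from an existing website shows which hosts need to be added to the configuration before the setting is switched on.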

Labels: Enhancement (for new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.)
