| name | typo3-security |
| description | Hardens TYPO3 v14 installations and extensions with secure configuration, trusted hosts, file permissions, Install Tool protection, backend user security, MFA, CSP, QueryBuilder usage, XSS defenses, and CSRF checks. Use when the user asks about TYPO3 security, hardening, permissions, authentication, CSP, SQL injection, XSS, CSRF, or go-live security readiness. |
| compatibility | TYPO3 14.x |
| metadata | {"version":"2.0.0","origin":"webconsulting"} |
| license | MIT / CC-BY-SA-4.0 |
TYPO3 Security Hardening
Source: https://github.com/dirnbauer/webconsulting-skills
Compatibility: TYPO3 v14.x
All security configurations in this skill work on TYPO3 v14.
TYPO3 API First: Always use TYPO3's built-in APIs, core features, and established conventions before creating custom implementations. Do not reinvent what TYPO3 already provides. Always verify that the APIs and methods you use exist and are not deprecated in TYPO3 v14 by checking the official TYPO3 documentation.
1. Critical Configuration Settings
config/system/settings.php (TYPO3 v14)
<?php
return [
'BE' => [
'debug' => false,
'lockIP' => 4,
'lockIPv6' => 8,
'sessionTimeout' => 3600,
'lockSSL' => true,
'passwordHashing' => [
'className' => \TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2idPasswordHash::class,
'options' => [],
],
],
'FE' => [
'debug' => false,
'lockIP' => 0,
'sessionTimeout' => 86400,
'passwordHashing' => [
'className' => \TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2idPasswordHash::class,
'options' => [],
],
],
'SYS' => [
'displayErrors' => 0,
'devIPmask' => '',
'errorHandlerErrors' => E_ALL & ~E_NOTICE & ~E_DEPRECATED,
'exceptionalErrors' => E_ALL & ~E_NOTICE & ~E_WARNING & ~E_DEPRECATED,
'encryptionKey' => 'generate-unique-key-per-installation',
'trustedHostsPattern' => '(www\\.)?example\\.com',
'textfile_ext' => 'txt,html,htm,css,js,tmpl,ts,typoscript,xml,svg',
'mediafile_ext' => 'gif,jpg,jpeg,png,webp,svg,pdf,mp3,mp4,webm',
'features' => [
'security.backend.enforceReferrer' => true,
'security.frontend.enforceContentSecurityPolicy' => false,
'security.frontend.reportContentSecurityPolicy' => false,
],
],
'LOG' => [
'writerConfiguration' => [
\Psr\Log\LogLevel::WARNING => [
\TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
'logFile' => 'var/log/typo3-warning.log',
],
],
\Psr\Log\LogLevel::ERROR => [
\TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
'logFile' => 'var/log/typo3-error.log',
],
\TYPO3\CMS\Core\Log\Writer\SyslogWriter::class => [],
],
],
],
];
2. Trusted Hosts Pattern
CRITICAL: Always configure trustedHostsPattern to prevent host header injection.
'trustedHostsPattern' => '.*',
'trustedHostsPattern' => '(?:example\\.com|www\\.example\\.com)',
'trustedHostsPattern' => '(.*\\.)?example\\.com',
'trustedHostsPattern' => '(?:(?:.*\\.)?example\\.com|.*\\.ddev\\.site)',
3. File System Security
fileDenyPattern (upload / public file access)
Keep Core’s deny list strict — extend only when you understand the risk:
Warning: setting fileDenyPattern replaces Core’s default pattern entirely. Always start from the v14 default (\\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\\..*)?$|\\.pl$|^\\.htaccess$) and append — never drop pht, phpsh, shtml, or ^\.htaccess$.
$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] = '\\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi|sh|bash|py|asp|aspx|jsp)(\\..*)?$|\\.pl$|^\\.htaccess$';
Directory Permissions
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 2775 {} \;
find /var/www/html -type f -exec chmod 664 {} \;
chmod 660 config/system/settings.php
chmod 660 config/system/additional.php
chmod -R 2775 var/
chmod -R 2775 public/fileadmin/
chmod -R 2775 public/typo3temp/
Critical Files to Protect
Never expose these in public/:
❌ var/log/
❌ config/
❌ .env
❌ composer.json
❌ composer.lock
❌ .git/
❌ vendor/ (should be outside public)
.htaccess Security (Apache)
# public/.htaccess additions
# Block access to hidden files
<FilesMatch "^\.">
Require all denied
</FilesMatch>
# Block access to sensitive file types
<FilesMatch "\.(sql|sqlite|bak|backup|log|sh)$">
Require all denied
</FilesMatch>
# Block PHP execution in upload directories
<Directory "fileadmin">
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
</Directory>
# Security headers
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>
Nginx Security
# Block hidden files
location ~ /\. {
deny all;
}
# Block sensitive directories
location ~ ^/(config|var|vendor)/ {
deny all;
}
# Block PHP in upload directories
location ~ ^/fileadmin/.*\.php$ {
deny all;
}
# Security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
4. Install Tool Security
Disable Install Tool
rm var/transient/ENABLE_INSTALL_TOOL
Secure Install Tool Password
Generate strong password and store securely:
openssl rand -base64 32
Set the hashed password via the Install Tool or an environment-specific config/system/additional.php; never commit a placeholder or empty string.
IP Restriction for Install Tool
Restrict the Install Tool entry point (/typo3/install.php on Composer-based v14) to trusted IPs at the web-server level:
# Apache: in the vhost or .htaccess
<LocationMatch "^/typo3/install\.php">
Require ip 203.0.113.0/24
Require ip 198.51.100.42
</LocationMatch>
# Nginx
location = /typo3/install.php {
allow 203.0.113.0/24;
allow 198.51.100.42;
deny all;
# ...existing fastcgi_pass / include snippet...
}
Note: $GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] only governs exposure of dev/debug tooling (e.g. the admin panel and debug output) — it does not restrict or authenticate the Install Tool. Lock the Install Tool down at the web server (above) in addition to setting a strong installToolPassword.
5. Backend User Security
Strong Password Policy (TYPO3 v14)
<?php
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'] = 'default';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']['default'] = [
'validators' => [
\TYPO3\CMS\Core\PasswordPolicy\Validator\CorePasswordValidator::class => [
'options' => [
'minimumLength' => 12,
'upperCaseCharacterRequired' => true,
'lowerCaseCharacterRequired' => true,
'digitCharacterRequired' => true,
'specialCharacterRequired' => true,
],
],
\TYPO3\CMS\Core\PasswordPolicy\Validator\NotCurrentPasswordValidator::class => [],
],
];
Multi-Factor Authentication (TYPO3 v14)
MFA is built into TYPO3 v14. Users can configure in:
User Settings > Account Security
Supported providers:
- TOTP (Time-based One-Time Password)
- Recovery Codes
Configure MFA enforcement in config/system/settings.php via $GLOBALS['TYPO3_CONF_VARS']['BE']['requireMfa']: 0 disabled, 1 all users, 2 non-admins, 3 admins only, 4 system maintainers only — confirm exact semantics in Core docs for your minor), or per user/group with user TSconfig auth.mfa.required:
# User or group TSconfig — require MFA for those accounts (overrides global when set)
auth.mfa.required = 1
See Multi-factor authentication.
Backend Access Logging
$GLOBALS['TYPO3_CONF_VARS']['LOG']['TYPO3']['CMS']['Backend']['Authentication']['writerConfiguration'] = [
\Psr\Log\LogLevel::INFO => [
\TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
'logFile' => 'var/log/backend-auth.log',
],
],
];
6. Content Security Policy (CSP)
Built-in CSP (TYPO3 v14)
TYPO3 v14 has built-in CSP support. Enable it:
Enable CSP through config/system/settings.php / Install Tool. Frontend toggles (names may evolve — verify in Core for your minor) commonly include:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.enforceContentSecurityPolicy'] and security.frontend.reportContentSecurityPolicy. Backend CSP is enforced by default since v13 — there is no equivalent FE-style toggle for BE.
CSP Configuration via Events (TYPO3 v14)
<?php
declare(strict_types=1);
namespace Vendor\Extension\EventListener;
use TYPO3\CMS\Core\Attribute\AsEventListener;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
#[AsEventListener(identifier: 'vendor-extension/csp-modification')]
final class ContentSecurityPolicyListener
{
public function __invoke(PolicyMutatedEvent $event): void
{
if (!$event->scope->type->isFrontend()) {
return;
}
$policy = $event->getCurrentPolicy()
->extend(Directive::ScriptSrc, new UriValue('https://cdn.example.com'))
->extend(Directive::StyleSrc, new UriValue('https://fonts.googleapis.com'));
$event->setCurrentPolicy($policy);
}
}
TypoScript CSP Headers (Alternative)
config.additionalHeaders {
10.header = Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; frame-ancestors 'self';
}
7. SQL Injection Prevention
ALWAYS Use QueryBuilder
<?php
declare(strict_types=1);
$result = $connection->executeQuery(
"SELECT * FROM pages WHERE uid = " . $_GET['id']
);
$queryBuilder = $this->connectionPool->getQueryBuilderForTable('pages');
$result = $queryBuilder
->select('*')
->from('pages')
->where(
$queryBuilder->expr()->eq(
'uid',
$queryBuilder->createNamedParameter($id, \TYPO3\CMS\Core\Database\Connection::PARAM_INT)
)
)
->executeQuery();
Extbase Repository Safety
<?php
declare(strict_types=1);
$query = $this->createQuery();
$query->matching(
$query->equals('uid', $id) // Safe - auto-escaped
);
8. XSS Prevention
Fluid Templates
{variable}
{variable -> f:format.raw()}
{variable -> f:format.htmlspecialchars()}
<f:format.html>{bodytext}</f:format.html>
Backend Forms
TCA automatically handles escaping. For custom fields:
'config' => [
'type' => 'input',
'max' => 255,
],
9. CSRF Protection
Backend Requests (TYPO3 v14)
TYPO3 backend automatically includes CSRF tokens. For custom AJAX:
<?php
declare(strict_types=1);
use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
final class MyController
{
public function __construct(
private readonly FormProtectionFactory $formProtectionFactory,
) {}
public function generateToken(): string
{
$formProtection = $this->formProtectionFactory->createFromRequest($this->request);
return $formProtection->generateToken('myFormIdentifier');
}
public function validateToken(string $token): bool
{
$formProtection = $this->formProtectionFactory->createFromRequest($this->request);
return $formProtection->validateToken($token, 'myFormIdentifier');
}
}
Frontend Forms (Extbase)
<f:form action="submit" controller="Contact" method="post">
<f:form.hidden name="__trustedProperties" value="{trustedProperties}" />
</f:form>
Appendix
For TYPO3 v14-specific hardening notes and related-skill links, see references/v14-notes.md. For go-live checklists, rate limiting, and remaining v14 security notes, see references/checklists.md.
Credits & Attribution
Source: https://github.com/dirnbauer/webconsulting-skills