Securing a TYPO3 installation is a shared responsibility across everyone involved: system administrators, integrators, developers and editors. This guide draws on the official TYPO3 Security Guide and pulls together all the security measures that matter.

Last updated: 3rd December 2025 – incl. TYPO3 v14.0 (upcoming LTS release)

Security Team

Responsibilities, reporting vulnerabilities

Versions & Updates

Support cycles, Update categories

Threats

SQLi, XSS, CSRF, RCE

Quick Checklist

Sorted by priority – critical measures first.

Critical – Implement Immediately

HTTPS enabled – TLS 1.2+ for all connections, HSTS header set trustedHostsPattern – Only allowed domains, never .* in production Error output disabled – displayErrors = 0, devIPmask = ''Current LTS version – TYPO3 12 or 13 LTS with latest patches Extensions up to date – All extensions up to date, unused ones removed

High – Authentication & Access

MFA enabled – Multi-Factor Authentication for all admin accounts Install Tool secured – ENABLE_INSTALL_TOOL removed, strong password Rate Limiting active – loginRateLimit configured (v13+: native, v12: fail2ban)Minimal permissions – Users only have necessary permissions (PoLP)

Medium – Infrastructure

Database isolated – Not accessible from the internet, dedicated user Composer installation – TYPO3 via Composer, regular composer auditSensitive files blocked – .sql, .yaml, composer.* not accessible Security Headers set – HSTS, X-Frame-Options, CSP configured

Maintenance & Recovery

Backups available – Regular backups, restore tested Subscribed to Security Bulletins – Informed about new vulnerabilities Emergency plan documented – Response plan in case of a security incident

TYPO3 Security Team

The TYPO3 Security Team coordinates and communicates security vulnerabilities across the entire TYPO3 ecosystem.

Responsibilities

Receiving and verifying security reports
Coordination with Core and Extension developers
Publishing Security Bulletins and patches
Maintaining the Security Advisories database

Reporting vulnerabilities

E-mail: security@typo3.org (encryption possible)
Never publicly: No GitHub issues, no Forge tickets
Responsible Disclosure: Coordinated publication after patch
Acknowledgement: Credits in Security Bulletins

Important: No public discussion

Security vulnerabilities must never be discussed publicly before a patch is available. Doing so hands attackers an advantage and puts every TYPO3 installation worldwide at risk.

Versions & Updates

Choosing the right TYPO3 version and sticking to a consistent update strategy are fundamental security decisions.

Support Cycles

Version	Type	Regular Support	ELTS Available	PHP Version
TYPO3 14	Upcoming LTS (April 2026)	Until ~April 2029	Yes (afterwards)	PHP 8.2+
TYPO3 13	LTS	Until December 2027	Yes (afterwards)	PHP 8.2+
TYPO3 12	LTS	Until April 2026	Yes (afterwards)	PHP 8.1+
TYPO3 11	LTS	Ended	Yes (paid)	PHP 7.4–8.3
Sprint Releases	Development	No support	No	varies

TYPO3 v14 – upcoming LTS release

TYPO3 v14.0 was released on 25th November 2025. The LTS version (v14.4) is planned for April 2026. Until then, features and settings may still change. PHP 8.2+ is required.

ELTS – Extended Long Term Support

Once regular support ends, you can still get critical security updates through the paid ELTS programme . This matters for legacy systems that can't be migrated straight away.

Update Categories

Maintenance Releases

Bug fixes and minor improvements
Plannable within the regular sprint rhythm
Example: 12.4.10 → 12.4.11

Security Releases

Fix critical security vulnerabilities
Immediate installation required (24h target)
Published on Tuesdays (coordinated)

Security Releases: Time-critical!

Because TYPO3 is open source, attackers can study the code changes and build exploits the moment a patch ships. Apply Security Releases within 24 hours.

Threat Types

To protect TYPO3 systems effectively, you first need to understand the most common attack vectors.

General Guidelines

These core principles apply to every role and underpin any security strategy.

Password Hygiene

Requirements

At least 12 characters (better: 16+)
Upper/lower case letters, numbers, special characters
No personal data or dictionary words
Use a password manager

Organisational

A unique password for every service
No "Stay logged in" on shared devices
Never share passwords via e-mail or chat
Regular rotation according to security policy

Staying Informed

Security Bulletins: typo3.org/security
Newsletter: Subscribe to TYPO3 Security Announcements
RSS Feed: Automatic notification of new advisories

Client Security

All devices accessing the TYPO3 backend must be secured:

Keep operating system and browser up to date
Enable anti-virus software and firewall
No installation of software from unknown sources
VPN for access from public networks

System Admin

System administrators own the server infrastructure, and with it the foundation on which every other security measure rests.

HTTPS Encryption

Mandatory for all production systems

Without HTTPS, login credentials, session cookies and sensitive content can all be intercepted. No production system should ever run without TLS.

TLS 1.2 as a minimum, TLS 1.3 preferred
Let's Encrypt for free certificates
Set HSTS header (forces HTTPS)
[BE][lockSSL] = true in TYPO3 configuration

File Permissions

Correct permissions prevent unauthorised access:

File Type	Permission	Reason
Directories	755	Read/execute for all, write only for owner
PHP files	644	No direct execution, only via web server
Configuration files	640	No access for "others"
Upload directories	775	Web server must be able to write

HTTP Access Restriction

Block access to sensitive files and directories:

nginx

# Block configuration files
location ~* /.*\.(?:bak|conf|cfg|yaml|yml|ts|sql|sqlite)$ {
    deny all;
}

# Block Composer files
location ~* composer\.(?:json|lock) {
    deny all;
}

# Block vendor and typo3_src
location ~ ^(?:vendor|typo3_src|typo3temp/var) {
    deny all;
}

# Block private extension directories
location ~ /(?:Configuration|Resources/Private|Tests)/ {
    deny all;
}

Disable Directory Indexing

Disable automatic directory listing to avoid information leaks:

Bash

Options -Indexes

nginx

autoindex off;

Security Headers

HTTP security headers add a crucial layer of defence against a range of attacks. The web server sends them to tell the browser how to behave securely.

Recommended Headers

Header	Value	Protection against
`Strict-Transport-Security`	`max-age=31536000; includeSubDomains`	Downgrade attacks, SSL stripping
`X-Frame-Options`	`SAMEORIGIN`	Clickjacking
`X-Content-Type-Options`	`nosniff`	MIME-type sniffing
`Referrer-Policy`	`strict-origin-when-cross-origin`	Information leaks
`Permissions-Policy`	`geolocation=(), microphone=()`	Unwanted API usage
`Content-Security-Policy`	Project-specific	XSS, Code injection

Configuration

nginx

# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

# Content-Security-Policy (adjust!)
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-ancestors 'self';" always;

Test Content-Security-Policy!

A misconfigured CSP can break the website entirely. Start with Content-Security-Policy-Report-Only, check the browser console for violations and only then switch the header on.

Verification

Test your security headers with these tools:

securityheaders.com – Quick analysis
Mozilla Observatory – Comprehensive security check
Browser DevTools → Network → Response Headers

Database Security

No web tools in production

phpMyAdmin, Adminer and similar tools must never be installed on production systems. They greatly enlarge the attack surface.

Backup Strategy

The official TYPO3 documentation recommends a tiered backup strategy:

Frequency	Composer Installation (v12+)	Classic (Legacy)	Retention
Daily	Database + `fileadmin/`	Database + `fileadmin/`	7 days
Weekly	DB + `fileadmin/` + `config/` + `var/log/`	DB + `fileadmin/` + `typo3conf/` + `uploads/`	4 weeks
Monthly	Full (+ `composer.lock`)	Full (incl. `typo3/` Core)	6 months
Yearly	Full archive	Full archive	Several years

Composer vs. Classic – What to back up?

Composer Installation (recommended):

config/ – System configuration (settings.php, sites/)
fileadmin/ – User uploads (FAL)
var/log/ – Logs for forensics (cache can be regenerated)
composer.json + composer.lock – Code is reproducible!

Classic Installation (Legacy):

typo3conf/ – Configuration + extensions
fileadmin/ + uploads/ – User files
typo3/ – Core files

Critical security rules for backups

Never store in the Document Root – Backups must not be publicly accessible
Encryption – Backups contain sensitive data (password hashes, customer data)
Offsite copy – Store at least one copy externally (ransomware protection)

Test restores regularly!

A backup is only as good as your last successful restore test. Rehearse the recovery process regularly in a separate environment and check for any missing data.

Integration & Configuration

Integrators configure TYPO3 and are responsible for getting the system settings right.

Securing the Install Tool

The Install Tool can make far-reaching changes to the system, so it needs particular protection:

ENABLE_INSTALL_TOOL file in var/transient/ (Composer) or typo3temp/var/transient/ (Classic)
Separate password (not the admin password!)
Auto-deletion after 60 minutes of inactivity

Forbidden: KEEP_FILE

The content KEEP_FILE inside the enable file prevents automatic deletion and is strictly off-limits in production environments.

Application Context (TYPO3_CONTEXT)

The Application Context lets you run different configurations per environment. This is critical for security, since debugging options should only ever be active in development.

Recommended Contexts

Context	Purpose	Debugging	Caching
`Production`	Live system	Disabled	Active
`Production/Staging`	Staging server	Disabled	Active
`Development`	Development	Enabled	Reduced
`Development/Local`	Local development	Enabled	Minimal
`Testing`	Automated tests	Enabled	Disabled

Configuration

Bash

# .htaccess
SetEnv TYPO3_CONTEXT Production

Context-specific Configuration

TYPO3 automatically loads additional configuration files based on the Context:

text

config/system/
├── settings.php              # Base configuration
├── additional.php            # Additional settings
└── additional_Production.php # Only loaded in Production
└── additional_Development.php # Only loaded in Development

Never forget the Production context!

If TYPO3_CONTEXT is unset, TYPO3 defaults to the Production context. Set the variable explicitly anyway to rule out configuration mistakes.

Official documentation: Application Context

Local Development with DDEV

DDEV is the recommended development environment for TYPO3 projects. This container-based solution offers clear security advantages over classic LAMP setups.

Security Advantages

Isolated environment – Projects run in separate containers
Automatic HTTPS – Local SSL certificates out-of-the-box
Consistent environment – Identical PHP version as Production
No local installation – No PHP/MySQL required on the host

Developer Productivity

Quick setup – ddev config && ddev start
Switch PHP version – Easily in .ddev/config.yaml
Integrated services – Redis, Solr, MailHog, Elasticsearch
Composer & Node – Fully integrated

Bash

# New project
mkdir my-typo3-project && cd my-typo3-project
ddev config --project-type=typo3 --php-version=8.2
ddev start
ddev composer create "typo3/cms-base-distribution:^12"
ddev launch

DDEV for Teams

Commit .ddev/config.yaml to the repository. That way every team member automatically gets an identical development environment, with no "works on my machine" surprises.

Global Configuration

All security-relevant settings in config/system/settings.php or config/system/additional.php:

PHP

<?php
// =====================================================
// BACKEND SECURITY (v12+)
// =====================================================

// Force HTTPS for backend (CRITICAL) - v12+
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true;

// Security warnings via e-mail - v12+
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = 'security@example.com';
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_mode'] = 2;

// Session security - v12+
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockIP'] = 4;
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockIPv6'] = 8;
$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout'] = 3600;

// Cookie security - v12+
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite'] = 'strict';

// Password hashing - v12+ (Argon2id is the most secure algorithm)
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['className'] = 
    \TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2idPasswordHash::class;

// Password policies - v12+ (configurable password policies)
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'] = 'default';

// =====================================================
// FRONTEND SECURITY (v12+)
// =====================================================

// Prevent cache poisoning (CRITICAL) - v12+
// Default is false – recommended hardening measure: set to true
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] = true;

// Frontend session security - v12+
$GLOBALS['TYPO3_CONF_VARS']['FE']['lockIP'] = 2;
$GLOBALS['TYPO3_CONF_VARS']['FE']['lockIPv6'] = 2;

// Frontend password policies - v12+
$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordPolicy'] = 'default';

// =====================================================
// SYSTEM SECURITY (v12+)
// =====================================================

// Trusted Hosts Pattern (CRITICAL) - v12+
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] = 
    'www\.example\.com|example\.com';

// Do not display errors in frontend (CRITICAL) - v12+
$GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] = 0;

// Restrict DevIP - v12+
$GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = '';

// Referrer check for backend forms - v12+
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true;

// =====================================================
// CONTENT SECURITY POLICY (v12.3+)
// =====================================================

// Enable CSP for frontend - v12.3+
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.enforceContentSecurityPolicy'] = true;

// CSP for backend (enabled by default) - v12.3+
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceContentSecurityPolicy'] = true;

// =====================================================
// TYPO3 v13+ SPECIFIC SETTINGS
// =====================================================

// Force MFA for all admins - v13+ (alternatively via UserTSconfig)
// $GLOBALS['TYPO3_CONF_VARS']['BE']['requireMfa'] = 1; // v13+

// Rate limiting for login attempts - v13+
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimit'] = 5; // v13+
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimitInterval'] = '15 minutes'; // v13+
$GLOBALS['TYPO3_CONF_VARS']['FE']['loginRateLimit'] = 10; // v13+
$GLOBALS['TYPO3_CONF_VARS']['FE']['loginRateLimitInterval'] = '15 minutes'; // v13+

// IP lockout after too many failed attempts - v13+
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimitIpExcludeList'] = ''; // v13+

// Subresource Integrity (SRI) for assets - v13+
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.allowSvgScriptExecution'] = false; // v13+

// =====================================================
// TYPO3 v14+ SPECIFIC SETTINGS (upcoming LTS release)
// Attention: May change until the LTS version!
// =====================================================

// Store Install Tool session in Redis - v14+
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolSessionHandler'] =
    \TYPO3\CMS\Install\Service\Session\RedisSessionHandler::class; // v14+

// Redis connection options - v14+
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolSessionHandler']['options']['host'] = '127.0.0.1'; // v14+
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolSessionHandler']['options']['port'] = 6379; // v14+
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolSessionHandler']['options']['database'] = 2; // v14+

Critical settings for production

These three settings must be configured correctly in every production environment:

trustedHostsPattern – Regex for allowed domains (not .*!)
displayErrors = 0 – No error output
devIPmask = '' – No debug IPs

Users & Permissions

Principle of Least Privilege (PoLP)

Every user receives only the minimally necessary permissions:

Editors: Access only to relevant page trees and file areas
Administrators: No System Maintainer status unless required
System Maintainers: Restrict to an absolute minimum (1-2 people)

Multi-Factor Authentication (MFA)

Mandatory for admin accounts

MFA must be mandatorily enabled for all accounts with administrative rights. TYPO3 supports TOTP and recovery codes natively.

Extension Management

Only extensions from trusted sources (TER, Packagist)
Regular updates of all extensions
Remove unused extensions – every extension widens the attack surface
Watch the Security Bulletins for extensions too, not just the Core

Important: Security Bulletins only for TER extensions

The TYPO3 Security Team works reactively:

No automatic testing – Only a small percentage of TER extensions have been audited by the Security Team (Source)
Only when reported – The team only becomes active when someone reports a vulnerability to security@typo3.org
TER extensions only – Security Bulletins are published exclusively for extensions in the TER (Source)

Consequence for non-TER extensions

Extensions from private repos, GitHub, or non-TER Packagist packages will never receive Security Bulletins from the TYPO3 Security Team. (Source)

In practice: your development team carries full responsibility for security audits, vulnerability monitoring and patch management of these extensions.

The Process after a Report

When a vulnerability in a TER extension is reported, the Security Team follows the Extension Security Policy:

Notification – the Security Team confidentially informs the extension developer
Response required – the developer must show that the extension is actively maintained
Provide a fix – a patch is developed and tested in a private repository
Coordinated release – the Security Bulletin and the new extension version go out together

If the developer doesn't respond: the Security Team publishes a Removal Bulletin and the extension is removed from the TER. (Source)

TYPO3 shows security warnings after you log in to the backend. Take them seriously and resolve them promptly:

Outdated Core version
Insecure extensions
Missing configuration

Development

Developers carry a special responsibility, because insecure code puts the entire installation at risk.

Golden Rule

"Never trust user input" – treat all external data (GET, POST, cookies, headers) as potentially malicious and always validate it.

Input Validation

Validate all inputs on the server side:

Type checking: Integer, String, Boolean
Length limits: Maximum character count
Whitelist: Only accept permitted values
Encoding: Force UTF-8

Preventing SQL Injection

PHP

// NEVER use string concatenation with user input!
$query = "SELECT * FROM users WHERE email = '" . $userInput . "'";

Preventing XSS

Fluid escapes output by default. Note the exceptions:

Context	Protection
Fluid variables in HTML	Automatically escaped
`<f:format.raw>`	No escaping – never for user data!
ViewHelper arguments	Not escaped – escape manually!
JavaScript context	`JSON.stringify()` or `htmlspecialchars()`

Extbase Security

Property Mapping: Only accept explicitly allowed properties
__trustedProperties: Prevents mass assignment via cryptographic validation
Validation: Use Extbase validators for domain objects

Editors

Editors can inadvertently open up security holes through unsafe day-to-day practices.

Secure Content Entry

Use the Rich Text Editor instead of direct HTML
No unknown embeds (YouTube, Twitter, etc.) from untrusted sources
Check links before inserting them – no redirects to unknown domains
No scripts inside the RTE (often blocked, but not always)

Upload Guidelines

Permitted

Images: jpg, png, gif, svg, webp
Documents: pdf, docx, xlsx, pptx
Archives: zip (after checking)

Forbidden

Executables: php, exe, sh, bat
Web files: html, htm, js
Server files: htaccess, conf

Check file names: No special characters that enable injection
Observe file size: Report suspiciously large files
Verify origin: Do not upload files from unknown sources

Phishing Awareness

Never share login credentials via e-mail
Check URL before entering passwords
Report suspicious e-mails to IT
If unsure: Ask instead of clicking

Emergency

No matter how many precautions you take, a compromise can never be ruled out entirely. A clear emergency plan is essential.

Recognising the Signs

Obvious

Website shows foreign content (defacement)
Redirects to unknown domains
Search engine warnings ("This site may be hacked")
Unknown backend users

Subtle

Unusually high traffic/server load
Spam e-mails sent from the server
New files in upload directories
Changed timestamps on Core files

Immediate Measures

Step 1

Take the website offline

Immediately block access (maintenance page or IP block). This stops further damage and protects visitors.

Step 2

Secure the evidence

Preserve the current state: file system, database and logs. You will need these for forensic analysis.

Step 3

Change credentials

Immediately change all passwords: TYPO3 backend, database, FTP/SSH, hosting panel, e-mail.

Conduct Analysis

Recovery

No manual cleaning!

Manually "cleaning" a compromised system is extremely error-prone. Backdoors are easily missed and let attackers back in.

Recommended approach:

Identify a clean backup (created before the attack)
Fresh installation on a cleaned server
Restore database from backup
Update TYPO3 and extensions to the latest versions
Close the security hole that allowed the attack
Reset all passwords
Only then go live

Preventative Measures after Recovery

Document and fix the vulnerability
Conduct a security audit
Intensify monitoring
Train the team
Update incident response plan

Composer & Code Integrity

Only recommended installation path

The Composer installation is the only recommended path for production TYPO3 systems. Classic mode should be reserved for testing.

Security Advantages

Aspect	Composer	Classic
Package Verification	Checksums verified	Manual (if at all)
Update Security	Atomic updates	Dead code possible
Dependency Audit	`composer audit`	Not available
Reproducibility	`composer.lock`	Not guaranteed
Document Root	Separated	Everything public

Secure Update Strategy

Bash

# 1. Create backup
mysqldump -u user -p database > backup.sql

# 2. Update dependencies
composer update typo3/cms-* --with-dependencies

# 3. Conduct security audit
composer audit

# 4. Update database schema
vendor/bin/typo3 database:updateschema

# 5. Flush cache
vendor/bin/typo3 cache:flush

Summary

Use Composer

Our recommended installation path, with verified packages and secure updates

Update immediately

Apply Security Releases within 24 hours

Defense in Depth

Multiple security layers: server, application, users, processes

Resources

TYPO3 Security Guide – Official documentation
TYPO3 Security Team – Reporting vulnerabilities
Security Advisories – Current warnings
ELTS programme – Extended Long Term Support

TYPO3 Security Hardening: Production Best Practices

Auf einen Blick

Table of Contents

Quick Checklist

Critical – Implement Immediately

High – Authentication & Access

Medium – Infrastructure

Maintenance & Recovery

TYPO3 Security Team

Responsibilities

Reporting vulnerabilities

Versions & Updates

Support Cycles

Update Categories

Maintenance Releases

Security Releases

Threat Types

General Guidelines

Password Hygiene

Requirements

Organisational

Staying Informed

Client Security

System Admin

HTTPS Encryption

File Permissions

HTTP Access Restriction

Disable Directory Indexing

Security Headers

Recommended Headers

Configuration

Verification

Database Security

Backup Strategy

Integration & Configuration

Securing the Install Tool

Application Context (TYPO3_CONTEXT)

Recommended Contexts

Configuration

Context-specific Configuration

Local Development with DDEV

Security Advantages

Developer Productivity

Global Configuration

Users & Permissions

Principle of Least Privilege (PoLP)

Multi-Factor Authentication (MFA)

Extension Management

The Process after a Report

Security Warnings after Login

Development

Input Validation

Preventing SQL Injection

Preventing XSS

Extbase Security

Editors

Secure Content Entry

Upload Guidelines

Permitted

Forbidden

Phishing Awareness

Emergency

Recognising the Signs

Obvious

Subtle

Immediate Measures

Take the website offline

Secure the evidence

Change credentials

Conduct Analysis

Recovery

Preventative Measures after Recovery

Composer & Code Integrity

Security Advantages

Secure Update Strategy

Summary

Use Composer

Update immediately

Defense in Depth

Resources