Security, Reliability and Compliance

Security is a serious business when it comes to your website, that’s why it’s one of the top priorities for the TYPO3 CMS and community.

Hardening the Security

Introduced in version 9.2

Security has always been one of TYPO3’s top priorities and as we know, hardening the security of a system is an ongoing process.

TYPO3 stores various files in the “var/” directory, which is typically located under “typo3temp/var/”. Some of these files are for example Install Tool session files, caching framework files, files related to locking or logging, Extension Manager data files or files generated by TYPO3’s import/export or core update functions. Despite the fact that a properly configured web server and TYPO3 instance prevents accessing any sensible files in the “var/” directory, it is obvious that these are non-public files, which should better be located outside the web root.

As part of the ongoing effort to enhance the security of TYPO3 even further, the path to the “var/” directory can now be configured as an environment variable TYPO3_PATH_APP. The following configuration directive can be used by the Apache web server for example:

SetEnv TYPO3_PATH_APP /var/www/

This would instruct TYPO3 to create and use directory “/var/www/” whereas the web root should be “/var/www/”. If the environment variable is not set, non-composer installations of TYPO3 continue to use “typo3temp/var/” as the default. Composer-based installations benefit from this functionality directly, as data is stored within the project roots' folder under “var/”.


Multi-Factor Authentication (MFA)

Introduced in version 11.1

When you log in to the backend of TYPO3, you control a wide range of functions. Depending on your level of access, you can edit the contents of your company’s online presence, change business-critical data, or access highly sensitive user information. This great power needs to be protected so that only you have access to it.

Sometimes, a user name and password is just not secure enough. Multi-factor authentication (MFA) addresses this by adding a second factor to the login process or even multiple factors. The use of two factors is also referred to as two-factor authentication (2FA). When implemented correctly, MFA makes it significantly more difficult for an adversary to gain unauthorized access. That’s why MFA is considered one of the most effective security measures in information systems today.

When introducing an additional authentication method, it’s important to consider the user experience. If the login process becomes too cumbersome and complicated, users don’t configure it and miss out on an increased security level.

With our users at front-of-mind, we implemented a modern, secure, easy-to-use, and flexible MFA solution in TYPO3 version 11.1. You could say: "Your key to the galaxy!"

Once an administrator has activated an MFA provider, backend users can use it as a second authentication method for their login process. Typical providers are, for example, time-based one-time password (TOTP), counter-based one-time password, or WebAuthn. WebAuthn is a state-of-the-art web standard published by the World Wide Web Consortium (W3C) and supported by modern versions of Chrome, Firefox, and Edge browsers.

Following our promise to let TYPO3 site owners customize as many aspects of an instance as possible, the MFA implementation in TYPO3 allows developers to create additional providers. Check out the working examples “mfa_yubikey” (by Torben Hansen), “mfa_hotp” (by Oliver Bartsch), and “mfa_webauthn” (by Benjamin Franzke).



Secure Password Reset/Recovery

Introduced in version 10.4

Another notable new feature in TYPO3 v10 LTS is the “password recovery” function for backend users. Previously, administrators created backend user accounts and assigned passwords. They then had to provide the users with their access details. The same applied to cases where users forgot their passwords. From a security perspective, this is not considered state-of-the-art anymore. Administrators should not need to deal with user passwords at all.

In TYPO3 v10 LTS, administrators can trigger a password reset for users in the TYPO3 backend. Backend users are now also able to request a password-reset email in a secure way.

To ensure a high standard, we have built a number of security features into this function.

  • No information about existing users is disclosed.
  • The link in the email is only valid for a limited time.
  • There is a rate limit on how often a recovery email can be requested.

On systems that have special security requirements, the function can also be deactivated for administrator accounts. Alternatively, the function can be completely disabled for all users. This may become relevant in installations with third-party integrations such as LDAP or OAuth.



Frontend Login Improvements

Introduced in version 10.4

The frontend login functionality provides a simple way for users to log in and access restricted areas of a website. The feature has been migrated and uses the Extbase programming framework and the Fluid templating engine in TYPO3 v10 LTS.

This solution offers developers and integrators a few advantages:

Customize the appearance: Update or completely change appearance by simply modifying the Fluid templates. This includes not only the login form and other functions visible at the frontend, but also emails that go out to end-users, for example password recovery emails.

More strict security: Another exciting effect of the switch to Extbase applies to so-called “validators” — a piece of PHP code that is used to validate if a password meets certain security requirements. Developers and integrators alike can now adjust and modify these validators and enforce strict password restrictions.

This enhanced flexibility in TYPO3 v10 LTS allows agencies to highly customize the login functionality for frontend users.