Typo3 Security

What it does

This skill, "Typo3 Security," helps AI agents harden Typo3 websites by applying security best practices based on dirnbauer’s expertise. It focuses on configuring critical settings within the config/system/settings.php file to improve backend and frontend security. The skill is compatible with TYPO3 version 14.x and emphasizes utilizing existing TYPO3 APIs rather than creating custom solutions.

When to use it

• When securing a new Typo3 v14 installation.
• During routine security audits of an existing Typo3 website.
• To enforce stricter password policies on backend user accounts.
• To disable debug mode in production environments.

Key capabilities

• Disables debugging in production (BE.debug and FE.debug).
• Configures session locking based on IP address (BE.lockIP, BE.lockIPv6, FE.lockIP).
• Sets session timeouts for both backend and frontend users (BE.sessionTimeout, FE.sessionTimeout).
• Enforces HTTPS requirements for the backend (BE.lockSSL).
• Implements Argon2id password hashing for improved security.
• Provides guidance on enforcing HTTPS at the web server/proxy level using HSTS.

Example prompts

• "Harden the Typo3 backend security settings."
• "Disable debug mode in the Typo3 frontend configuration."
• "Set the backend session timeout to 1 hour."
• “Apply Argon2id password hashing for all TYPO3 users.”

Tips & gotchas

• This skill is specifically designed for Typo3 version 14.x. Compatibility with other versions is not guaranteed.
• FE.lockSSL has been removed in v12; enforce HTTPS at the web server/proxy level instead, using HSTS headers.
• Always consult the official TYPO3 documentation to verify API availability and avoid deprecated methods.