Security

A person with unrestricted access to your site can wreak considerable havoc very quickly. Security matters for any web site, and TYPO3 offers several distinct levels at which the integrity of your data and code can be protected.

Backend

The permissions system lets you ensure, at the very least, that only people who know what they are doing are in a position to be truly destructive; that editors cannot interfere with one another's areas of responsibility; and that the right to publish content can be restricted separately from the right to create it.

It is vital that, once roles are defined, a security policy is written down and permissions are applied to enforce that policy.

TYPO3 adds a further safety net: very little that is done cannot be undone, because changes are recorded in the database as history rather than overwriting the previous version of an entry.

In addition, there is full support for versioning.

Front-End

Havoc is not confined to backend users, and it is similarly a good idea to ensure that people using the interactive features of your site cannot abuse them.

Various mechanisms are available for this:

  • Contributions can be screened by moderators before publication
  • Users registering have to respond to a message sent to their email address before the account is activated
  • Access to any page or content element can be restricted to individual front-end users or to user groups
  • Contributions can be limited to registered users, by making them log in before they can contribute
  • Captchas can be used to screen out robots
  • Downloads can be secured by keeping the files in folders that are not directly reachable from the web, or by storing them in the database
  • Pages and sections can be served over HTTPS (SSL/TLS)
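The "downloads kept out of world-accessible folders" item above means that the web server never serves the files itself; a script hands them out after checking who is asking and which file they asked for. The following is an added Python example of such a handler and is not code from this page or from TYPO3: the private directory, the logged-in flag and the sample files (including a symlink that points outside the store) are constructed for the demonstration.

```python
"""Serve downloads from a directory the web server cannot reach directly."""
import os
import re
import tempfile
from pathlib import Path

# Only plain file names are accepted: no slashes, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


class DownloadDenied(Exception):
    """Raised when a request must be refused; the caller maps it to a status."""


def resolve_download(private_dir, requested):
    """Map a requested name to a file inside private_dir, or refuse.

    private_dir is assumed to live outside the web root, so the only way to
    reach its contents is through this function.
    """
    if not SAFE_NAME.fullmatch(requested):
        raise DownloadDenied("file name not allowed")
    root = Path(private_dir).resolve()
    # resolve() follows symlinks, so a link placed inside the store that
    # points outside it is caught by the containment check below.
    candidate = (root / requested).resolve()
    if candidate.parent != root:
        raise DownloadDenied("path escapes private directory")
    if not candidate.is_file():
        raise DownloadDenied("no such file")
    return candidate


def download_response(private_dir, requested, logged_in):
    """Return (status, headers, body) as a download handler would."""
    if not logged_in:
        return 403, {"Content-Type": "text/plain"}, b"login required"
    try:
        path = resolve_download(private_dir, requested)
    except DownloadDenied:
        # One status for every refusal, so the response does not reveal
        # whether a given name exists in the store.
        return 404, {"Content-Type": "text/plain"}, b"not found"
    headers = {
        "Content-Type": "application/octet-stream",
        # requested already matched SAFE_NAME, so it is safe to echo here.
        "Content-Disposition": f'attachment; filename="{requested}"',
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, path.read_bytes()


def make_demo_store():
    """Constructed sample data: a private store holding one report and one
    symlink that points outside the store (the trap the check must catch)."""
    base = Path(tempfile.mkdtemp())
    private = base / "private_files"
    private.mkdir()
    (private / "report.pdf").write_bytes(b"%PDF-1.4 demo")
    secret = base / "secret.txt"
    secret.write_bytes(b"not for download")
    os.symlink(secret, private / "link.txt")
    return private


if __name__ == "__main__":
    store = make_demo_store()
    for name, user in [("report.pdf", True), ("report.pdf", False),
                       ("../secret.txt", True), ("link.txt", True)]:
        status, _, body = download_response(store, name, user)
        print(f"{name!r} logged_in={user}: {status} {body[:20]!r}")
```

The name check rejects traversal sequences before any filesystem call is made, and the containment check after resolve() is the second line of defence for anything the name check did not anticipate, such as a symlink inside the store. Logged-out requests get a 403 and every other refusal a 404, so an attacker probing names learns nothing from the status code.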

Passwords

It should go without saying that weak passwords are easily broken.

Security Upgrades

As with any software, security holes may exist in the code.

We recommend (and may at times insist) that all security upgrades are applied to your installation.

Core

Security issues in the core are fixed by the TYPO3 project in new minor releases.

Gate Seven have a policy of installing the core files centrally for use by all installations on a given server. This means that we can usually apply core security patches to all installations immediately.

Extensions

Security-related upgrades are also available for extensions from time to time.

If these have been installed globally as part of our common code base, we apply these upgrades as they appear.

If your extensions are installed locally, as is the case when you have installed them yourself through the extension manager, you are responsible for maintaining their security.