Security considerations regarding exports
Exported content in TYPO3 can contain sensitive or restricted information that needs to be properly secured. This document outlines the recommended best practices for managing the security risks associated with exporting content. The following sections explain:
- Why you should disable the export extension when not in use to reduce the risk of unintentional data exposure.
- How to prevent unauthorized access by restricting the visibility of export options in the TYPO3 interface.
- Why it is important to secure the export directory to block unauthorized file access on different webserver setups.
- How to report a security issue to the TYPO3 Security Team if you identify vulnerabilities not addressed in this guide.
Table of contents
Disable the extension when not in use
Exported content may contain sensitive and restricted information related to your site. It is recommended that this extension be deactivated when it is not in use to prevent content being exported in error.
Prevent unauthorized access
The export function is available by default for editors without admin rights. It is limited to content to which the editor has access. The export functionality can be hidden in the editor's context menu by using the user TSconfig setting contextMenu disableItems.
Note that it cannot be completely disabled as there are currently other entry points.
Secure the export directory
Exports are stored in fileadmin/.
TYPO3 will automatically create a .htaccess file to prevent access to
this folder from external sources. On Nginx webservers, the .htaccess
file has no effect. Follow the Security guidelines for System
Administrators to find out how to prevent
access to specific directories on Nginx webservers.
Reporting a security issue
If you believe you have found a security-related issue that is not listed here, please contact the TYPO3 Security Team.