.. include:: Includes.txt

.. _start:

.. _introduction:
.. _about:
.. _history:
.. _credits:
.. _feedback:
.. _target-audience:

.. _security-team:
.. _security-team-contact:
.. _incident-handling:
.. _incident-handling-core:
.. _incident-handling-extensions:

.. _general-information:
.. _typo3-versions:
.. _typo3-lifecycle:
.. _difference-core-extensions:
.. _announcement-updates:
.. _security-bulletins:

.. _types-of-security-threats:
.. _security-threats:
.. _information-disclosure:
.. _identity-theft:
.. _sql-injection:
.. _code-injection:
.. _authorization-bypass:
.. _xss:
.. _xsrf:

.. _general-guidelines:
.. _secury-passwords:
.. _update-operating-system:
.. _update-browser:
.. _communication:
.. _react-quickly:
.. _updating-typo3:
.. _updating-extensions:
.. _staging-servers:

.. _administrators:
.. _administrator-definition:
.. _administrator-rules:
.. _integrity-packages:
.. _file-directory-permissions:
.. _restrict-access-server-level:
.. _directory-indexing:
.. _database-access:
.. _mysql:
.. _mysql-password-username:
.. _mysql-external-access:
.. _mysql-administration-tools:
.. _encrypted-client-server-connection:
.. _data-classification:
.. _encryption-frontend:
.. _encryption-backend:
.. _encryption-other-services:
.. _other-services:
.. _administrator-further-actions:
.. _administrators-furtheractions-clickjacking:

.. _integrators:
.. _integrator-definition:
.. _integrator-rules:
.. _install-tool:
.. _encryption-key:
.. _global-typo3-options:
.. _cookieHttpOnly:
.. _cookiesecure:
.. _displayerrors:
.. _devipmask:
.. _enablebeuseriplock:
.. _filedenypattern:
.. _lockip:
.. _lockssl:
.. _ipmasklist:
.. _nophpscriptinclude:
.. _trustedHostsPattern:
.. _warningemailaddr:
.. _warningmode:
.. _security-warnings:
.. _reports-logs:
.. _access-privileges:
.. _backend:
.. _frontend:
.. _extensions:
.. _extension-state:
.. _extension-binaries:
.. _extension-remove:
.. _extension-lowlevel:
.. _extension-updates:
.. _extension-security:
.. _rsaauth:
.. _saltedpasswords:
.. _extension-other:
.. _typoscript:
.. _typoscript-sql-injection:
.. _typoscript-xss:
.. _typoscript-external-file:
.. _content-elements:

.. _editors:
.. _editor-definition:
.. _editor-rules:
.. _backend-access:
.. _be-username:
.. _be-password:
.. _administrator-privileges:
.. _notify-at-login:
.. _lock-to-ip:
.. _restrict-to-required-functions:
.. _secure-connection:
.. _logout:

.. _backups:
.. _backup-strategy:
.. _backup-components:
.. _backups-time-plan:
.. _backup-location:
.. _backups-further-considerations:

.. _detect-analyze-repair:
.. _detect:
.. _detect-manipulated-frontpage:
.. _detect-malicious-html-code:
.. _detect-embedded-elements:
.. _detect-unusual-traffic:
.. _detect-reports:
.. _detect-warnings:
.. _detect-leaked-credentials:
.. _take-offline:
.. _analyze:
.. _repair-restore:
.. _repair:
.. _restore:
.. _hack-further-actions:


====================
TYPO3 Security Guide
====================

.. attention::

   This document has been merged into :ref:`TYPO3 Explained <t3coreapi:security>`
   since core version 9.

.. rst-class:: horizbuttons-tip-xxl

- :ref:`This manual has moved <t3coreapi:security>`

*Older versions*
(`v8.7 </typo3cms/SecurityGuide/8.7/>`__):
Please refer to "Related Links" in the lower left corner of the page.