Attention
TYPO3 v11 has reached end-of-life as of October 31th 2024 and is no longer being maintained. Use the version switcher on the top left of this page to select documentation for a supported version of TYPO3.
Need more time before upgrading? You can purchase Extended Long Term Support (ELTS) for TYPO3 v11 here: TYPO3 ELTS.
Content security policy
Content security policy (CSP_) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.
According to TYPO3-PSA-2019-010 authenticated users - but not having
administrator privileges - are allowed to upload files to their granted
file mounts (e.g. fileadmin/
in most cases). This also includes the
possibility to upload potential malicious code in HTML or SVG files
(using JavaScript, injecting cross-site scripting vulnerabilities).
To mitigate these potential scenarios it is advised to either
deny uploading files as described in TYPO3-PSA-2019-010 (which might be
impractical for some sites) or add content security policy headers for
these directories - basically all public available base directories of
file storages (sys_
).
The following example sends a corresponding CSP header for any file
accessed via https://
:
# placed in fileadmin/.htaccess on Apache 2.x webserver
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</IfModule>
For nginx webservers, the following configuration example can be used to send
a CSP header for any file accessed via https://
:
map $request_uri $csp_header {
~^/fileadmin/ "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
}
server {
# Add strict CSP header depending on mapping (fileadmin only)
add_header Content-Security-Policy $csp_header;
# ... other add_header declarations can follow here
}
The nginx example configuration uses a map, since top level add_
declarations will be overwritten if add_
is used in sublevels
(e.g. location
) declarations.
CSP rules can be verified with a CSP-Evaluator