FE - frontend configuration

The following configuration variables can be used to configure settings for the TYPO3 frontend:

addAllowedPaths

addAllowedPaths
Type
list
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths']
Default
''

Additional relative paths where resources may be placed. Used in some frontend-related places for images and TypoScript. It should be prefixed with /. If not, then any path whose first part matches this path will match. That is, myfolder/, myarchive will match, for example, myfolder/, myarchive/, myarchive_one/, myarchive_2/, etc.

No check is done whether this directory actually exists in the root folder of the site.

debug

debug
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['debug']
Default
false

If enabled, the total parse time of the page is added as HTTP response header X-TYPO3-Parsetime. This can also be enabled/disabled via the TypoScript option config.debug = 0.

compressionLevel

compressionLevel
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['compressionLevel']
Default
0

Determines output compression of FE output. Makes output smaller but slows down the page generation depending on the compression level. Requires

  • zlib in your PHP installation and
  • special rewrite rules for .css.gz and .js.gz (before version 12.0 the extension was .css.gzip and .js.gzip)

Please see EXT:install/Resources/Private/FolderStructureTemplateFiles/root-htaccess for an example. Range 1-9, where 1 is least compression and 9 is greatest compression. true as value will set the compression based on the PHP default settings (usually 5). The suggested and optimal value is 5.

pageNotFoundOnCHashError

pageNotFoundOnCHashError
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['pageNotFoundOnCHashError']
Default
true

If TRUE, a page not found call is made when a cHash evaluation error occurs; otherwise caching is disabled and the page output is displayed.

pageUnavailable_force

pageUnavailable_force
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['pageUnavailable_force']
Default
false

If TRUE, every frontend page is shown as "unavailable". If the client matches [SYS][devIPmask], the page is shown as normal. This is useful during temporary site maintenance.

addRootLineFields

addRootLineFields
Type
list
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['addRootLineFields']
Default
''

Comma-list of fields from the pages-table. These fields are added to the select query for fields in the rootline.

checkFeUserPid

checkFeUserPid
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['checkFeUserPid']
Default
true

If set, the pid of fe_user logins must be sent in the form as the field pid and then the user must be located in the pid. If you unset this, you should change the fe_users username eval-flag uniqueInPid to unique in $TCA.

This will do $TCA[fe_users][columns][username][config][eval]= nospace,lower,required,unique;

loginRateLimit

loginRateLimit
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['loginRateLimit']
Default
5

Maximum number of login attempts for the time interval in [FE][loginRateLimitInterval], before further login requests will be denied. Setting this value to "0" will disable login rate limiting.

loginRateLimitInterval

loginRateLimitInterval
Type
string, PHP relative format
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['loginRateLimitInterval']
Default
'15 minutes'
allowedValues
'1 minute', '5 minutes', '15 minutes', '30 minutes'

Allowed time interval for the configured rate limit. Individual values using PHP relative formats can be set in config/system/additional.php.

loginRateLimitIpExcludeList

loginRateLimitIpExcludeList
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['loginRateLimitIpExcludeList']
Default
''

IP addresses (with *-wildcards) that are excluded from rate limiting. Syntax similar to [BE][IPmaskList] and [BE][loginRateLimitIpExcludeList]. An empty value disables the exclude list check.

lockIP

lockIP
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['lockIP']
Default
0
allowedValues
0
Default. Do not lock Frontend User sessions to their IP address at all
1
Use the first part of the visitor's IPv4 address (for example "192.") as part of the session locking of Frontend Users
2
Use the first two parts of the visitor's IPv4 address (for example "192.168") as part of the session locking of Frontend Users
3
Use the first three parts of the visitor's IPv4 address (for example "192.168.13") as part of the session locking of Frontend Users
4
Use the visitor's full IPv4 address (for example "192.168.13.84") as part of the session locking of Frontend Users (highest security)

If activated, Frontend Users are locked to (a part of) their public IP ($_SERVER[REMOTE_ADDR]) for their session, if REMOTE_ADDR is an IPv4-address. Enhances security but may throw off users that may change IP during their session (in which case you can lower it). The integer indicates how many parts of the IP address to include in the check for the session.

Also have a look at the security guidelines.

lockIPv6

lockIPv6
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['lockIPv6']
Default
0
allowedValues
0
Default: Do not lock Backend User sessions to their IP address at all
1
Use the first block (16 bits) of the editor's IPv6 address (for example "2001") as part of the session locking of Backend Users
2
Use the first two blocks (32 bits) of the editor's IPv6 address (for example "20010db8") as part of the session locking of Backend Users
3
Use the first three blocks (48 bits) of the editor's IPv6 address (for example "20010db885a3") as part of the session locking of Backend Users
4
Use the first four blocks (64 bits) of the editor's IPv6 address (for example "20010db885a308d3") as part of the session locking of Backend Users
5
Use the first five blocks (80 bits) of the editor's IPv6 address (for example "20010db885a308d31319") as part of the session locking of Backend Users
6
Use the first six blocks (96 bits) of the editor's IPv6 address (for example "20010db885a308d313198a2e") as part of the session locking of Backend Users
7
Use the first seven blocks (112 bits) of the editor's IPv6 address (for example "20010db885a308d313198a2e0370") as part of the session locking of Backend Users
8
Use the visitor's full IPv6 address (for example "20010db885a308d313198a2e03707344") as part of the session locking of Backend Users (highest security)

If activated, Frontend Users are locked to (a part of) their public IP ($_SERVER[REMOTE_ADDR]) for their session, if REMOTE_ADDR is an IPv6-address. Enhances security but may throw off users that may change IP during their session (in which case you can lower it). The integer indicates how many parts of the IP address to include in the check for the session.
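The effect of the lockIP and lockIPv6 levels on a session whose client address changes, as an added example (illustrative code, not TYPO3's own implementation). The function names and sample addresses are constructed for this illustration; the prefix formats follow the examples in the two tables above.

```php
<?php
declare(strict_types=1);

/**
 * Part of the client address a session would be bound to for the given
 * lockIP / lockIPv6 levels. Returns '' when the level is 0 or the address
 * is not valid, i.e. no IP locking applies. (Hypothetical helper.)
 */
function sessionLockPrefix(string $remoteAddr, int $lockIP, int $lockIPv6): string
{
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $parts = max(0, min(4, $lockIP));
        return implode('.', array_slice(explode('.', $remoteAddr), 0, $parts));
    }
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $blocks = max(0, min(8, $lockIPv6));
        // inet_pton() expands "::" and dropped leading zeros to 16 raw bytes,
        // so every block is exactly four hex digits.
        return substr(bin2hex(inet_pton($remoteAddr)), 0, 4 * $blocks);
    }
    return '';
}

/** True when a later request still matches the prefix stored at login. */
function sessionStillValid(string $loginAddr, string $requestAddr, int $lockIP, int $lockIPv6): bool
{
    return hash_equals(
        sessionLockPrefix($loginAddr, $lockIP, $lockIPv6),
        sessionLockPrefix($requestAddr, $lockIP, $lockIPv6)
    );
}

// Constructed sample addresses, based on the examples in the tables above.
$cases = [
    // same first three parts, different host
    ['192.168.13.84', '192.168.13.200'],
    // same first two parts, different third part
    ['192.168.13.84', '192.168.77.20'],
    // same first four blocks, lower 64 bits changed (as IPv6 privacy extensions do)
    ['2001:db8:85a3:8d3:1319:8a2e:370:7344', '2001:db8:85a3:8d3:aaaa:bbbb:cccc:dddd'],
];

foreach ($cases as [$login, $request]) {
    $maxLevel = str_contains($login, ':') ? 8 : 4;
    for ($level = 1; $level <= $maxLevel; $level++) {
        $kept = sessionStillValid($login, $request, $level, $level);
        printf("%s -> %s, level %d: %s\n", $login, $request, $level, $kept ? 'session kept' : 'session rejected');
    }
}
```

Running it shows which level is the highest one that still tolerates each kind of address change, which is the trade-off to weigh when users report being logged out.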

lifetime

lifetime
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['lifetime']
Default
0

If greater than 0 and the option permalogin is greater than or equal to 0, the cookie of FE users will have a lifetime of the number of seconds this value indicates. Otherwise it will be a session cookie (deleted when the browser is shut down). Setting this value to 604800 will result in automatic login of FE users during a whole week, 86400 will keep the FE users logged in for a day.

sessionTimeout

sessionTimeout
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['sessionTimeout']
Default
6000

Server side session timeout for frontend users in seconds. Will be overwritten by the lifetime property if the lifetime is longer.

sessionDataLifetime

sessionDataLifetime
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['sessionDataLifetime']
Default
86400

If greater than 0, the session data of an anonymous session will time out and be removed after the number of seconds given (86400 seconds represents 24 hours).

permalogin

permalogin
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['permalogin']
Default
0
-1
Permanent login for FE users is disabled
0
By default permalogin is disabled for FE users but can be enabled by a form control in the login form.
1
Permanent login is by default enabled but can be disabled by a form control in the login form.
2
Permanent login is forced to be enabled.

In any case, permanent login is only possible if [FE][lifetime] is greater than 0.

cookieDomain

cookieDomain
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cookieDomain']
Default
''

Same as $TYPO3_CONF_VARS[SYS][cookieDomain] but only for FE cookies. If empty, the $TYPO3_CONF_VARS[SYS][cookieDomain] value will be used.

cookieName

cookieName
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cookieName']
Default
'fe_typo_user'

Sets the name of the cookie used for the frontend user session.

cookieSameSite

cookieSameSite
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cookieSameSite']
Default
'lax'
allowedValues
lax
Cookies set by TYPO3 are only available for the current site, third-party integrations are not allowed to read cookies, except for links and simple HTML forms
strict
Cookies sent by TYPO3 are only available for the current site, never shared to other third-party packages
none
Allow cookies set by TYPO3 to be sent to other sites as well, please note - this only works with HTTPS connections

Indicates that the cookie should send proper information about where it can be shared (first-party cookies vs. third-party cookies) in the TYPO3 frontend.

defaultUserTSconfig

defaultUserTSconfig
Type
multiline
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['defaultUserTSconfig']
Default
''

Deprecated since version 12.1

This setting will be removed with TYPO3 v13. More information can be found in the changelog.

Enter lines of default frontend user/group TSconfig.

defaultTypoScript_constants

defaultTypoScript_constants
Type
multiline
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['defaultTypoScript_constants']
Default
''

Enter lines of default TypoScript, constants-field.

defaultTypoScript_setup

defaultTypoScript_setup
Type
multiline
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['defaultTypoScript_setup']
Default
''

Enter lines of default TypoScript, setup-field.

additionalAbsRefPrefixDirectories

additionalAbsRefPrefixDirectories
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['additionalAbsRefPrefixDirectories']
Default
''

Enter additional directories to be prepended with absRefPrefix. Directories must be comma-separated. TYPO3 already prepends the following directories public/_assets/, public/typo3temp/ and all local storages including public/fileadmin/.

In legacy installations without Composer typo3conf/ext and typo3/ are also prefixed.

enable_mount_pids

enable_mount_pids
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['enable_mount_pids']
Default
true

If enabled, the mount_pid feature allowing symlinks in the page tree (for frontend operation) is allowed.

hidePagesIfNotTranslatedByDefault

hidePagesIfNotTranslatedByDefault
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['hidePagesIfNotTranslatedByDefault']
Default
false

If enabled, pages that have no translation will be hidden by default. Basically this will invert the effect of the page localization setting "Hide page if no translation for current language exists" to "Show page even if no translation exists".

eID_include

eID_include
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']
Default
[]

Array of key/value pairs where the key is tx_[ext]_[optional suffix] and the value is the relative filename of the class to include. The key is used as "?eID=" for \TYPO3\CMS\Frontend\Http\RequestHandler to include the code file which renders the page from that point.

(Useful for functionality that requires a low initialization footprint, for example frontend Ajax applications)

disableNoCacheParameter

disableNoCacheParameter
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['disableNoCacheParameter']
Default
false

If set, the no_cache request parameter will become ineffective. This is currently still an experimental feature and requires a website that only uses plugins that don't use this parameter. However, using "&no_cache=1" should be avoided anyway because there are better ways to disable caching for a certain part of the website (see COA_INT/USER_INT).

additionalCanonicalizedUrlParameters

additionalCanonicalizedUrlParameters
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['additionalCanonicalizedUrlParameters']
Default
[]

The given parameters will be included when calculating the canonicalized URL.

cacheHash

cacheHash
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']

cachedParametersWhiteList

cachedParametersWhiteList
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['cachedParametersWhiteList']
Default
[]

Only the given parameters will be evaluated in the cHash calculation. Example:

config/system/additional.php | typo3conf/system/additional.php
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['cachedParametersWhiteList'][] = 'tx_news_pi1[uid]';

requireCacheHashPresenceParameters

requireCacheHashPresenceParameters
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['requireCacheHashPresenceParameters']
Default
[]

Configure parameters that require a cHash. If no cHash is given but one of the parameters is set, then TYPO3 triggers the configured cHash error behaviour.

excludedParameters

excludedParameters
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludedParameters']
Default
['L', 'pk_campaign', 'pk_kwd', 'utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content', 'gclid', 'fbclid']

The given parameters will be ignored in the cHash calculation. Example:

config/system/additional.php | typo3conf/system/additional.php
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludedParameters'] = ['L','tx_search_pi1[query]'];

excludedParametersIfEmpty

excludedParametersIfEmpty
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludedParametersIfEmpty']
Default
[]

Configure parameters that are only relevant for the cHash if there's an associated value available. Set excludeAllEmptyParameters to true to skip all empty parameters.

excludeAllEmptyParameters

excludeAllEmptyParameters
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludeAllEmptyParameters']
Default
false

If true, all parameters which are relevant for cHash are only considered if they are non-empty.

enforceValidation

enforceValidation
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation']
Default
false (for existing installations), true (for new installations)

New in version 10.4.35/11.5.23/12.2

If this option is enabled, the same validation is used to calculate a "cHash" value as when a valid or invalid "cHash" parameter is given to a request, even when no "cHash" is given.

Details:

Since TYPO3 v9 and the PSR-15 middleware concept, cHash validation has been moved outside of plugins and rendering code inside a validation middleware to check if a given "cHash" acts as a signature of other query parameters in order to use a cached version of a frontend page.

However, the check only provided information about an invalid "cHash" in the query parameters. If no "cHash" was given, the only option was to add a "required list" (global TYPO3 configuration option requireCacheHashPresenceParameters), but not based on the final excludedParameters for the cache hash calculation of the given query parameters.
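How the cacheHash options above interact for a request that arrives without a cHash, as an added example (a simplified model, not TYPO3's own code). The function names and sample requests are constructed; the model assumes that with enforceValidation enabled any remaining relevant parameter triggers the cHash error behaviour, which is a reading of the description above.

```php
<?php
declare(strict_types=1);

/** Parameters that would take part in the cHash calculation (hypothetical helper). */
function relevantCHashParameters(array $query, array $cfg): array
{
    $relevant = [];
    foreach ($query as $name => $value) {
        $name = (string)$name;
        if ($name === 'cHash' || in_array($name, $cfg['excludedParameters'], true)) {
            continue; // ignored in the calculation
        }
        if ($cfg['cachedParametersWhiteList'] !== []
            && !in_array($name, $cfg['cachedParametersWhiteList'], true)) {
            continue; // a non-empty whitelist restricts evaluation to its entries
        }
        $skipIfEmpty = $cfg['excludeAllEmptyParameters']
            || in_array($name, $cfg['excludedParametersIfEmpty'], true);
        if ($value === '' && $skipIfEmpty) {
            continue;
        }
        $relevant[$name] = $value;
    }
    ksort($relevant); // parameter order in the URL must not matter
    return $relevant;
}

/** Outcome for a request that carries no cHash (assumed reading, see lead-in). */
function requestWithoutCHash(array $query, array $cfg): string
{
    if ($cfg['enforceValidation']) {
        return relevantCHashParameters($query, $cfg) === [] ? 'accepted' : 'cHash error behaviour';
    }
    foreach ($cfg['requireCacheHashPresenceParameters'] as $required) {
        if (array_key_exists($required, $query)) {
            return 'cHash error behaviour';
        }
    }
    return 'accepted';
}

// Defaults as listed on this page.
$defaults = [
    'cachedParametersWhiteList' => [],
    'requireCacheHashPresenceParameters' => [],
    'excludedParameters' => ['L', 'pk_campaign', 'pk_kwd', 'utm_source', 'utm_medium',
        'utm_campaign', 'utm_term', 'utm_content', 'gclid', 'fbclid'],
    'excludedParametersIfEmpty' => [],
    'excludeAllEmptyParameters' => false,
    'enforceValidation' => false,
];
// Constructed sample requests, none of which carries a cHash.
$requests = [
    'tracking only' => ['utm_source' => 'newsletter', 'fbclid' => 'abc'],
    'plugin parameter' => ['tx_news_pi1[uid]' => '7', 'utm_source' => 'newsletter'],
];
foreach ([false, true] as $enforce) {
    $cfg = ['enforceValidation' => $enforce] + $defaults;
    foreach ($requests as $label => $query) {
        printf("enforceValidation=%s, %s: relevant=%s -> %s\n", var_export($enforce, true), $label,
            json_encode(array_keys(relevantCHashParameters($query, $cfg))), requestWithoutCHash($query, $cfg));
    }
}
```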

workspacePreviewLogoutTemplate

workspacePreviewLogoutTemplate
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['workspacePreviewLogoutTemplate']
Default
''

If set, points to an HTML file relative to the TYPO3_site root which will be read and output as the template for this message. Example: fileadmin/templates/template_workspace_preview_logout.html.

Inside you can put the marker %1$s to insert the URL to go back to. Use this in <a href="%1$s">Go back...</a> links.

versionNumberInFilename

versionNumberInFilename
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename']
Default
false

Changed in version 12.3

The setting was previously evaluated as a "string" value, having three possible options:

  • ""
  • "querystring"
  • "embed"

When updating TYPO3 and accessing the maintenance area, an explicitly set option is migrated automatically. If this is not possible - for example, the configuration is set in AdditionalConfiguration.php - the value is always migrated on-the-fly when the setting is evaluated.

If enabled, included CSS and JS files loaded in the TYPO3 frontend will have the timestamp embedded in the filename, for example, filename.1676276352.js. This will make browsers and proxies reload the files, if they change (thus avoiding caching issues).

If disabled, the last modification date of the file will be appended as a query string.

contentRenderingTemplates

contentRenderingTemplates
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['contentRenderingTemplates']
Default
[]

Array to define the TypoScript parts that define the main content rendering.

Extensions like fluid_styled_content provide content rendering templates. Other extensions like felogin or indexed search extend these templates and their TypoScript parts are added directly after the content templates.

See EXT:fluid_styled_content/ext_localconf.php and EXT:core/Classes/TypoScript/IncludeTree/TreeBuilder.php

ContentObjects

ContentObjects
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['ContentObjects']

Changed in version 12.0

The global variable $GLOBALS['TYPO3_CONF_VARS']['FE']['ContentObjects'] has no effect anymore in TYPO3 v12.0 and above. It can be defined to achieve backward compatibility with TYPO3 version 11 and below.

TypoScript content objects (cObject) like TEXT or HMENU are registered as services:

EXT:my_extension/Configuration/Services.yaml
services:
   # ...
   MyCompany\MyPackage\ContentObject\CustomContentObject:
     tags:
       - name: frontend.contentobject
         identifier: 'MY_OBJ'

typolinkBuilder

typolinkBuilder
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['typolinkBuilder']

Matches the LinkService implementations for generating URLs and link texts via typolink. This configuration value can be used to register a custom link builder for the frontend generation of links.

Default value of $GLOBALS['TYPO3_CONF_VARS']['FE']['typolinkBuilder']
[
    'page' => \TYPO3\CMS\Frontend\Typolink\PageLinkBuilder::class,
    'file' => \TYPO3\CMS\Frontend\Typolink\FileOrFolderLinkBuilder::class,
    'folder' => \TYPO3\CMS\Frontend\Typolink\FileOrFolderLinkBuilder::class,
    'url' => \TYPO3\CMS\Frontend\Typolink\ExternalUrlLinkBuilder::class,
    'email' => \TYPO3\CMS\Frontend\Typolink\EmailLinkBuilder::class,
    'record' => \TYPO3\CMS\Frontend\Typolink\DatabaseRecordLinkBuilder::class,
    'telephone' => \TYPO3\CMS\Frontend\Typolink\TelephoneLinkBuilder::class,
    'unknown' => \TYPO3\CMS\Frontend\Typolink\LegacyLinkBuilder::class,
]

passwordHashing

passwordHashing

className

className
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordHashing']['className']
Default
\TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2iPasswordHash::class
allowedValues
\TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2iPasswordHash::class
Good password hash mechanism. Used by default if available.
\TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2idPasswordHash::class
Good password hash mechanism.
\TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::class
Good password hash mechanism.
\TYPO3\CMS\Core\Crypto\PasswordHashing\Pbkdf2PasswordHash::class
Fallback hash mechanism if argon and bcrypt are not available.
\TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash::class
Fallback hash mechanism if none of the above are available.

options

options
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordHashing']['options']
Default
[]

Special settings for specific hashes.

passwordPolicy

passwordPolicy

New in version 12.0

$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordPolicy']

$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordPolicy']
Type
string
Default
default

Defines the password policy in frontend context.

exposeRedirectInformation

exposeRedirectInformation
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['exposeRedirectInformation']
Default
false

If set, redirects executed by TYPO3 publicly expose the page ID in the HTTP header. As this is internal information about the TYPO3 system, it should only be enabled for debugging purposes.

contentSecurityPolicyReportingUrl

contentSecurityPolicyReportingUrl
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['FE']['contentSecurityPolicyReportingUrl']
Default
''

New in version 12.3

Configure the reporting HTTP endpoint of Content Security Policy violations in the frontend; if it is empty, the TYPO3 endpoint will be used.

Example:

$GLOBALS['TYPO3_CONF_VARS']['FE']['contentSecurityPolicyReportingUrl']
    = 'https://csp-violation.example.org/';