BE - backend configuration 

The following configuration variables can be used to configure the TYPO3 backend:

fileadminDir

fileadminDir
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir']
Default
'fileadmin/'

Path to the main file directory for editors. This is relative to the public web directory. DefaultStorage will be created with this configuration. Do not access manually but via \TYPO3\CMS\Core\Resource\StorageRepository::getDefaultStorage().

lockBackendFile

lockBackendFile
Type
string (file path)
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBackendFile']
Default
"var/lock/LOCK_BACKEND" (Composer mode) | "config/LOCK_BACKEND" (Classic mode)

New in version 13.3

Defines the location of the flag file LOCK_BACKEND. The file temporarily restricts backend access to prevent unauthorized changes or during critical updates.

lockRootPath

lockRootPath
Type
array of file paths
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']
Default
[]

These absolute paths are used to check if paths outside of the project path should be allowed. This restriction also applies to the local driver in the File Abstraction Layer.

This option supports an array of root path prefixes to allow multiple storage locations to be listed.

See also the Security bulletin "Path Traversal in TYPO3 File Abstraction Layer Storages".

userHomePath

userHomePath
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['userHomePath']
Default
''

Combined folder identifier pointing to the directory where TYPO3 backend users have their home-dirs. A combined folder identifier looks like this: [storageUid]:[folderIdentifier], for example, 2:users/. The home directory identifier of backend user 2 would be: 2:users/2/. End slash required!

groupHomePath

groupHomePath
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['groupHomePath']
Default
''

Combined folder identifier pointing to the directory where TYPO3 backend groups have their home-dirs. A combined folder identifier looks like this: [storageUid]:[folderIdentifier], for example, 2:groups/. The home directory identifier of backend group 1 would be: 2:groups/1/. End slash required!

userUploadDir

userUploadDir
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['userUploadDir']
Default
''

Suffix which is added to the user home dir path when mounted in TYPO3. For example, if the user dir is ../123_user/ and the suffix is /upload then ../123_user/upload will be mounted.

warning_email_addr

warning_email_addr
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr']
Default
''

Email address that will receive notifications whenever there is an attempt to login to the Install Tool. This address will also receive warnings when more than 3 failed backend login attempts are detected within an hour (regardless of user).

See also security guidelines.

warning_mode

warning_mode
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_mode']
Default
0
Allowed values
0:
Default: Do not send notification-emails upon backend-login
1:
Send a notification-email every time a backend user logs in
2:
Send a notification-email every time an admin backend user logs in

Send emails to warning_email_addr upon backend-login.

See also security guidelines.

passwordReset

passwordReset
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordReset']
Default
true

Enable password reset in the backend login for TYPO3 Backend users. Can be disabled for systems where only LDAP or OAuth login is allowed.

Password reset will still work via CLI and for admins in the backend.

passwordResetForAdmins

passwordResetForAdmins
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordResetForAdmins']
Default
true

Enable password reset for TYPO3 Administrators. This will affect both backend login and CLI. Disable this option for increased security.

requireMfa

requireMfa
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['requireMfa']
Default
0
Allowed values
0-4
0:
Default: Do not require multi-factor authentication
1:
Require multi-factor authentication for all users
2:
Require multi-factor authentication only for non-admin users
3:
Require multi-factor authentication only for admin users
4:
Require multi-factor authentication only for system maintainers

Define users that should be required to set up multi-factor authentication.

recommendedMfaProvider

recommendedMfaProvider
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['recommendedMfaProvider']
Default
'totp'

Set the identifier of the multi-factor authentication provider that is recommended for all users.

loginRateLimit

loginRateLimit
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimit']
Default
5

Maximum number of login attempts in the time interval [BE][loginRateLimitInterval] before further login requests are denied. Setting this value to "0" will disable login rate limiting.

loginRateLimitInterval

loginRateLimitInterval
Type
string, PHP relative format
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimitInterval']
Default
'15 minutes'
Allowed values
'1 minute', '5 minutes', '15 minutes', '30 minutes'

Time interval for the configured rate limit. Individual values using PHP relative formats can be set in config/system/additional.php.

loginRateLimitIpExcludeList

loginRateLimitIpExcludeList
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimitIpExcludeList']
Default
''

IP addresses (with *-wildcards) that are excluded from rate limiting. Syntax similar to [BE][IPmaskList]. An empty value disables the exclude list check.

lockIP

lockIP
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockIP']
Default
0
Allowed values
0-4
0:
Default: Do not lock Backend User sessions to their IP address
1:
Use the first part of the editor's IPv4 address (for example "192.") as part of the session locking of Backend Users
2:
Use the first two parts of the editor's IPv4 address (for example "192.168") as part of the session locking of Backend Users
3:
Use the first three parts of the editor's IPv4 address (for example "192.168.13") as part of the session locking of Backend Users
4:
Use the editor's full IPv4 address (for example "192.168.13.84") as part of the session locking of Backend Users (highest security)

Session IP locking for backend users. See [FE][lockIP] for details.

See also security guidelines.

lockIPv6

lockIPv6
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockIPv6']
Default
0
Allowed values
0-8
0:
Default: Do not lock Backend User sessions to their IP address
1:
Use the first block (16 bits) of the editor's IPv6 address (for example "2001:") as part of the session locking of Backend Users
2:
Use the first two blocks (32 bits) of the editor's IPv6 address (for example "2001:0db8") as part of the session locking of Backend Users
3:
Use the first three blocks (48 bits) of the editor's IPv6 address (for example "2001:0db8:85a3") as part of the session locking of Backend Users
4:
Use the first four blocks (64 bits) of the editor's IPv6 address (for example "2001:0db8:85a3:08d3") as part of the session locking of Backend Users
5:
Use the first five blocks (80 bits) of the editor's IPv6 address (for example "2001:0db8:85a3:08d3:1319") as part of the session locking of Backend Users
6:
Use the first six blocks (96 bits) of the editor's IPv6 address (for example "2001:0db8:85a3:08d3:1319:8a2e") as part of the session locking of Backend Users
7:
Use the first seven blocks (112 bits) of the editor's IPv6 address (for example "2001:0db8:85a3:08d3:1319:8a2e:0370") as part of the session locking of Backend Users
8:
Use the editor's full IPv6 address (for example "2001:0db8:85a3:08d3:1319:8a2e:0370:7344") as part of the session locking of Backend Users (highest security)

Session IPv6 locking for backend users. See [FE][lockIPv6] for details.
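The effect of the lockIP and lockIPv6 levels on a client whose address changes during a session, as an added example that is not TYPO3 core code. The helper names sessionLockPrefix() and sameLockScope() and the sample addresses are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Illustration of the lockIP / lockIPv6 levels; not TYPO3 core code.
// sessionLockPrefix() and sameLockScope() are hypothetical helper names.

function sessionLockPrefix(string $ip, int $lockIP, int $lockIPv6): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $level = max(0, min(4, $lockIP));
        // Keep the first $level dot-separated parts (level 0 keeps nothing).
        return implode('.', array_slice(explode('.', $ip), 0, $level));
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $level = max(0, min(8, $lockIPv6));
        // Expand compressed notation ("2001:db8::1") into eight 4-digit
        // blocks before cutting, so "::" cannot shift the block positions.
        $blocks = str_split(bin2hex(inet_pton($ip)), 4);
        return implode(':', array_slice($blocks, 0, $level));
    }
    throw new InvalidArgumentException('Not an IP address: ' . $ip);
}

// True if a request from $requestIp still falls inside the address scope
// that the session was locked to at login.
function sameLockScope(string $loginIp, string $requestIp, int $lockIP, int $lockIPv6): bool
{
    return sessionLockPrefix($loginIp, $lockIP, $lockIPv6)
        === sessionLockPrefix($requestIp, $lockIP, $lockIPv6);
}

// Constructed sample addresses from documentation ranges, not real clients.
$cases = [
    // [login address, later request address, lockIP, lockIPv6]
    ['192.0.2.84', '192.0.2.17', 4, 0],
    ['192.0.2.84', '192.0.2.17', 3, 0],
    ['2001:db8:85a3:8d3:1319:8a2e:370:7344', '2001:db8:85a3:8d3::1', 0, 8],
    ['2001:db8:85a3:8d3:1319:8a2e:370:7344', '2001:db8:85a3:8d3::1', 0, 4],
];
foreach ($cases as [$login, $request, $v4, $v6]) {
    printf(
        "lockIP=%d lockIPv6=%d %s -> %s: locked to '%s', session %s\n",
        $v4,
        $v6,
        $login,
        $request,
        sessionLockPrefix($login, $v4, $v6),
        sameLockScope($login, $request, $v4, $v6) ? 'kept' : 'rejected'
    );
}
```

A lockIPv6 level of 4 (the first 64 bits) keeps a session alive when only the interface identifier of the client address changes, while level 8 ends the session on every such change.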

sessionTimeout

sessionTimeout
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout']
Default
28800

Session timeout for backend users (in seconds). The value must be at least 180 to avoid side effects. The default is 28800 seconds = 8 hours.

IPmaskList

IPmaskList
Type
list
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['IPmaskList']
Default
''

Lets you define a list of IP addresses (with *-wildcards) that are the ONLY IP addresses that are allowed access to ANY backend activity. On error, an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig.

See the syntax for that (or look up the syntax for the function \TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP()).

See also security guidelines.

lockSSL

lockSSL
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL']
Default
false

If set, the backend can only be accessed via an SSL-encrypted connection (https). If a user tries to access non-https admin-urls, they will be redirected to the SSL version of the URL.

See also security guidelines.

lockSSLPort

lockSSLPort
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSLPort']
Default
0

Use a non-standard HTTPS port for lockSSL. Set this value if you use lockSSL and the HTTPS port of your webserver is not 443.

cookieDomain

cookieDomain
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieDomain']
Default
''

Same as $TYPO3_CONF_VARS[SYS][cookieDomain] but for BE cookies. If empty, the $TYPO3_CONF_VARS[SYS][cookieDomain] value will be used.

cookieName

cookieName
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieName']
Default
'be_typo_user'

Set the cookie name for the back-end user session.

cookieSameSite

cookieSameSite
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite']
Default
'strict'
Allowed values
'lax', 'strict', 'none'
lax:
Cookies set by TYPO3 are only available for the current site. Third-party integrations are not allowed to read cookies, except for links and simple HTML forms
strict:
Cookies set by TYPO3 are only available for the current site. They are never shared with third-party packages
none:
Allow cookies set by TYPO3 to be sent to other sites as well. Note: this only works with HTTPS connections

Configures how cookies can be shared in the TYPO3 Backend (first-party cookies vs. third-party cookies)

showRefreshLoginPopup

showRefreshLoginPopup
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['showRefreshLoginPopup']
Default
false

If set, the Ajax relogin will show a popup window for relogin after a countdown. Some authorization services need this as they add custom validation to the login form. If it is not set, the Ajax relogin will show an inline relogin window.

adminOnly

adminOnly
Type
int
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['adminOnly']
Default
0
Allowed values
-1 - +2
-1:
Total shutdown for maintenance purposes
0:
Default: All users can access the TYPO3 Backend
1:
Only administrators / system maintainers can log in and CLI interface is disabled
2:
Only administrators / system maintainers have access to the TYPO3 Backend. CLI executions are allowed

Restricts access to the TYPO3 Backend. Useful when doing maintenance or updates

disable_exec_function

disable_exec_function
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['disable_exec_function']
Default
false

Don't use the exec() function (except for ImageMagick, which is disabled by [GFX][im] = 0). If set, all file operations are done by the default PHP functions. This is necessary under Windows! On Unix, system commands using exec() can be used, unless this is disabled.

compressionLevel

compressionLevel
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['compressionLevel']
Default
0
Range
0-9

Determines output compression of BE output. Output is smaller but page generation slows down depending on compression level. Requires

  • zlib in your PHP installation and
  • special rewrite rules for .css.gz and .js.gz (before version 12.0 the extension was .css.gzip and .js.gzip)

Please see EXT:install/Resources/Private/FolderStructureTemplateFiles/root-htaccess for an example. The range is 1-9, where 1 is least compression and 9 is greatest compression. Setting the value to true will set the compression based on the PHP default settings (usually 5). The recommended and most optimal value is 5.

installToolPassword

installToolPassword
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword']
Default
''

Hash of the install tool password. See also Enabling and accessing the Install Tool.

New in version 14.0

defaultPermissions

defaultPermissions
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['defaultPermissions']
Default
[]

This option defines the default page permissions (show, edit, delete, new, editcontent). The following order applies:

  • defaultPermissions from \TYPO3\CMS\Core\DataHandling\PagePermissionAssembler
  • $GLOBALS['TYPO3_CONF_VARS']['BE']['defaultPermissions'] (the option described here)
  • Page TSconfig via TCEMAIN.permissions

Example (with default permissions):

config/system/additional.php | typo3conf/system/additional.php
$GLOBALS['TYPO3_CONF_VARS']['BE']['defaultPermissions'] = [
    'user' => 'show,edit,delete,new,editcontent',
    'group' => 'show,edit,new,editcontent',
    'everybody' => '',
];

If you want to deviate from the default permissions, for example, by changing the 'everybody' key, just modify that key:

config/system/additional.php | typo3conf/system/additional.php
$GLOBALS['TYPO3_CONF_VARS']['BE']['defaultPermissions'] = [
    'everybody' => 'show',
];

defaultUC

defaultUC
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['defaultUC']
Default
[]

Defines default user settings. The following order applies:

  • uc_default in \TYPO3\CMS\Core\Authentication\BackendUserAuthentication
  • $GLOBALS['TYPO3_CONF_VARS']['BE']['defaultUC'] (the option described here)
  • User TSconfig via setup

Example (with default user settings):

config/system/additional.php | typo3conf/system/additional.php
$GLOBALS['TYPO3_CONF_VARS']['BE']['defaultUC'] = [
    'emailMeAtLogin' => 0,
    'titleLen' => 50,
    'edit_RTE' => '1',
    'edit_docModuleUpload' => '1',
];

Visit the setup chapter of the User TSconfig guide for a list of available options.

customPermOptions

customPermOptions
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['customPermOptions']
Default
[]

Array with sets of custom permission options. The syntax is:

config/system/additional.php | typo3conf/system/additional.php
'key' => array(
    'header' => 'header string, language split',
    'items' => array(
       'key' => array('label, language split','icon reference', 'Description text, language split')
    )
)

Keys cannot contain any of the following characters: :|,.

fileDenyPattern

fileDenyPattern
Type
text
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']
Default
''

A Perl-compatible and JavaScript-compatible regular expression that will block ('deny') operations on files with matching filenames (without delimiters /), for example, file upload, rename, etc.

For security reasons, files with multiple extensions in an Apache environment must be blocked using mod_alias, if the filename contains a valid php handler in an arbitrary position. Also, ".htaccess" files must be blocked. Matching is case-insensitive.

The default value is stored in class constant \TYPO3\CMS\Core\Resource\Security\FileNameValidator::FILE_DENY_PATTERN_DEFAULT.

See also security guidelines.
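A regression check for a custom fileDenyPattern, as an added example that is not TYPO3 core code. checkDenyPattern() is a hypothetical helper, both patterns and all filenames are constructed for the illustration (neither pattern is the TYPO3 default), and wrapping the pattern in /.../i is an assumption derived from "without delimiters" and "case-insensitive" above.

```php
<?php
declare(strict_types=1);

// Regression check for a custom fileDenyPattern; not TYPO3 core code.
// checkDenyPattern() is a hypothetical helper. Wrapping the pattern in
// /.../i is an assumption based on the option description.

function checkDenyPattern(string $pattern, array $mustDeny, array $mustAllow): array
{
    // The option value has no delimiters, so add them and escape plain slashes.
    $regex = '/' . str_replace('/', '\/', $pattern) . '/i';
    if (@preg_match($regex, '') === false) {
        return ['pattern does not compile: ' . preg_last_error_msg()];
    }
    $problems = [];
    foreach ($mustDeny as $name) {
        if (preg_match($regex, $name) !== 1) {
            $problems[] = 'not denied: ' . $name;
        }
    }
    foreach ($mustAllow as $name) {
        if (preg_match($regex, $name) === 1) {
            $problems[] = 'wrongly denied: ' . $name;
        }
    }
    return $problems;
}

// Constructed filenames covering the cases named in the description:
// a PHP handler extension in any position, upper case, and .htaccess.
$mustDeny  = ['shell.php', 'SHELL.PHP', 'image.php.jpg', '.htaccess'];
$mustAllow = ['report.pdf', 'photo.jpg', 'notes.phpx.txt'];

// Constructed patterns: a weak one that only looks at the last extension,
// and a stricter one that also matches the extension in the middle.
$candidates = [
    'weak'     => '\.php$',
    'stricter' => '\.(php[3-8]?|phtml|phar)(\..*)?$|^\.htaccess$',
];

foreach ($candidates as $label => $pattern) {
    $problems = checkDenyPattern($pattern, $mustDeny, $mustAllow);
    echo $label, ': ', $problems === [] ? 'ok' : implode('; ', $problems), "\n";
}
```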

flexformForceCDATA

flexformForceCDATA
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['flexformForceCDATA']

Changed in version 13.0

This option was removed in TYPO3 v13.0.

versionNumberInFilename

versionNumberInFilename
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename']
Default
false

If enabled, CSS and JS files loaded in the TYPO3 Backend will have a timestamp in their filename, i.e. filename.1269312081.js. This will force browsers and proxies to reload the files if they change (thus avoiding caching issues).

IMPORTANT: This feature requires extra .htaccess rules in order to work (please refer to the typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/root-htaccess file shipped with TYPO3).

If disabled, the last modification date of the file will be appended as a query-string.

debug

debug
Type
bool
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['debug']
Default
false

If enabled, login refresh is disabled and pageRenderer is set to debug mode. Also, fieldnames are appended to field labels. Use this to debug the backend only!

Disables the $GLOBALS[TYPO3_CONF_VARS][BE][compressionLevel] setting.

HTTP

HTTP
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']

Set HTTP headers to be sent with each backend request. Keys other than ['Response']['Headers'] are ignored.

Default configuration:

[
    'Response' => [
        'Headers' => [
            'clickJackingProtection' => 'X-Frame-Options: SAMEORIGIN',
            'strictTransportSecurity' => 'Strict-Transport-Security: max-age=31536000',
            'avoidMimeTypeSniffing' => 'X-Content-Type-Options: nosniff',
            'referrerPolicy' => 'Referrer-Policy: strict-origin-when-cross-origin',
        ],
    ],
]

passwordHashing

passwordHashing
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']

className

className
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['className']
Default
\TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2iPasswordHash::class

Allowed values:

\TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2iPasswordHash::class
Good password hash mechanism. Used by default if available.
\TYPO3\CMS\Core\Crypto\PasswordHashing\Argon2idPasswordHash::class
Good password hash mechanism.
\TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::class
Good password hash mechanism.
\TYPO3\CMS\Core\Crypto\PasswordHashing\Pbkdf2PasswordHash::class
Fallback hash mechanism if argon and bcrypt are not available.
\TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash::class
Fallback hash mechanism if none of the above are available.

options

options
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['options']
Default
[]

Special settings for specific hash algorithms. See Available hash algorithms for the different options.

passwordPolicy

passwordPolicy
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy']
Default
default

Defines the password policy in the backend context.

stylesheets

stylesheets
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['stylesheets']
Default
default

Load additional CSS files for the TYPO3 backend interface. This can be set for a site or in an extension ext_localconf.php file.

Examples:

Add a specific stylesheet:

$GLOBALS['TYPO3_CONF_VARS']['BE']['stylesheets']['my_extension']
    = 'EXT:my_extension/Resources/Public/Css/myfile.css';

Add all stylesheets from a folder:

$GLOBALS['TYPO3_CONF_VARS']['BE']['stylesheets']['my_extension']
    = 'EXT:my_extension/Resources/Public/Css/';

contentSecurityPolicyReportingUrl

contentSecurityPolicyReportingUrl
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['contentSecurityPolicyReportingUrl']
Default
''

Configure the reporting HTTP endpoint of Content Security Policy violations in the backend; if it is empty, the TYPO3 endpoint will be used.

Setting this configuration to '0' disables Content Security Policy reporting. If the endpoint is still called, the server-side process responds with a 403 HTTP error message.

If defined, site-specific configuration in config/sites/my_site/csp.yaml takes precedence over the global configuration.

config/system/additional.php
// Set a custom endpoint for Content Security Policy reporting
$GLOBALS['TYPO3_CONF_VARS']['BE']['contentSecurityPolicyReportingUrl']
    = 'https://csp-violation.example.org/';
config/system/additional.php
// Disables Content Security Policy reporting
$GLOBALS['TYPO3_CONF_VARS']['BE']['contentSecurityPolicyReportingUrl'] = '0';

Use $GLOBALS['TYPO3_CONF_VARS']['FE']['contentSecurityPolicyReportingUrl'] to configure Content Security Policy reporting for the frontend.

entryPoint

entryPoint
Type
string
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['entryPoint']
Default
'/typo3'

New in version 13.0

A custom backend entry point can be configured by specifying a custom URL path or domain name.

Example:
$GLOBALS['TYPO3_CONF_VARS']['BE']['entryPoint'] = '/my-specific-path';

installToolSessionHandler

installToolSessionHandler
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolSessionHandler']

New in version 14.0

className

className
Type
fully qualified class name (implements \SessionHandlerInterface)
Default
\TYPO3\CMS\Install\Service\Session\FileSessionHandler
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolSessionHandler']['className']

New in version 14.0

Store Install Tool sessions in Redis by setting className to \TYPO3\CMS\Install\Service\Session\RedisSessionHandler.

Custom session handlers can be implemented using the PHP \SessionHandlerInterface.

options

options
Type
array
Path
$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolSessionHandler']['options']

For the FileSessionHandler you can configure the sessionPath.

File-based session handler in config/system/settings.php
return [
    // ...
    'BE' => [
        'installToolSessionHandler' => [
            'className' => \TYPO3\CMS\Install\Service\Session\FileSessionHandler::class,
            'options' => [
                'sessionPath' => \TYPO3\CMS\Core\Core\Environment::getVarPath() . '/session',
            ]
        ]
    ]
];

For the RedisSessionHandler you can configure host, port, database and authentication:

Redis session handler in config/system/settings.php
return [
    'BE' => [
        'installToolSessionHandler' => [
            'className' => \TYPO3\CMS\Install\Service\Session\RedisSessionHandler::class,
            'options' => [
                'host' => '127.0.0.1',
                'port' => 6379,
                'database' => 0,
                'authentication' => [
                    'user' => 'redis',
                    'pass' => 'redis'
                ]
            ]
        ]
    ]
];
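A check across the security-relevant options on this page, as an added example that is not TYPO3 core code: it takes a BE settings array and reports the options whose value weakens backend security according to the descriptions above. auditBackendSecurity(), the finding texts and the sample configuration are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code: flags BE options whose value weakens
// backend security according to the option descriptions on this page.
// auditBackendSecurity() and the finding texts are hypothetical.

function auditBackendSecurity(array $be): array
{
    // Defaults as documented on this page, used when a key is not set.
    $be += [
        'requireMfa' => 0, 'loginRateLimit' => 5, 'lockSSL' => false,
        'lockIP' => 0, 'lockIPv6' => 0, 'sessionTimeout' => 28800,
        'cookieSameSite' => 'strict', 'debug' => false,
        'warning_email_addr' => '', 'passwordResetForAdmins' => true,
    ];
    // Option name => [test for a weak value, finding text].
    $rules = [
        'requireMfa' => [fn($v) => (int)$v === 0, 'MFA is not required for any user'],
        'loginRateLimit' => [fn($v) => (int)$v === 0, 'login rate limiting is disabled'],
        'lockSSL' => [fn($v) => !$v, 'backend is not restricted to HTTPS'],
        'sessionTimeout' => [fn($v) => (int)$v < 180, 'timeout is below the minimum of 180 seconds'],
        'cookieSameSite' => [fn($v) => $v === 'none', 'backend cookies are sent to other sites'],
        'debug' => [fn($v) => (bool)$v, 'backend debug mode is enabled'],
        'warning_email_addr' => [fn($v) => $v === '', 'no address receives login warnings'],
        'passwordResetForAdmins' => [fn($v) => (bool)$v, 'password reset is enabled for administrators'],
    ];
    $findings = [];
    foreach ($rules as $key => [$isWeak, $message]) {
        if ($isWeak($be[$key])) {
            $findings[$key] = $message;
        }
    }
    if ((int)$be['lockIP'] === 0 && (int)$be['lockIPv6'] === 0) {
        $findings['lockIP'] = 'sessions are not locked to the client IP address';
    }
    // The Redis example on this page uses the password "redis".
    $pass = $be['installToolSessionHandler']['options']['authentication']['pass'] ?? null;
    if ($pass === 'redis') {
        $findings['installToolSessionHandler'] = 'Redis password is the sample value from the documentation';
    }
    return $findings;
}

// Constructed sample configuration, as it could appear under 'BE' in
// config/system/settings.php.
$be = [
    'requireMfa' => 3,
    'loginRateLimit' => 0,
    'lockSSL' => true,
    'sessionTimeout' => 120,
    'cookieSameSite' => 'none',
    'warning_email_addr' => 'secops@example.org',
];

foreach (auditBackendSecurity($be) as $option => $finding) {
    echo '[BE][', $option, ']: ', $finding, "\n";
}
```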