$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’]

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘fluidPageModule’]

fluidPageModule
Type:bool
Default:true

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘languageDebug’]

languageDebug
Type:bool
Default:false

If enabled, language labels will be shown with additional debug information.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘fileadminDir’]

fileadminDir
Type:text
Default:‘fileadmin/’

Path to the primary directory of files for editors. This is relative to the public web dir. DefaultStorage will be created with that configuration. Do not access manually but via \TYPO3\CMS\Core\Resource\ResourceFactory::getDefaultStorage().

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘lockRootPath’]

lockRootPath
Type:text
Default:‘’

This path is used to evaluate if paths outside of the public web path should be allowed. Ending slash required!

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘userHomePath’]

userHomePath
Type:text
Default:‘’

Combined folder identifier of the directory where TYPO3 backend users have their home-dirs. A combined folder identifier looks like this: [storageUid]:[folderIdentifier]. For Example 2:users/. A home for backend user 2 would be: 2:users/2/. Ending slash required!

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘groupHomePath’]

groupHomePath
Type:text
Default:‘’

Combined folder identifier of the directory where TYPO3 backend groups have their home-dirs. A combined folder identifier looks like this: [storageUid]:[folderIdentifier]. For example 2:groups/. A home for backend group 1 would be: 2:groups/1/. Ending slash required!

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘userUploadDir’]

userUploadDir
Type:text
Default:‘’

Suffix to the user home dir which is what gets mounted in TYPO3. For example if the user dir is ../123_user/ and this value is /upload then ../123_user/upload gets mounted.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘warning_email_addr’]

warning_email_addr
Type:text
Default:‘’

Email address that will receive notifications whenever an attempt to login to the Install Tool is made. This address will also receive warnings whenever more than 3 failed backend login attempts (regardless of user) are detected within an hour.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘warning_mode’]

warning_mode
Type:

int

Default:

0

AllowedValues:
0:

Default: Do not send notification-emails upon backend-login

1:

Send a notification-email every time a backend user logs in

2:

Send a notification-email every time an ADMIN backend user logs in

Send emails to warning_email_addr upon backend-login

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘passwordReset’]

passwordReset
Type:bool
Default:true

Enable password reset functionality on the backend login for TYPO3 Backend users. Can be disabled for systems where only LDAP or OAuth login is allowed.

Password reset will then still work on CLI and for admins in the backend.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘passwordResetForAdmins’]

passwordResetForAdmins
Type:bool
Default:true

Enable password reset functionality for TYPO3 Administrators. This will affect all places such as backend login or CLI. Disable this option for increased security.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘requireMfa’]

requireMfa
Type:

int

Default:

0

AllowedValues:
0:

Default: Do not require multi-factor authentication

1:

Require multi-factor authentication for all users

2:

Require multi-factor authentication only for non-admin users

3:

Require multi-factor authentication only for admin users

4:

Require multi-factor authentication only for system maintainers

Define users which should be required to set up multi-factor authentication.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘recommendedMfaProvider’]

recommendedMfaProvider
Type:text
Default:‘totp’

Set the identifier of the multi-factor authentication provider, recommended for all users.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘lockIP’]

lockIP
Type:

int

Default:

0

AllowedValues:
0:

Default: Do not lock Backend User sessions to their IP address at all

1:

Use the first part of the editors IPv4 address (for example “192.”) as part of the session locking of Backend Users

2:

Use the first two parts of the editors IPv4 address (for example “192.168”) as part of the session locking of Backend Users

3:

Use the first three parts of the editors IPv4 address (for example “192.168.13”) as part of the session locking of Backend Users

4:

Use the editors full IPv4 address (for example “192.168.13.84”) as part of the session locking of Backend Users (highest security)

Session IP locking for backend users. See [FE][lockIP] for details.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘lockIPv6’]

lockIPv6
Type:

int

Default:

0

AllowedValues:
0:

Default: Do not lock Backend User sessions to their IP address at all

1:

Use the first block (16 bits) of the editors IPv6 address (for example “2001:”) as part of the session locking of Backend Users

2:

Use the first two blocks (32 bits) of the editors IPv6 address (for example “2001:0db8”) as part of the session locking of Backend Users

3:

Use the first three blocks (48 bits) of the editors IPv6 address (for example “2001:0db8:85a3”) as part of the session locking of Backend Users

4:

Use the first four blocks (64 bits) of the editors IPv6 address (for example “2001:0db8:85a3:08d3”) as part of the session locking of Backend Users

5:

Use the first five blocks (80 bits) of the editors IPv6 address (for example “2001:0db8:85a3:08d3:1319”) as part of the session locking of Backend Users

6:

Use the first six blocks (96 bits) of the editors IPv6 address (for example “2001:0db8:85a3:08d3:1319:8a2e”) as part of the session locking of Backend Users

7:

Use the first seven blocks (112 bits) of the editors IPv6 address (for example “2001:0db8:85a3:08d3:1319:8a2e:0370”) as part of the session locking of Backend Users

8:

Use the editors full IPv6 address (for example “2001:0db8:85a3:08d3:1319:8a2e:0370:7344”) as part of the session locking of Backend Users (highest security)

Session IPv6 locking for backend users. See [FE][lockIPv6] for details.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘sessionTimeout’]

sessionTimeout
Type:int
Default:28800

Session time out for backend users in seconds. The value must be at least 180 to avoid side effects. Default is 28.800 seconds = 8 hours.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘IPmaskList’]

IPmaskList
Type:list
Default:‘’

Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig.

See syntax for that (or look up syntax for the function \TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP())

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘lockSSL’]

lockSSL
Type:bool
Default:false

If set, the backend can only be operated from an SSL-encrypted connection (https). A redirect to the SSL version of a URL will happen when a user tries to access non-https admin-urls

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘lockSSLPort’]

lockSSLPort
Type:int
Default:0

Use a non-standard HTTPS port for lockSSL. Set this value if you use lockSSL and the HTTPS port of your webserver is not 443.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘cookieDomain’]

cookieDomain
Type:text
Default:‘’

Same as $TYPO3_CONF_VARS[SYS][cookieDomain]<typo3ConfVars_sys_cookieDomain> but only for BE cookies. If empty, $TYPO3_CONF_VARS[SYS][cookieDomain] value will be used.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘cookieName’]

cookieName:
Type:text
Default:‘be_typo_user’

Set the name for the cookie used for the back-end user session

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘cookieSameSite’]

cookieSameSite
Type:

text

Default:

‘strict’

AllowedValues:
lax:

Cookies set by TYPO3 are only available for the current site, third-party integrations are not allowed to read cookies, except for links and simple HTML forms

strict:

Cookies sent by TYPO3 are only available for the current site, never shared to other third-party packages

none:

Allow cookies set by TYPO3 to be sent to other sites as well, please note - this only works with HTTPS connections

Indicates that the cookie should send proper information where the cookie can be shared (first-party cookies vs. third-party cookies) in TYPO3 Backend.

Removed: $GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘loginSecurityLevel’]

Deprecated since version 11.3: This option was removed with version 11.3. The only possible value has been ‘normal’. This behaviour stays unchanged. When this option has been set in your LocalConfiguration.php or AdditionalConfiguration.php files, they are automatically removed when accessing the admin tool or system maintenance area.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘showRefreshLoginPopup’]

showRefreshLoginPopup
Type:bool
Default:false

If set, the Ajax relogin will show a real popup window for relogin after the count down. Some auth services need this as they add custom validation to the login form. If its not set, the Ajax relogin will show an inline relogin window.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘adminOnly’]

adminOnly
Type:int
Default:0
AllowedValues:-1: Total shutdown for maintenance purposes 0: Default: All users can access the TYPO3 Backend 1: Only administrators / system maintainers can log in, CLI interface is disabled as well 2: Only administrators / system maintainers have access to the TYPO3 Backend, CLI executions are allowed as well

Restricts access to the TYPO3 Backend - especially useful when doing maintenance or updates

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘disable_exec_function’]

disable_exec_function
Type:bool
Default:false

Dont use exec() function (except for ImageMagick which is disabled by [GFX][im]<typo3ConfVars_gfx_im> =0). If set, all file operations are done by the default PHP-functions. This is necessary under Windows! On Unix the system commands by exec() can be used, unless this is disabled.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘compressionLevel’]

compressionLevel
Type:text
Default:0
Range:0-9

Determines output compression of BE output. Makes output smaller but slows down the page generation depending on the compression level. Requires

  • zlib in your PHP installation and
  • special rewrite rules for .css.gzip and .js.gzip

(please see _.htacces for an example). Range 1-9, where 1 is least compression and 9 is greatest compression. true as value will set the compression based on the PHP default settings (usually 5). Suggested and most optimal value is 5.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘installToolPassword’]

installToolPassword
Type:string
Default:‘’

The hash of the install tool password.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘checkStoredRecords’]

checkStoredRecords
Type:bool
Default:true

If set, values of the record are validated after saving in DataHandler. Disable only if using a database in strict mode.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘checkStoredRecordsLoose’]

checkStoredRecordsLoose
Type:bool
Default:true

If set, make a loose comparison ( equals 0) when validating record values after saving in DataHandler.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘defaultUserTSconfig’]

defaultUserTSconfig
Type:text

Contains the default user TSconfig.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘defaultPageTSconfig’]

defaultPageTSconfig
Type:text

Contains the default page TSconfig.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘defaultPermissions’]

defaultPermissions
Type:array
Default:[]

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘defaultUC’]

defaultUC
Type:array
Default:[]

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘defaultPermissions’]

customPermOptions
Type:array
Default:[]

Array with sets of custom permission options. Syntax is:

'key' => array(
   'header' => 'header string, language split',
   'items' => array(
      'key' => array('label, language split','icon reference', 'Description text, language split')
   )
)

Keys cannot contain characters any of the following characters: :|,.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘fileDenyPattern’]

fileDenyPattern
Type:text
Default:‘’

A perl-compatible and JavaScript-compatible regular expression (without delimiters /) that - if it matches a filename - will deny the file upload/rename or whatever.

For security reasons, files with multiple extensions have to be denied on an Apache environment with mod_alias, if the filename contains a valid php handler in an arbitrary position. Also, “.htaccess” files have to be denied. Matching is done case-insensitive.

Default value is stored in PHP constant FILE_DENY_PATTERN_DEFAULT

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘interfaces’]

interfaces
Type:text
Default:backend

This determines which interface options are available in the login prompt

(All options: “backend,frontend”)

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘explicitADmode’]

explicitADmode
Type:

dropdown

Default:

‘explicitDeny’

AllowedValues:
explicitAllow:

Administrators have to explicitly grant access for all editors and groups

explicitDeny:

Editors have access to all content types by default, access has to explicitly restricted

Sets the general allow/deny mode for Content Element Types (CTypes) when granting or restricting access for backend users

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘flexformForceCDATA’]

flexformForceCDATA
Type:bool
Default:0

If set, will add CDATA to Flexform XML. Some versions of libxml have a bug that causes HTML entities to be stripped from any XML content and this setting will avoid the bug by adding CDATA.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘versionNumberInFilename’]

versionNumberInFilename
Type:

bool

Default:

false

If enabled, included CSS and JS files loaded in the TYPO3 Backend will have the timestamp embedded in the filename, ie. filename.1269312081.js . This will make browsers and proxies reload the files if they change (thus avoiding caching issues).

IMPORTANT: This feature requires extra .htaccess rules to work (please refer to the typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/root-htaccess file shipped with TYPO3).

If disabled the last modification date of the file will be appended as a query-string.

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘debug’]

debug
Type:bool
Default:false

If enabled, the login refresh is disabled and pageRenderer is set to debug mode. Furthermore the fieldname is appended to the label of fields. Use this to debug the backend only!

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘toolbarItems’]

toolbarItems
Type:array
Default:[]

Registered toolbar items classes

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘HTTP’]

HTTP
Type:

array

Default:
[
   'Response' => [
      'Headers' => ['clickJackingProtection' => 'X-Frame-Options: SAMEORIGIN']
   ]
]

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘passwordHashing’][‘className’]

passwordHashing className
Type:

dropdown

Default:

‘TYPO3CMSCoreCryptoPasswordHashingArgon2iPasswordHash’

AllowedValues:
‘TYPO3CMSCoreCryptoPasswordHashingArgon2iPasswordHash’:

‘Good password hash mechanism. Used by default if available.’

‘TYPO3CMSCoreCryptoPasswordHashingArgon2idPasswordHash’:

‘Good password hash mechanism.’

‘TYPO3CMSCoreCryptoPasswordHashingBcryptPasswordHash’:

‘Good password hash mechanism.’

‘TYPO3CMSCoreCryptoPasswordHashingPbkdf2PasswordHash’:

‘Fallback hash mechanism if argon and bcrypt are not available.’

‘TYPO3CMSCoreCryptoPasswordHashingPhpassPasswordHash’:

‘Fallback hash mechanism if none of the above are available.’

$GLOBALS[‘TYPO3_CONF_VARS’][‘BE’][‘passwordHashing’][‘options’]

passwordHashing options
Type:array
Default:[]

Special settings for specific hashes.