:navigation-title: Code Integrity .. include:: /Includes.rst.txt .. _security-integrity-packages: =============================== Verify integrity of TYPO3 code =============================== Ensuring that the TYPO3 source code has not been tampered with is very important for security reasons. TYPO3 can either be installed via Composer or by downloading a prebuilt package. Each method requires different integrity checks. .. _security-integrity-packages-composer: Composer-based installations ============================ When using Composer, TYPO3 and its dependencies are downloaded directly by Composer from trusted sources such as `packagist.org` and `packages.typo3.org`. To ensure source integrity: - Use official TYPO3 packages (for example :composer:`typo3/cms-base-distribution`) - Commit the :file:`composer.lock` file to track versions and sources - Keep Composer and your system's trusted certificate store (CA certificates) up to date to ensure secure HTTPS connections when downloading packages. Composer ensures a secure and verifiable dependency management workflow. It is recommended to run Composer locally or in a `CI pipeline `_, and `deploy `_ only the prepared files - including the :directory:`vendor/` directory - to the production environment. .. _security-integrity-packages-classic: Classic (non-Composer) installations ==================================== If installing TYPO3 via a downloaded archive (ZIP, tar.gz), verify the SHA2-256 checksum before extracting. Only download from the official site: `get.typo3.org `_. For details, see: `TYPO3 release integrity `_ Avoid vendor-provided or pre-installed packages unless you fully trust their source.