Typo3 sensitive files
Description
The TYPO3 CMS installation exposes sensitive configuration or system files that should not be publicly accessible. These files may include database configuration files, installation scripts, or other system files that contain technical details about the application's setup and environment. Public access to these files violates security best practices and increases the attack surface of the application.
Remediation
Restrict public access to sensitive TYPO3 files and directories by implementing proper web server access controls.
For Nginx, add the following location blocks to your server configuration to deny access to sensitive files:
location ~ /\. {
    deny all;
}
location ~* /(typo3conf|typo3temp|uploads|fileadmin)/.*\.(php|sql|sh|bak|swp|old|log)$ {
    deny all;
}
location ~* /composer\.(json|lock)$ {
    deny all;
}
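To confirm that these patterns deny what you expect before reloading nginx, here is an added Python example (not part of the original page) that emulates nginx's regex location matching for the three blocks above against a handful of constructed request paths. It checks the patterns only, not a live server; the path list and its verdicts are assumptions built for this illustration.

```python
import re

# The nginx regex locations from the remediation above, paired with their
# modifier: "~" matches case-sensitively, "~*" case-insensitively.
NGINX_DENY_LOCATIONS = [
    ("~",  r"/\."),
    ("~*", r"/(typo3conf|typo3temp|uploads|fileadmin)/.*\.(php|sql|sh|bak|swp|old|log)$"),
    ("~*", r"/composer\.(json|lock)$"),
]


def compile_locations(locations):
    """Compile (modifier, pattern) pairs, honouring nginx's case flags.
    nginx tests regex locations with an unanchored search, like re.search."""
    return [re.compile(pattern, re.IGNORECASE if modifier == "~*" else 0)
            for modifier, pattern in locations]


def is_denied(path, compiled):
    """True if any deny location matches the request URI."""
    return any(rx.search(path) for rx in compiled)


def check_paths(paths, locations=NGINX_DENY_LOCATIONS):
    """Map each sample request path to 'denied' or 'served'.
    Caveat: nginx matches the normalised, percent-decoded URI, and a prefix
    location with ^~ takes precedence over these regexes; neither is emulated."""
    compiled = compile_locations(locations)
    return {p: ("denied" if is_denied(p, compiled) else "served") for p in paths}


# Constructed request paths: some that must be blocked, some that must keep working.
SAMPLE_PATHS = [
    "/typo3conf/LocalConfiguration.php",
    "/typo3conf/LocalConfiguration.PHP",   # ~* makes the extension check case-insensitive
    "/typo3temp/var/cache/data.sql",
    "/fileadmin/backup/site.bak",
    "/composer.lock",
    "/.git/config",
    "/.well-known/acme-challenge/token",    # also denied by /\. : needs an exception if ACME is used
    "/fileadmin/brochure.pdf",
    "/typo3/index.php",
    "/index.php",
]

if __name__ == "__main__":
    for path, verdict in check_paths(SAMPLE_PATHS).items():
        print(f"{verdict:6} {path}")
```

Because the first block also matches /.well-known/, a site that relies on ACME HTTP validation needs an explicit `location ^~ /.well-known/ { ... }` block, since a ^~ prefix match takes precedence over regex locations.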
For Apache, ensure the following directives (Apache 2.4 Require syntax) are in your .htaccess or virtual host configuration:
<FilesMatch "\.(sql|bak|swp|old|log|sh)$">
    Require all denied
</FilesMatch>
<FilesMatch "composer\.(json|lock)$">
    Require all denied
</FilesMatch>
Additionally, remove any unnecessary installation files, backup files, or test files from the production environment. Verify that the TYPO3 installation wizard has been properly disabled after initial setup.