TYPO3-Documentation
diff --git a/‎Documentation/Security/GuidelinesAdministrators/RestrictAccessToFiles.rst‎
Lines changed: 137 additions & 169 deletions b/‎Documentation/Security/GuidelinesAdministrators/RestrictAccessToFiles.rst‎
Lines changed: 137 additions & 169 deletions
@@ -1,171 +1,139 @@
-.. include:: /Includes.rst.txt
-.. index::
-   Security guidelines; Restrict file access
-   Security guidelines; Web servers
-.. _security-restrict-access-server-level:
-
-==========================================
-Restrict access to files on a server-level
-==========================================
-
-This is a controversial topic: Some experts recommend to restrict the
-access to specific files on a server-level by using Apache's
-`FilesMatch` directive for example. Such files could be files with the
-endings :file:`.bak`, :file:`.tmp`, :file:`.sql`, :file:`.old`, etc. in their
-file names. The purpose of this restriction is, that even if backup files or
-database dump files are accidentally stored in the DocRoot directory of the
-web server, they cannot be downloaded.
-
-The downside of this measure is, that this is not the solution of the
-problem but a workaround only. The right recommendation would be not
-to store sensitive files (such as backups, etc.) in the DocRoot
-directory at all – instead of trying to address the issue by
-restricting the access to certain file names (keep in mind that you
-cannot predict which file names could occur in the future).
-
-
-Verification of access restrictions
-===================================
-
-Administrators should *test and verify* file access to these files are actually denied.
-The following list provides some files as an example that should not be retrievable
-directly by using HTTP requests:
-
-* :samp:`https://example.org/.git/index`
-* :samp:`https://example.org/INSTALL.md`
-* :samp:`https://example.org/INSTALL.txt`
-* :samp:`https://example.org/ChangeLog`
-* :samp:`https://example.org/composer.json`
-* :samp:`https://example.org/composer.lock`
-* :samp:`https://example.org/vendor/autoload.php`
-* :samp:`https://example.org/typo3_src/Build/package.json`
-* :samp:`https://example.org/typo3_src/bin/typo3`
-* :samp:`https://example.org/typo3_src/INSTALL.md`
-* :samp:`https://example.org/typo3_src/INSTALL.txt`
-* :samp:`https://example.org/typo3_src/ChangeLog`
-* :samp:`https://example.org/typo3_src/vendor/autoload.php`
-* :samp:`https://example.org/typo3conf/system/settings.php`
-* :samp:`https://example.org/typo3conf/system/additional.php`
-* :samp:`https://example.org/typo3temp/var/log/`
-* :samp:`https://example.org/typo3temp/var/session/`
-* :samp:`https://example.org/typo3temp/var/tests/`
-* :samp:`https://example.org/typo3/sysext/core/composer.json`
-* :samp:`https://example.org/typo3/sysext/core/ext_tables.sql`
-* :samp:`https://example.org/typo3/sysext/core/Configuration/Services.yaml`
-* :samp:`https://example.org/typo3/sysext/extbase/ext_typoscript_setup.txt`
-* :samp:`https://example.org/typo3/sysext/extbase/ext_typoscript_setup.typoscript`
-* :samp:`https://example.org/typo3/sysext/felogin/Configuration/FlexForms/Login.xml`
-* :samp:`https://example.org/typo3/sysext/backend/Resources/Private/Language/locallang.xlf`
-* :samp:`https://example.org/typo3/sysext/backend/Tests/Unit/Utility/Fixtures/clear.gif`
-* :samp:`https://example.org/typo3/sysext/belog/Configuration/TypoScript/setup.txt`
-* :samp:`https://example.org/typo3/sysext/belog/Configuration/TypoScript/setup.typoscript`
-
-The list above is probably not complete. However, if general deny rules are in place links
-provided above should not be accessible anymore and result in a HTTP `403` error response.
-
+:navigation-title: Restrict File Access
+
+..  include:: /Includes.rst.txt
+..  _security-restrict-access-server-level:
+
+============================================
+Restrict access to files at the server level
+============================================
+
+TYPO3 installations can either use a classic mode (non-Composer) or a
+Composer-based approach. File access and web server configuration differ
+significantly between these setups. This chapter outlines recommendations
+for both cases.
+
+..  contents:: Table of contents
+
+..  _security-restrict-access-server-level-composer:
+
+Composer-based installations
+============================
+
+For Composer-based TYPO3 installations, the public document root is typically
+the :file:`public/` directory. All web-accessible files are
+placed in this folder, while all sensitive and internal application files
+(e.g., :file:`vendor/`, :file:`.git/`, configuration files) are stored outside
+the document root by default.
+
+This layout significantly reduces the risk of accidental exposure of
+sensitive files, eliminating the need for complex blacklisting rules.
+
+**Recommendations for Composer-based installations:**
+
+-   Ensure the web server document root points to the :file:`public/`
+    directory only.
+-   Verify that all non-public files (e.g., :file:`composer.json`, :file:`.env`,
+    :file:`vendor/`, :file:`config/`) are outside of this directory.
+-   Keep your :file:`public/.htaccess` (Apache) or server config (NGINX/IIS)
+    files updated to deny access to any critical files inside the public folder.
+-   Store downloadable files that are only intended for authenticated users in
+    `File storage <https://docs.typo3.org/permalink/t3coreapi:fal-administration-storages>`_
+    located outside the document root. Deliver them programmatically to
+    authenticated users, for example using extensions like
+    :composer:`leuchtfeuer/secure-downloads`.
+
+..  _security-restrict-access-server-level-classic:
+
+Classic-mode installations
+==========================
+
+In classic TYPO3 installations (without Composer), all files are contained in the
+web root directory. This increases the risk of accidental exposure of internal
+files. For example, temporary files such as backups or logs may become
+accessible unless explicitly protected.
+
+**Restricting access to sensitive files**
+
+Some experts recommend denying access to certain file types (e.g.,
+:file:`.bak`, :file:`.tmp`, :file:`.sql`, :file:`.old`) using web server rules
+like Apache's `FilesMatch` directive. This helps prevent downloads of
+sensitive files that have accidentally been placed in the document root.
+
+However, this is a workaround — not a real solution. The proper approach is to
+ensure sensitive files are never stored in the web root at all. Blocking access
+by file name patterns is unreliable, as future file names cannot be predicted.
+
+..  _security-restrict-access-server-level-verification:
+
+Verification of access restrictions in Classic-mode installations
+-----------------------------------------------------------------
+
+Administrators must *verify* that access to sensitive files is properly denied.
+Attempting to access any of the following files should result in an HTTP `403`
+error:
+
+*   :samp:`https://example.org/.git/index`
+*   :samp:`https://example.org/INSTALL.md`
+*   :samp:`https://example.org/INSTALL.txt`
+*   :samp:`https://example.org/ChangeLog`
+*   :samp:`https://example.org/composer.json`
+*   :samp:`https://example.org/composer.lock`
+*   :samp:`https://example.org/vendor/autoload.php`
+*   :samp:`https://example.org/typo3_src/Build/package.json`
+*   :samp:`https://example.org/typo3_src/bin/typo3`
+*   :samp:`https://example.org/typo3_src/INSTALL.md`
+*   :samp:`https://example.org/typo3_src/INSTALL.txt`
+*   :samp:`https://example.org/typo3_src/ChangeLog`
+*   :samp:`https://example.org/typo3_src/vendor/autoload.php`
+*   :samp:`https://example.org/typo3conf/system/settings.php`
+*   :samp:`https://example.org/typo3conf/system/additional.php`
+*   :samp:`https://example.org/typo3temp/var/log/`
+*   :samp:`https://example.org/typo3temp/var/session/`
+*   :samp:`https://example.org/typo3temp/var/tests/`
+*   :samp:`https://example.org/typo3/sysext/core/composer.json`
+*   :samp:`https://example.org/typo3/sysext/core/ext_tables.sql`
+*   :samp:`https://example.org/typo3/sysext/core/Configuration/Services.yaml`
+*   :samp:`https://example.org/typo3/sysext/extbase/ext_typoscript_setup.txt`
+*   :samp:`https://example.org/typo3/sysext/extbase/ext_typoscript_setup.typoscript`
+*   :samp:`https://example.org/typo3/sysext/felogin/Configuration/FlexForms/Login.xml`
+*   :samp:`https://example.org/typo3/sysext/backend/Resources/Private/Language/locallang.xlf`
+*   :samp:`https://example.org/typo3/sysext/backend/Tests/Unit/Utility/Fixtures/clear.gif`
+*   :samp:`https://example.org/typo3/sysext/belog/Configuration/TypoScript/setup.txt`
+*   :samp:`https://example.org/typo3/sysext/belog/Configuration/TypoScript/setup.typoscript`
+
+
+..  _security-restrict-access-server-level-htaccess:
 
 Apache and Microsoft IIS web servers
-====================================
-
-To increase protection of TYPO3 instances, the Core Team however decided to
-install default web server configuration files under certain
-circumstances: If an Apache web server is detected by the web based installation
-procedure, a default :file:`.htaccess` file is written to the document root, and if
-a Microsoft IIS web server is detected, a default :file:`web.config` file is written
-to the document root. These files contain web server configurations to deny direct web
-access to a series of common file types and directories, for instance version control system
-directories like :file:`.git/`, all private template directories like :file:`Resources/Private/`
-and common package files like :file:`composer.json <extension-composer-json>`.
-
-
-This "black list" approach needs maintenance: The Core Team tries to keep the template files
-:file:`.htaccess` and :file:`web.config` updated. If running Apache or IIS, administrators
-should compare their specific version with the reference files found at
-:t3src:`install/Resources/Private/FolderStructureTemplateFiles/root-htaccess`
-and :t3src:`install/Resources/Private/FolderStructureTemplateFiles/root-web-config`
-and adapt or update local versions if needed.
-
-See :ref:`<maintain-htaccess>` for details on maintaining the file after a major
-version upgrade.
-
-
-NGINX web servers
-=================
-
-Administrators running the popular web server `NGINX <https://www.nginx.com/>`_ need to
-take additional measures: NGINX does not support an approach like Apache or IIS to configure
-access by putting files into the web document directories - the TYPO3 install procedure can
-not install good default files and administrators must merge deny patterns into the web
-servers virtual host configuration. A typical example looks like this:
-
-.. code-block:: nginx
-
-    server {
-
-        # ...
-
-        # Prevent clients from accessing hidden files (starting with a dot)
-        # This is particularly important if you store .htpasswd files in the site hierarchy
-        # Access to `/.well-known/` is allowed.
-        # https://www.mnot.net/blog/2010/04/07/well-known
-        # https://tools.ietf.org/html/rfc5785
-        location ~* /\.(?!well-known\/) {
-            deny all;
-        }
-
-        # Prevent clients from accessing to backup/config/source files
-            location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
-            deny all;
-        }
-
-        # TYPO3 - Block access to Composer files
-        location ~* composer\.(?:json|lock) {
-            deny all;
-        }
-
-        # TYPO3 - Block access to flexform files
-        location ~* flexform[^.]*\.xml {
-            deny all;
-        }
-
-        # TYPO3 - Block access to language files
-        location ~* locallang[^.]*\.xlf {
-            deny all;
-        }
-
-        # TYPO3 - Block access to static typoscript files
-        location ~* ext_conf_template\.txt|ext_typoscript_constants\.(?:txt|typoscript)|ext_typoscript_setup\.(?:txt|typoscript) {
-            deny all;
-        }
-
-        # TYPO3 - Block access to miscellaneous protected files
-        location ~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql)$ {
-            deny all;
-        }
-
-        # TYPO3 - Block access to recycler and temporary directories
-        location ~ _(?:recycler|temp)_/ {
-            deny all;
-        }
-
-        # TYPO3 - Block access to configuration files stored in fileadmin
-        location ~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$ {
-            deny all;
-        }
-
-        # TYPO3 - Block access to libraries, source and temporary compiled data
-        location ~ ^(?:vendor|typo3_src|typo3temp/var) {
-            deny all;
-        }
-
-        # TYPO3 - Block access to protected extension directories
-        location ~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ {
-            deny all;
-        }
-
-        # ...
-
-    }
-
-The config example above has been taken from `ddev
-<https://github.com/drud/ddev/blob/f2171f390a3af8d4a85954105e8aa68b8bcab5ac/containers/ddev-webserver/files/etc/nginx/nginx-site-typo3.conf>`_.
+------------------------------------
+
+In classic mode, TYPO3 automatically creates default web server config files
+(:file:`.htaccess` for Apache, :file:`web.config` for IIS) to deny access to
+common sensitive files and directories.
+
+These blacklist-style rules require ongoing maintenance. Administrators should
+regularly compare their config files with the TYPO3 reference templates:
+
+*   :t3src:`install/Resources/Private/FolderStructureTemplateFiles/root-htaccess`
+*   :t3src:`install/Resources/Private/FolderStructureTemplateFiles/root-web-config`
+
+See :ref:`<maintain-htaccess>` for updating config files after major version
+upgrades.
+
+..  _security-restrict-access-server-level-nginx:
+
+NGINX Web Servers configuration (both installation modes)
+=========================================================
+
+NGINX does not support `.htaccess` or similar per-directory configuration
+so TYPO3 cannot install default protection automatically. Instead, administrators
+must include appropriate deny rules in the virtual host configuration.
+
+A sample configuration is provided by DDEV:
+
+..  literalinclude:: _codesnippets/_nginx.config
+    :language: plaintext
+    :caption:  nginx-site-typo3.conf
+
+This example is taken from `DDEV webserver config
+<https://github.com/ddev/ddev/blob/6a7655c178f5961666bb9c9efd10442314f6749c/pkg/ddevapp/webserver_config_assets/nginx-site-typo3.conf>`_.