[TASK] Update File integrity Security Guidelines (#5631)

* [TASK] Update File integrity Security Guidelines

Releases: main, 13.4. 12.4

* [TASK] Update File integrity Security Guidelines

Releases: main, 13.4. 12.4

* [TASK] Language checks

Releases: main

---------

Co-authored-by: Sarah McCarthy <[email protected]>

Author: linawolf

Documentation/Security/GuidelinesAdministrators/IntegrityOfTypo3Packages.rst

@@ -1,32 +1,49 @@
-.. include:: /Includes.rst.txt
-.. index::
-   Security guidelines; Checksums
-   Security guidelines; Package integrity
-.. _security-integrity-packages:
-
-===========================
-Integrity of TYPO3 Packages
-===========================
-
-In order to ensure that the downloaded TYPO3 package is an official
-package released by the TYPO3 developers, compare the `SHA2-256` checksum of
-the downloaded package with the checksum stated on the TYPO3 website,
-before you extract/install TYPO3. You find the `SHA2-256` checksums on
+:navigation-title: Code Integrity
+
+..  include:: /Includes.rst.txt
+..  _security-integrity-packages:
+
+===============================
+Verify integrity of TYPO3 code
+===============================
+
+Ensuring that the TYPO3 source code has not been tampered with is very important
+for security reasons. TYPO3 can either be installed via Composer or by downloading
+a prebuilt package. Each method requires different integrity checks.
+
+..  _security-integrity-packages-composer:
+
+Composer-based installations
+============================
+
+When using Composer, TYPO3 and its dependencies are downloaded directly by
+Composer from trusted sources such as `packagist.org` and `packages.typo3.org`.
+
+To ensure source integrity:
+
+-   Use official TYPO3 packages (for example :composer:`typo3/cms-base-distribution`)
+-   Commit the :file:`composer.lock` file to track versions and sources
+-   Keep Composer and your system's trusted certificate store (CA certificates)
+    up to date to ensure secure HTTPS connections when downloading packages.
+
+Composer ensures a secure and verifiable dependency management workflow. It is
+recommended to run Composer locally or in a
+`CI pipeline <https://docs.typo3.org/permalink/t3coreapi:ci-cd-for-typo3-projects>`_,
+and `deploy <https://docs.typo3.org/permalink/t3coreapi:deployment>`_ only the
+prepared files - including the :directory:`vendor/` directory -
+to the production environment.
+
+..  _security-integrity-packages-classic:
+
+Classic (non-Composer) installations
+====================================
+
+If installing TYPO3 via a downloaded archive (ZIP, tar.gz), verify the
+SHA2-256 checksum before extracting. Only download from the official site:
 `get.typo3.org <https://get.typo3.org>`_.
 
-Be careful when using pre-installed or pre-configured packages by
-other vendors: due to the nature and complexity of TYPO3 the system
-requires configuration. Some vendors offer download-able packages,
-sometimes including components such as Apache, MySQL, PHP and TYPO3,
-easy to extract and ready to launch. This is a comfortable way to set
-up a test or development environment very quickly but it is difficult
-to verify the integrity of the components – for example the integrity
-of TYPO3.
-
-A similar thing applies to web environments offered by hosting
-companies: system images sometimes include a bunch of software
-packages, including a CMS. It depends on the specific project and if
-you can trust the provider of these pre-installed images, systems,
-packages – but if you are in doubt, use the official TYPO3 packages
-only. For a production site in particular, you should trust the source
-code published at `get.typo3.org <https://get.typo3.org>`_ only.
+For details, see: `TYPO3 release integrity
+<https://docs.typo3.org/permalink/t3coreapi:release-integrity>`_
+
+Avoid vendor-provided or pre-installed packages unless you fully trust their
+source.

Documentation/Security/GuidelinesAdministrators/OtherServices.rst

@@ -1,36 +1,33 @@
+:navigation-title: Insecure Uploads
+
 .. include:: /Includes.rst.txt
 .. _security-other-services:
 
-==============
-Other Services
-==============
-
-System administrators should keep in mind that every "untrusted"
-script (e.g. PHP, perl, python script) or executable file inside the
-web server's document root is a security risk. By a correct and secure
-configuration, the internal security mechanisms of TYPO3 ensure that
-the CMS does not allow editors and other unprivileged users to place
-such code through the system (see chapter :ref:`Global TYPO3 configuration options
-<security-global-typo3-options>`).
-
-However, it is often seen that other services like `FTP`, `SFTP`, `SSH`,
-`WebDAV`, etc. are enabled to allow users (for example editors) to place
-files such as images, documents, etc. on the server, typically in the
-:file:`fileadmin/` folder. It is out of question that this might be seen as
-a convenient way to upload files and file transfers via `FTP` are
-simpler and faster to do. The main problem with this is that to enable
-"other services" with write access to the document root directory,
-bypasses the security measures mentioned above. A malicious PHP script
-for example could manipulate or destroy other files – maybe TYPO3 Core
-files. Sometimes access details of editors are stolen, intercepted or
-accidentally fallen into the wrong hands.
-
-The only recommendation from a security perspective is to abandon any
-service like `FTP`, `SFTP`, etc. which allows to upload files to the
-server by bypassing TYPO3.
-
-The TYPO3 Security Team and other IT security experts advance the view
-that **FTP is classified as insecure** in general. They have experienced
-that many websites have been hacked by a compromised client and/or unencrypted
-`FTP` connections and as a consequence, it strongly is advised that `FTP`
-must not be used at all.
+===========================
+Avoid insecure file uploads
+===========================
+
+Uploading untrusted scripts (e.g. PHP, Perl, Python) or executables into the
+web root is a major security risk. TYPO3 prevents this via backend restrictions
+(see :ref:`Global TYPO3 configuration options <security-global-typo3-options>`).
+
+These safeguards are bypassed if services like :abbr:`FTP (File Transfer Protocol)`,
+:abbr:`SFTP (SSH File Transfer Protocol)`, :abbr:`SSH (Secure Shell)`, or
+:abbr:`WebDAV (Web Distributed Authoring and Versioning)` allow direct file
+uploads—commonly into :file:`fileadmin/`.
+
+Such access can lead to:
+
+-   Upload of malicious scripts
+-   TYPO3 Core files being overwritten
+-   Abuse via leaked credentials
+
+Recommended actions:
+
+-   **Disable FTP/SFTP/SSH access** to the document root for users.
+-   **Use the TYPO3 backend** for file uploads.
+-   **Enforce secure upload policies** in the TYPO3 file storage configuration.
+
+..  warning::
+    The TYPO3 Security Team considers FTP to be insecure due to the lack of encryption.
+    **Do not use FTP under any circumstances.**