Set up secure TYPO3 web directory containing only public assets

v0.2.9 2019-05-30 15:24 UTC


This Composer package uses typo3/cms-composer-installers to create a web directory for TYPO3 that contains only the entry scripts and links to public assets. Configuration and log files are no longer exposed.

This package currently only works with typo3/cms ^8.7.8 or higher.

Also note that with this package installed, only explicitly required system extensions are copied to the web directory. Require them in your root composer.json or in the composer.json of any installed package.

All mandatory system extensions are already required by this package:

    "typo3/cms-backend": "^8.7",
    "typo3/cms-core": "^8.7",
    "typo3/cms-extbase": "^8.7",
    "typo3/cms-extensionmanager": "^8.7",
    "typo3/cms-filelist": "^8.7",
    "typo3/cms-fluid": "^8.7",
    "typo3/cms-frontend": "^8.7",
    "typo3/cms-install": "^8.7",
    "typo3/cms-lang": "^8.7",
    "typo3/cms-recordlist": "^8.7",
    "typo3/cms-saltedpasswords": "^8.7"


    composer require helhum/typo3-secure-web


Put the following in your root composer.json file:

    "extra": {
        "typo3/cms": {
            "root-dir": "private",
            "web-dir": "public"
        }
    }

This package then sets up the web server document root inside the public folder and TYPO3 inside the private folder. The private folder will look familiar and contain the typo3, typo3conf, fileadmin, typo3temp and uploads folders, while public will only contain the entry scripts and links to fileadmin, typo3temp/assets and the Resources/Public folders of all installed (system) extensions.

Note that uploads will not be exposed by default. Depending on your setup, you might want to consider linking some or all folders to the public folder as well.
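
A check for the layout described above, as an added example that is not part of this package: the script lists anything reachable below the web directory that belongs in the private folder (typo3conf, typo3temp content other than assets, and log files, including those inside linked folders). The function names and the sample tree are constructed for illustration; uploads is not flagged because it may be linked deliberately.

```shell
#!/bin/sh
# Added example, not part of helhum/typo3-secure-web.
# Assumption: the argument is the "web-dir" configured in composer.json.

# Print every path reachable below the web directory that should be private.
list_exposed() (
    cd "$1" || exit 2
    {
        # Configuration lives in typo3conf, which belongs in the private folder.
        if [ -e typo3conf ] || [ -L typo3conf ]; then echo typo3conf; fi
        # Of typo3temp, only the assets folder is meant to be linked.
        if [ -d typo3temp ]; then
            find -L typo3temp -mindepth 1 -maxdepth 1 ! -name assets
        fi
        # -L follows the links, so logs inside linked folders are found too.
        find -L . -type f -name '*.log' 2>/dev/null | sed 's|^\./||'
    } | sort -u
)

# Exit status: 0 nothing exposed, 1 findings, 2 web directory not readable.
audit_webroot() {
    exposed=$(list_exposed "$1") || return 2
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/EXPOSED: /'
        return 1
    fi
    echo "OK: no configuration or log files below $1"
}

# Constructed sample tree that mirrors the layout described above.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/private/typo3conf" "$root/private/fileadmin" \
        "$root/private/typo3temp/assets" "$root/private/typo3temp/var" \
        "$root/public/typo3temp"
    : > "$root/private/typo3temp/var/sample.log"
    : > "$root/public/index.php"
    ln -s ../private/fileadmin "$root/public/fileadmin"
    ln -s ../../private/typo3temp/assets "$root/public/typo3temp/assets"
    echo "$root"
}

# Audit the directory given on the command line, if any.
[ "$#" -eq 0 ] || audit_webroot "$1"
```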

Important note

While it would still be possible to require typo3/cms (the complete TYPO3 package) for TYPO3 version 8.7, it is not recommended any more and won't work with TYPO3 9.