Task #28368
closed
Enhance default .htaccess settings
Added by Xavier Perseguers over 13 years ago.
Updated over 11 years ago.
Description
Idea popped up after seeing lots of Google results "polluted" by BE login forms being indexed.
TYPO3 could come out-of-the-box with some enhanced settings. We already provide default .htaccess settings and of course users of non-Apache servers have to handle it manually but we could have some additional default settings, without going too deep. Here are some ideas:
- Restrict indexation to /typo3, /t3lib, ... does not make sense to allow it anyway
- Templates are commonly stored in /fileadmin/templates, restrict access to .ts, .txt, .html (non-processed configuration files)
We'll see if it makes sense at all.
- Priority changed from Should have to Could have
Well, putting that into robots.txt would probably fit better, wouldn't it?
What about #22599?
Just some thoughts:
deny access to fileadmin/templates/*.(txt|ts) for securing typoscript files in default templates folder
deny access to *.sql directly beneath typo3conf (which can be imported using the install tool)
I'll agree with Steffen G., use robots.txt
I'll suggest
User-agent: *
Disallow: /typo3
Disallow: /typo3temp
Disallow: /typo3conf
Disallow: /t3lib
And +1 for Rens Admiraal's suggestion! :)
BUT this only works with TYPO3 being in the root folder of the document root. Nevertheless, I'm fine with adding a robots.txt with these rules to the introduction package and declare it as template (however, not comment the rules out).
+1 for the SQL thingy
Of course the robots.txt is the good choice for (trying) to prevent indexation, not .htaccess. I mixed up ideas here but anyway, we kept being tuned ;-)
A .htaccess rule for denying access to the _recycler_ folders would be cool. (If it works for all _recycler_ folders at all levels.)
This does the trick:
RewriteEngine on
RewriteRule _recycler_/ - [F]
Patch set 1 of change I94c09f50616af55cfdd9577097251692b2111ae7 has been pushed to the review server.
It is available at http://review.typo3.org/3462
Patch set 2 of change I94c09f50616af55cfdd9577097251692b2111ae7 has been pushed to the review server.
It is available at http://review.typo3.org/3462
- Status changed from New to Under Review
- Assignee set to Xavier Perseguers
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Change has been successfully cherry-picked as 5443c1bdd76848d9d638f8a536820b4c75c95ca2.
For completeness, configuration when using nginx instead of Apache is as follows:
server {
    # your config here

    ## Security settings
    ## - Restrict access to deleted files in Recycler directories
    ## - Restrict access to TypoScript files in default directories
    ## - Restrict access to Private extension directories
    location ~ /fileadmin/(.+/)?_recycler_/ { deny all; }
    location ~* /fileadmin/templates/.+\.(txt|ts)$ { deny all; }
    location ~ /typo3conf/ext/[^/]+/Resources/Private/ { deny all; }

    ## Default location
    location / {
        ...
- Status changed from Resolved to Closed
- Target version deleted (4.6.0-beta1)
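Added example, not part of the original ticket or of TYPO3's own code: a small Python check that runs the deny patterns quoted in this thread (the three nginx regex locations and the Apache RewriteRule for _recycler_) against sample request paths, to see what each rule set covers. The sample paths and the extension name "myext" are constructed for illustration; Python's re module stands in for the servers' regex engines, which behave the same for these patterns.

```python
import re

# Regex locations copied from the nginx comment above: (modifier, pattern).
# "~" matches case-sensitively, "~*" case-insensitively; nginx tries regex
# locations in configuration order and uses the first one that matches.
DENY_LOCATIONS = [
    ("~", r"/fileadmin/(.+/)?_recycler_/"),
    ("~*", r"/fileadmin/templates/.+\.(txt|ts)$"),
    ("~", r"/typo3conf/ext/[^/]+/Resources/Private/"),
]

# Apache rule from the thread: RewriteRule _recycler_/ - [F]
# The pattern is unanchored, so it matches the folder at any depth.
APACHE_RECYCLER = re.compile(r"_recycler_/")

def nginx_denies(path):
    """Return the first deny pattern that matches the URI path, else None."""
    for modifier, pattern in DENY_LOCATIONS:
        flags = re.IGNORECASE if modifier == "~*" else 0
        if re.search(pattern, path, flags):
            return pattern
    return None

def apache_denies(path):
    """True if the thread's RewriteRule would answer 403 for this path."""
    # In .htaccess context the leading slash is stripped before matching.
    return APACHE_RECYCLER.search(path.lstrip("/")) is not None

# Constructed sample paths (the extension name "myext" is hypothetical).
SAMPLES = [
    "/fileadmin/_recycler_/old.pdf",
    "/fileadmin/user_upload/2011/_recycler_/draft.doc",
    "/uploads/_recycler_/draft.doc",
    "/fileadmin/templates/setup.ts",
    "/fileadmin/templates/ts/CONSTANTS.TXT",
    "/fileadmin/templates/main.html",
    "/typo3conf/ext/myext/Resources/Private/Templates/List.html",
    "/typo3conf/ext/myext/Resources/Public/Css/site.css",
]

def audit(paths=SAMPLES):
    """Map each path to (denied by nginx rules, denied by Apache rule)."""
    return {p: (nginx_denies(p) is not None, apache_denies(p)) for p in paths}

if __name__ == "__main__":
    for path, (ngx, apa) in audit().items():
        print(f"{path:60} nginx={'deny' if ngx else 'pass'} apache={'deny' if apa else 'pass'}")
```

The output shows that the nginx recycler rule is scoped to /fileadmin/ while the Apache RewriteRule matches a _recycler_ folder anywhere, and that .html templates under /fileadmin/templates are not covered by either snippet.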