Work Package #49943
Defining the TYPO3 Neos Security Policy
- Target Audience: everyone using Neos
- Responsible: Andreas Förthner, Helmut Hummel
- Implemented by: Andreas Förthner, Helmut Hummel
- Version: must have for 1.0
There are currently many vulnerabilities in the Neos backend. In order to provide a secure product, and to avoid security issues and the loss of user trust they would cause, we need to invest time in securing it.
In order to deliver a secure release, we need to fix the known security issues and test whether there are others.
- Policy for restricting access to controller actions
Not part of this work package:
- Content security for nodes (see #45010)
- Since editors have access to the html node type, we will not check for any XSS that editors themselves could introduce