
Improving Security

Using Defbu Authenticator

On a small website (not this one), I registered about 1500 calls of the Typo3 login page per week. That is about 1490 too many, probably caused by people trying to break in. It helps to avoid user names like admin, and it also helps that Typo3 takes some seconds to confirm a login, but two-factor authentication (2FA) helps more. At the time of this writing, there is not much choice for using 2FA with Typo3 version 10.
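To see where such a number comes from, here is an added example (not code from the post or from Typo3) that counts requests to the backend login in an Apache access log and lists the clients responsible. The log lines are constructed, and the backend path is assumed to be the default /typo3/.

```python
"""Count hits on the Typo3 backend login in an Apache access log and flag the
noisiest clients. Added illustration: the log lines below are constructed and
the backend entry point is assumed to be the default /typo3/ path."""
import re
from collections import Counter

# Apache "combined" log format, up to and including the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
BACKEND_PREFIX = "/typo3/"  # assumption: default backend path

# Constructed sample: one client hammering the login, one normal editor login,
# one front-end request that must not be counted.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:02:14:01 +0100] "GET /typo3/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:02:14:03 +0100] "POST /typo3/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:02:14:09 +0100] "POST /typo3/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:08:30:45 +0100] "GET /typo3/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:08:30:52 +0100] "POST /typo3/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2021:09:01:10 +0100] "GET /index.php?id=1 HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
"""


def backend_hits(log_text, prefix=BACKEND_PREFIX):
    """Return a Counter of client IP -> number of requests under the backend path."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and match.group("path").startswith(prefix):
            hits[match.group("ip")] += 1
    return hits


def noisy_clients(hits, threshold):
    """IPs with at least `threshold` backend requests, busiest first."""
    return [ip for ip, count in hits.most_common() if count >= threshold]


if __name__ == "__main__":
    counts = backend_hits(SAMPLE_LOG)
    print("backend requests in total:", sum(counts.values()))
    for ip in noisy_clients(counts, threshold=3):
        print("noisy client:", ip, counts[ip])
```

On a real server, feed it the week's access log and set the threshold to what a legitimate editor could plausibly produce; the total is the figure to compare with the number of real logins you expect.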

So I chose defbu authenticator. This extension comes with exactly zero lines of documentation. It works like this: you need Google Authenticator on your smartphone. Once the extension is installed, admin users find the authenticator logo at the bottom of the System section of the backend module menu. Go there, click Activate, scan the QR code, and you are done.

If other users (editors) are to enable 2FA on their own, there is more work to do. Go to Backend users, edit each user, open the Access tab, and grant access to the defbu authenticator module. You have to do this per user, not per user group.

If your smartphone breaks and you have not backed up your 2FA data, you are in trouble. If you still have phpMyAdmin access to your website's database, you can reset 2FA by changing the contents of the be_users table. The last two columns contain the 2FA enablement state and the secret key (which also means that anyone with write access to that table can switch 2FA off, so keep the database credentials as safe as the admin password). This should be enough insurance to get started now.

Addendum

I have read that Typo3 11 will feature several advanced login features, so 2FA will probably soon come out of the box.

Adopting CSP

You should check the Mozilla Observatory for your domain and try to get an 'A'. A 'B+' is easily achievable with Typo3. The normal way to improve your rating on a site running on Apache is to edit the .htaccess file. I added the following lines to an <IfModule mod_headers.c> section:

  # willadt hardening
  Header always set Strict-Transport-Security "max-age=31536000; \
    includeSubDomains; preload"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set Content-Security-Policy "default-src https: ; \
    object-src 'none' ; img-src 'self' data: ; \
    base-uri 'self'; frame-ancestors 'self' ; \
    style-src 'self' 'unsafe-inline' ; \
    script-src 'self' 'unsafe-eval' 'unsafe-inline' ; \
    form-action 'self' ; \
    font-src 'self' fonts.gstatic.com; "

If your hosting provider does not offer mod_headers, you can use TypoScript for the same result. I added the following lines to the setup section of my template:

config.additionalHeaders {
  10 {
    header = X-Content-Type-Options: nosniff
    # replace previous headers with the same name?
    replace = 1
  }
  20 {
    header = X-Frame-Options: SAMEORIGIN
    replace = 1
  }
  30 {
    header = X-XSS-Protection: 1; mode=block
    replace = 1
  }
  40 {
    header = Content-Security-Policy: default-src https: ; object-src 'none' ; img-src 'self' data: ; base-uri 'self'; frame-ancestors 'self' ; style-src 'self' 'unsafe-inline' ; script-src 'self' 'unsafe-eval' 'unsafe-inline' ; form-action 'self' ; font-src 'self' fonts.gstatic.com;
    replace = 1
  }
  50 {
    header = Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  }
}

Unfortunately, you cannot split the CSP line across several lines here the way you can in .htaccess. Oh, before I forget: you have to check your site afterwards; perhaps you have to loosen the CSP restrictions.

By the way, my strategy for getting the correct settings is:

  1. Consult the Mozilla Observatory.
  2. Implement its recommendations, unless they have been ruled out.
  3. Open your browser's development console.
  4. Check your site. Watch the development console.
  5. Loosen restrictions if anything does not work. Rule out the recommendations that cause trouble.
  6. Go to step 1.
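As an added example (not code from the post, from Typo3 or from any extension), here is a small Python tool that covers both the header configuration above and the loosening step of this procedure: it parses the CSP value used in the .htaccess and TypoScript snippets, lists the points a reviewer or the Observatory would hold against it, and then widens the policy from browser violation reports instead of by hand. The lint rules, the violation reports and the example.org / example.net hosts are this example's own constructions; receiving such reports needs a report-uri or report-to directive, which the policy above does not yet set.

```python
"""Parse a Content-Security-Policy value, lint it, and widen it from browser
violation reports. Added illustration: the policy string is the one from the
.htaccess and TypoScript snippets, the reports are constructed samples."""
from urllib.parse import urlsplit

# Policy copied from the snippets above, with the line continuations joined.
SITE_CSP = (
    "default-src https: ; object-src 'none' ; img-src 'self' data: ; "
    "base-uri 'self'; frame-ancestors 'self' ; style-src 'self' 'unsafe-inline' ; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' ; form-action 'self' ; "
    "font-src 'self' fonts.gstatic.com;"
)

# Constructed samples of the JSON bodies a browser POSTs to a report-uri endpoint.
# The last one is what you see once 'unsafe-inline' is removed from script-src.
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://www.example.org/",
                    "effective-directive": "font-src",
                    "violated-directive": "font-src 'self' fonts.gstatic.com",
                    "blocked-uri": "https://fonts.example.net/open-sans.woff2"}},
    {"csp-report": {"document-uri": "https://www.example.org/",
                    "effective-directive": "connect-src",
                    "violated-directive": "default-src https:",
                    "blocked-uri": "wss://chat.example.org/socket"}},
    {"csp-report": {"document-uri": "https://www.example.org/",
                    "effective-directive": "script-src",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "inline"}},
]


def parse_csp(value):
    """Split a CSP value into {directive: [source expressions]}. Directives are
    ';'-separated, tokens whitespace-separated, names case-insensitive; browsers
    ignore a repeated directive, so the first occurrence wins."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp: a single line usable as the header value."""
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def lint_csp(policy):
    """Findings a reviewer would raise. The checks are this example's own and
    follow the usual CSP guidance, not the Observatory's exact scoring rules."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    script = policy.get("script-src", policy.get("default-src", []))
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in script:
            findings.append(f"script-src allows {keyword}")
    if "'unsafe-inline'" in policy.get("style-src", []):
        findings.append("style-src allows 'unsafe-inline'")
    for name in ("default-src", "script-src"):
        for src in policy.get(name, []):
            if src in ("*", "http:", "https:", "data:"):
                findings.append(f"{name} allows any {src} origin")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not restricted (plugins allowed)")
    return findings


def widen_from_reports(policy, reports):
    """Add the smallest source expression that would have allowed each reported
    resource. Inline/eval violations come back as to-do items instead: the fix
    there is to move the code out of the page, not to add 'unsafe-*'."""
    new_policy = {name: list(sources) for name, sources in policy.items()}
    todo = []
    for report in reports:
        body = report["csp-report"]
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        blocked = body["blocked-uri"]
        if blocked in ("inline", "eval", "data", ""):
            todo.append(f"{directive}: {blocked or 'unknown'} resource on {body['document-uri']}")
            continue
        url = urlsplit(blocked)
        origin = f"{url.scheme}://{url.netloc}"
        # A directive that was only covered by default-src starts from that
        # fallback, so adding the new origin does not silently drop 'self'.
        sources = new_policy.setdefault(directive, list(policy.get("default-src", [])))
        if origin not in sources:
            sources.append(origin)
    return new_policy, todo


if __name__ == "__main__":
    policy = parse_csp(SITE_CSP)
    for finding in lint_csp(policy):
        print("finding:", finding)
    widened, todo = widen_from_reports(policy, SAMPLE_REPORTS)
    print("new policy:", serialize_csp(widened))
    for item in todo:
        print("fix the page, not the policy:", item)
```

Run as a script it prints four findings for the policy above; the 'unsafe-inline' and 'unsafe-eval' keywords in script-src are the usual reason a policy like this does not score higher. The widened policy gains exactly the origins the reports named, while the inline violation is left for the page to fix, which is the direction to take when aiming for the 'A'.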