May 21, 2020

TYPO3 HTTP Referer Settings

A TYPO3 update can lead to an endless loop when the HTTP referrer is not set correctly. How to fix the issue in your installation.

The TYPO3 10.4.2 and 9.5.17 updates contain some security-related changes. These can cause trouble in some environments, depending on the value of the HTTP referrer, especially because there is currently no proper error message.

To close a security issue (https://typo3.org/security/advisory/typo3-core-sa-2020-006), the TYPO3 team introduced a check of the HTTP referrer field. It must now have a proper value, and this is enforced for all relevant pages.

If you try to open the backend, the login will not work, but an error message appears that points to the referrer field. If you open the Install Tool, however, you end up in an endless loop in the step "executing silent configuration update". Sadly, there is currently no error message for this case.

If you want to change this default behaviour, there are two ways to turn off the check.

You can add the following line to your AdditionalConfiguration.php, or add the option to your LocalConfiguration.php:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = false;

Alternatively, you can set this option in the Install Tool under Configuration. But be careful: if you deactivate the check, you may open up a security issue. You should only disable it in development environments or if you cannot fix your reverse proxy.
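
One way to keep the exception limited to development systems, as an added example that is not from the TYPO3 project or the original post: the check stays enforced by default and is switched off only when the application context is Development. It assumes that your development machines set the TYPO3_CONTEXT environment variable to Development (or a sub-context) and that production does not.

```php
<?php
// typo3conf/AdditionalConfiguration.php
// Added example: enforce the referrer check everywhere except in a
// Development application context.

use TYPO3\CMS\Core\Core\Environment;

// Default for every context: the backend referrer check stays enforced.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true;

// Assumption: only development machines run with TYPO3_CONTEXT=Development
// (sub-contexts such as Development/Local also match isDevelopment()).
if (Environment::getContext()->isDevelopment()) {
    $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = false;
}
```

Because AdditionalConfiguration.php is loaded after LocalConfiguration.php, this file decides the final value even if the option was changed through the Install Tool.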
