Web application firewall - EXT:firewall (Sascha Egerer)

Idea Title
Web application firewall - EXT:firewall

What is my idea about?
Times are tough. Websites are increasingly becoming the target of attackers — whether through automated bots or individuals. Classic attack vectors such as SQL injections, XSS, or brute force attempts are still widely used, and although there are already solutions to mitigate them, these often require access to the server infrastructure (e.g., fail2ban) or rely on external services like CDN-based WAFs. Both approaches are often too complex, too expensive, or simply not feasible in managed hosting environments where developers have little control over the server setup.

This is where EXT:firewall comes into play. The idea is to bring a firewall concept directly into the TYPO3 application layer. Instead of depending on external infrastructure, the extension should allow TYPO3 to evaluate requests at a very early stage and decide whether they are valid or potentially malicious. This is done through a modular rule-based system: each rule can increase an “attack score” or whitelist requests. If a certain score threshold is exceeded, the request can be blocked immediately, logged, or handled in another flexible way. The concept is inspired by existing projects such as antonioribeiro/firewall for Laravel, but tailored to the needs and ecosystem of TYPO3. None of the available solutions fit TYPO3 directly, and having a native TYPO3 extension will significantly improve accessibility and adoption.

To make the approach even more sustainable, the core framework could be implemented as a standalone Composer package without a direct dependency on TYPO3. This would allow the project to be used in other PHP ecosystems as well. TYPO3 would then simply consume the package through EXT:firewall. This approach has two major benefits:
* Contributions and improvements from other projects and communities can flow back into the package.
* The TYPO3 ecosystem benefits from shared knowledge and tested security mechanisms, while still offering TYPO3-specific integration.
The architecture of EXT:firewall will be modular and performant:
* Handlers perform synchronous checks during a request. They must be highly efficient and can block or allow requests immediately.
* RequestProcessors run asynchronously to evaluate requests, assign “evil points,” and store them in a database.
* Analyzers then aggregate and evaluate request history from the database. If thresholds are exceeded, they trigger blocking measures.
* BlockAdapters are responsible for enforcing blocks. These could range from simple TYPO3-based denials to writing .htaccess rewrite rules or storing IP patterns in Redis for ultra-fast handling on subsequent requests.
This structure makes EXT:firewall both flexible and extensible, allowing developers and integrators to add custom rules and adapters to match their security needs.
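The score-and-threshold flow of the synchronous Handler stage, as an added example that is not EXT:firewall's own code (the names ScoringRule, IpAllowListRule, SuspiciousParameterRule and FirewallGate are hypothetical): a whitelist rule short-circuits to allow, every other rule adds attack points, and the gate blocks as soon as the configured threshold is reached so the handler stays cheap on hostile traffic.

```php
<?php
// Added illustration only; class names are hypothetical, not EXT:firewall's API.
interface ScoringRule
{
    public function score(array $request): int;  // attack points this rule adds
    public function allow(array $request): bool; // true whitelists the request outright
}
final class IpAllowListRule implements ScoringRule
{
    public function __construct(private array $trustedIps) {}
    public function score(array $request): int { return 0; }
    public function allow(array $request): bool { return in_array($request['ip'], $this->trustedIps, true); }
}
final class SuspiciousParameterRule implements ScoringRule
{
    // Constructed marker patterns for the demo; a real rule set would be configurable.
    private const PATTERNS = ['/union\s+select/i', '/<script\b/i', '/\.\.\//'];
    public function score(array $request): int
    {
        $score = 0;
        foreach ($request['query'] as $value) {
            foreach (self::PATTERNS as $pattern) {
                if (preg_match($pattern, (string)$value) === 1) { $score += 10; }
            }
        }
        return $score;
    }
    public function allow(array $request): bool { return false; }
}
final class FirewallGate
{
    /** @param ScoringRule[] $rules Rules run in order; whitelist rules belong first. */
    public function __construct(private array $rules, private int $threshold) {}
    /** Returns [decision, score]; decision is 'allow', 'block' or 'pass'. */
    public function evaluate(array $request): array
    {
        $total = 0;
        foreach ($this->rules as $rule) {
            if ($rule->allow($request)) { return ['allow', $total]; }
            $total += $rule->score($request);
            if ($total >= $this->threshold) { return ['block', $total]; } // stop early, keep handler cheap
        }
        return ['pass', $total];
    }
}
$gate = new FirewallGate([new IpAllowListRule(['10.0.0.5']), new SuspiciousParameterRule()], 10);
// Constructed sample requests: the same query value from an untrusted and from a trusted source.
var_dump($gate->evaluate(['ip' => '203.0.113.9', 'query' => ['id' => '1 UNION SELECT 1']]));
var_dump($gate->evaluate(['ip' => '10.0.0.5', 'query' => ['id' => '1 UNION SELECT 1']]));
```

The asynchronous RequestProcessor and Analyzer stages would consume the returned score rather than the decision, storing it per client and letting the Analyzer apply its own aggregate threshold over the stored history.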

What do I want to achieve by the end of Q4 2025?
Deliver a first stable version of EXT:firewall that provides the framework for registering validation rules, processors, and block adapters. The extension should already include:
* A set of basic rules (e.g., simple IP blacklisting, request rate limiting, and suspicious parameter checks).
* Core Handlers for synchronous checks.
* A minimal but extendable RequestProcessor and Analyzer workflow.
* At least one BlockAdapter (e.g., a MySQL database stored blocker).
Some of the more advanced ideas (e.g., .htaccess writers or Redis-based blocking) will be defined as feature ideas and documented for future iterations but may not be fully implemented within the initial budget. The standalone Composer package could already be prepared as part of the first iteration, so that the TYPO3-specific extension simply integrates it.

What is the potential impact of your idea for the overall goal?
The impact of this project is straightforward yet significant: TYPO3 websites using EXT:firewall will be less vulnerable to malicious requests, as harmful traffic is filtered and stopped before it can harm the application. This makes TYPO3 more robust, especially in environments where integrators cannot install or configure advanced server-based security tools. With EXT:firewall, TYPO3 will gain an application-level firewall that can run out of the box and be tailored to specific needs through a modular architecture. The potential reach is very high:
* Agencies and freelancers can secure TYPO3 sites without additional infrastructure.
* The TYPO3 ecosystem as a whole benefits from an accessible, community-driven WAF concept, which strengthens TYPO3’s position as a secure CMS.
With the Composer package approach, the project may also attract contributions from developers outside TYPO3, creating a broader security ecosystem around the package. TYPO3 would then not only benefit from this shared development but also position itself as a driver of open-source security in the PHP community.

How does your idea align with the strategic goals for TYPO3 v14?
Security should be the foundation of all goals.

Which budget do we need for this idea?
10000 Euro

My Name
Sascha Egerer
