TYPO3 security audit

Last modified: 2022-03-22

Warning and hacker risks for website operators

With the strict requirements of the General Data Protection Regulation (GDPR) and the associated potential warnings from consumer protection and data protection authorities, financial and legal risks are growing in organisations.

An important part of the GDPR - and unfortunately the main cause of potential trouble - is the consent requirement for sharing personal data of website visitors. It covers much more than just tracking cookies from googleAnalytics. According to the GDPR, the IP address of the website visitor is part of the personal data. However, this address is mandatory in order to communicate with another system. Specifically, this means:

Any access within a website to a server other than the web server requires consent.

Apart from the notorious tracking tools, this concerns e.g.:

the integration of fonts from external servers
the integration of external maps (e.g. GoogleMaps)
embedding external videos (even without cookies!)
embedding social media contributions (not to be confused with mere linking)
Embedding of external content via an iframe (weather, real estate offers, etc.)
Lead tracking with Google Ads
the use of Content Delivery Networks (CDNs) to accelerate websites
the integration of external CAPTCHA functions as SPAM protection
the use of external JavaScript and CSS resources (also for performance reasons)
etc.

Particularly piquant: According to this definition, the use of an external cookie banner tool also requires prior consent, which seems to be the "cat bites the tail".

Note on masking IP addresses

The much-cited masking of IP addresses (e.g. by "fixing" the last two numbers in log files: 88.57.x.x) is, strictly speaking, a "fake protection". The target server must know the complete address. Masking or complete deletion only serves to protect against misuse by unauthorised persons later on. In any case, it is not enough for the operator of an external service to assure that the IP addresses are masked.

The safety audit for risk minimisation

For most website operators, it is very difficult to find out whether their website and the associated processes are data protection compliant.

We therefore recommend having regular audits carried out. Regularly because even careless editorial changes can result in violations of the rules. The direct embedding of a YouTube video is an example of this.

With our offer "Security Audit for TYPO3 Websites", we would like to help you not only to comply with the legal regulations, but also to ensure that possible security gaps are closed as quickly as possible.

Our service

Costs*

TYPO3 Security Audit

backend audit (versions, TYPO3 settings, potential security risks, data minimization, etc.)
frontend testing (correct cookie usage, use of external resources, jQuery versions, usability specifications, etc.)
preparation of audit document
final consultation

Effort: approx. 12 Hrs.

Non-profit organisations:
with SLA: 12 * 79,00 € = 948,00 €
without SLA: 12 * 89,00 € = 1.068,00 €

Company:
with SLA: 12 * 89,00 € = 1.068,00 €
without SLA: 12 * 99,00 € = 1.188,00 €

* all prices are exclusive of VAT.

TYPO3 Security Audit

Costs*

Effort: approx. 12 Hrs.

Non-profit organisations:
with SLA: 12 * 89,00 € = 1.068,00 €
without SLA: 12 * 89,00 € = 1.068,00 €

Company:
with SLA: 12 * 99,00 € = 1.188,00 €
without SLA: 12 * 99,00 € = 1.188,00 €

* all prices are exclusive of VAT.

backend audit (versions, TYPO3 settings, potential security risks, data minimization, etc.)
frontend testing (correct cookie usage, use of external resources, jQuery versions, usability specifications, etc.)
preparation of audit document
final consultation

TYPO3 security audit

Warning and hacker risks for website operators

The safety audit for risk minimisation

More information on this topic

WACON Internet GmbH

5.0

Provider:	TYPO3
Cookiename:	fe_typo_user, PHPSESSID
Runtime:	1

Provider:	Youtube.com
Cookiename:	CONSENT
Runtime:	30
Privacy source url:	https://policies.google.com/privacy
Host:	Google.com