PHPackages                             causal/fal-protect - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. causal/fal-protect

ActiveTypo3-cms-extension[Security](/categories/security)

causal/fal-protect
==================

Protect everything within /fileadmin/ based on associated folder and file restrictions (visibility, user groups and dates of publication).

1.7.2(1mo ago)1269.5k↑70.7%11[4 issues](https://github.com/xperseguers/t3ext-fal-protect/issues)GPL-2.0-or-laterPHPPHP >=7.4.1 <=7.4.99 || >=8.0.0 <=8.5.99

Since Oct 30Pushed 1mo ago2 watchersCompare

[ Source](https://github.com/xperseguers/t3ext-fal-protect)[ Packagist](https://packagist.org/packages/causal/fal-protect)[ Fund](https://www.paypal.me/xperseguers/10)[ GitHub Sponsors](https://github.com/xperseguers)[ RSS](/packages/causal-fal-protect/feed)WikiDiscussions main Synced 1mo ago

READMEChangelogDependencies (2)Versions (27)Used By (0)

FAL Protect
===========

[](#fal-protect)

This extension protects everything within `/fileadmin/` or other relative storages based on associated folder and file restrictions (visibility, user groups and dates of publication):

[![Protecting a folder and a few individual files](https://raw.githubusercontent.com/xperseguers/t3ext-fal-protect/main/Documentation/Images/overview.png "Protecting a folder and a few individual files")](https://raw.githubusercontent.com/xperseguers/t3ext-fal-protect/main/Documentation/Images/overview.png)

Unlike other similar extensions securing the File Abstraction Layer (FAL) of TYPO3, this extension aims at making it straightforward to block direct access to your sensitive assets.

No need to configure anything, just install and enable as usual, block direct access at the server level (Apache/Nginx see below) and... that's it!

Our motto? [KISS](https://en.wikipedia.org/wiki/KISS_principle)!

Installation (Apache)
---------------------

[](#installation-apache)

Edit file `.htaccess` to read:

```
RewriteCond %{REQUEST_URI} !/fileadmin/_processed_/.*$
RewriteRule ^fileadmin/.*$ %{ENV:CWD}index.php [QSA,L]

```

**BEWARE:** Be sure to add this rule before any other related rule.

Installation (Nginx)
--------------------

[](#installation-nginx)

Edit your `server` block to read:

```
location / {
    rewrite ^/fileadmin/(?!(_processed_/)) /index.php last;

    # snip
}

```

or, if that better fits your setup, like that:

```
location ~ /fileadmin/(?!(_processed_/)) {
    rewrite ^(.+)$ /index.php last;
}

```

Why 404 instead of 403 by default?
----------------------------------

[](#why-404-instead-of-403-by-default)

In case you try to access a restricted file and do not have the right to do so, the logical HTTP status code to use *should be* either a `403 Forbidden` (or possibly a `401 Unauthorized`) but by doing so, you make it clear for a malicious user that the resource exists but is not accessible.

We prefer, by default, to issue a `404 Not Found` but you can freely choose to issue a `403 Forbidden` in the extension settings. This is particularly useful if you plan to redirect to a login page when a user tries to access a restricted resource.

Complete documentation
----------------------

[](#complete-documentation)

A more complete documentation can be found on .

###  Health Score

60

—

FairBetter than 99% of packages

Maintenance82

Actively maintained with recent releases

Popularity41

Moderate usage in the ecosystem

Community20

Small or concentrated contributor base

Maturity81

Battle-tested with a long release history

 Bus Factor1

Top contributor holds 89% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~93 days

Recently: every ~106 days

Total

22

Last Release

55d ago

Major Versions

0.3.0 → 1.0.02020-11-09

PHP version history (7 changes)0.1.0PHP >= 7.2.0, <= 7.4.99

1.3.0PHP >=7.2.0 <=7.4.99 || >=8.0.0 <=8.1.99

1.4.0PHP >=7.2.0 <=7.4.99 || >=8.0.0 <=8.2.99

1.5.2PHP >=7.2.0 <=7.4.99 || >=8.0.0 <=8.3.99

1.6.2PHP >=7.2.0 <=7.4.99 || >=8.0.0 <=8.4.99

1.7.0PHP >=7.4.1 <=7.4.99 || >=8.0.0 <=8.4.99

1.7.1PHP >=7.4.1 <=7.4.99 || >=8.0.0 <=8.5.99

### Community

Maintainers

![](https://www.gravatar.com/avatar/a04cce579abca57a056f0716f909fcf37ec60e227ee92cc4b58d18ee9aad62a2?d=identicon)[xperseguers](/maintainers/xperseguers)

---

Top Contributors

[![xperseguers](https://avatars.githubusercontent.com/u/646805?v=4)](https://github.com/xperseguers "xperseguers (170 commits)")[![lochmueller](https://avatars.githubusercontent.com/u/3907126?v=4)](https://github.com/lochmueller "lochmueller (9 commits)")[![Nimmermaer](https://avatars.githubusercontent.com/u/4773406?v=4)](https://github.com/Nimmermaer "Nimmermaer (3 commits)")[![cdaecke](https://avatars.githubusercontent.com/u/2102444?v=4)](https://github.com/cdaecke "cdaecke (2 commits)")[![marble](https://avatars.githubusercontent.com/u/307057?v=4)](https://github.com/marble "marble (2 commits)")[![mschwemer](https://avatars.githubusercontent.com/u/103594?v=4)](https://github.com/mschwemer "mschwemer (1 commits)")[![nigelmann](https://avatars.githubusercontent.com/u/10863442?v=4)](https://github.com/nigelmann "nigelmann (1 commits)")[![fsaris](https://avatars.githubusercontent.com/u/4019341?v=4)](https://github.com/fsaris "fsaris (1 commits)")[![stephanlucas](https://avatars.githubusercontent.com/u/5538340?v=4)](https://github.com/stephanlucas "stephanlucas (1 commits)")[![dahaupt](https://avatars.githubusercontent.com/u/15915048?v=4)](https://github.com/dahaupt "dahaupt (1 commits)")

---

Tags

securityfilessecureTYPO3 CMSprotectionfaldirectories

### Embed Badge

![Health badge](/badges/causal-fal-protect/health.svg)

```
[![Health](https://phpackages.com/badges/causal-fal-protect/health.svg)](https://phpackages.com/packages/causal-fal-protect)
```

###  Alternatives

[phpmussel/phpmussel

PHP-based anti-virus anti-trojan anti-malware solution.

431228.1k1](/packages/phpmussel-phpmussel)[leuchtfeuer/secure-downloads

"Secure Download": Apply TYPO3 access rights to ALL file assets (PDFs, TGZs or JPGs etc. - configurable) - protect them from direct access.

22234.7k1](/packages/leuchtfeuer-secure-downloads)[irfa/php-sn-generator

"Serial number generator for web aplication"

194.9k1](/packages/irfa-php-sn-generator)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)