PHPackages                             causal/fal-protect - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. causal/fal-protect

ActiveTypo3-cms-extension[Security](/categories/security)

causal/fal-protect
==================

Protect everything within /fileadmin/ based on associated folder and file restrictions (visibility, user groups and dates of publication).

1.7.3(2mo ago)1277.1k↓22.6%13[5 issues](https://github.com/xperseguers/t3ext-fal-protect/issues)[1 PRs](https://github.com/xperseguers/t3ext-fal-protect/pulls)GPL-2.0-or-laterPHPPHP &gt;=7.4.1 &lt;=7.4.99 || &gt;=8.0.0 &lt;=8.5.99

Since Oct 30Pushed 2mo ago2 watchersCompare

[ Source](https://github.com/xperseguers/t3ext-fal-protect)[ Packagist](https://packagist.org/packages/causal/fal-protect)[ Fund](https://www.paypal.me/xperseguers/10)[ GitHub Sponsors](https://github.com/xperseguers)[ RSS](/packages/causal-fal-protect/feed)WikiDiscussions main Synced 2d ago

READMEChangelogDependencies (3)Versions (28)Used By (0)

FAL Protect
===========

[](#fal-protect)

This extension protects everything within `/fileadmin/` or other relative storages based on associated folder and file restrictions (visibility, user groups and dates of publication):

[![Protecting a folder and a few individual files](https://raw.githubusercontent.com/xperseguers/t3ext-fal-protect/main/Documentation/Images/overview.png "Protecting a folder and a few individual files")](https://raw.githubusercontent.com/xperseguers/t3ext-fal-protect/main/Documentation/Images/overview.png)

Unlike other similar extensions securing the File Abstraction Layer (FAL) of TYPO3, this extension aims at making it straightforward to block direct access to your sensitive assets.

No need to configure anything, just install and enable as usual, block direct access at the server level (Apache/Nginx see below) and... that's it!

Our motto? [KISS](https://en.wikipedia.org/wiki/KISS_principle)!

Installation (Apache)
---------------------

[](#installation-apache)

Edit file `.htaccess` to read:

```
RewriteCond %{REQUEST_URI} !/fileadmin/_processed_/.*$
RewriteRule ^fileadmin/.*$ %{ENV:CWD}index.php [QSA,L]

```

**BEWARE:** Be sure to add this rule before any other related rule.

Installation (Nginx)
--------------------

[](#installation-nginx)

Edit your `server` block to read:

```
location / {
    rewrite ^/fileadmin/(?!(_processed_/)) /index.php last;

    # snip
}

```

or, if that better fits your setup, like that:

```
location ~ /fileadmin/(?!(_processed_/)) {
    rewrite ^(.+)$ /index.php last;
}

```

Why 404 instead of 403 by default?
----------------------------------

[](#why-404-instead-of-403-by-default)

In case you try to access a restricted file and do not have the right to do so, the logical HTTP status code to use *should be* either a `403 Forbidden` (or possibly a `401 Unauthorized`) but by doing so, you make it clear for a malicious user that the resource exists but is not accessible.

We prefer, by default, to issue a `404 Not Found` but you can freely choose to issue a `403 Forbidden` in the extension settings. This is particularly useful if you plan to redirect to a login page when a user tries to access a restricted resource.

Complete documentation
----------------------

[](#complete-documentation)

A more complete documentation can be found on .

###  Health Score

59

—

FairBetter than 98% of packages

Maintenance76

Regular maintenance activity

Popularity41

Moderate usage in the ecosystem

Community20

Small or concentrated contributor base

Maturity82

Battle-tested with a long release history

 Bus Factor1

Top contributor holds 89.4% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~90 days

Recently: every ~108 days

Total

23

Last Release

86d ago

Major Versions

0.3.0 → 1.0.02020-11-09

PHP version history (7 changes)0.1.0PHP &gt;= 7.2.0, &lt;= 7.4.99

1.3.0PHP &gt;=7.2.0 &lt;=7.4.99 || &gt;=8.0.0 &lt;=8.1.99

1.4.0PHP &gt;=7.2.0 &lt;=7.4.99 || &gt;=8.0.0 &lt;=8.2.99

1.5.2PHP &gt;=7.2.0 &lt;=7.4.99 || &gt;=8.0.0 &lt;=8.3.99

1.6.2PHP &gt;=7.2.0 &lt;=7.4.99 || &gt;=8.0.0 &lt;=8.4.99

1.7.0PHP &gt;=7.4.1 &lt;=7.4.99 || &gt;=8.0.0 &lt;=8.4.99

1.7.1PHP &gt;=7.4.1 &lt;=7.4.99 || &gt;=8.0.0 &lt;=8.5.99

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/646805?v=4)[Xavier Perseguers](/maintainers/xperseguers)[@xperseguers](https://github.com/xperseguers)

---

Top Contributors

[![xperseguers](https://avatars.githubusercontent.com/u/646805?v=4)](https://github.com/xperseguers "xperseguers (177 commits)")[![lochmueller](https://avatars.githubusercontent.com/u/3907126?v=4)](https://github.com/lochmueller "lochmueller (9 commits)")[![Nimmermaer](https://avatars.githubusercontent.com/u/4773406?v=4)](https://github.com/Nimmermaer "Nimmermaer (3 commits)")[![cdaecke](https://avatars.githubusercontent.com/u/2102444?v=4)](https://github.com/cdaecke "cdaecke (2 commits)")[![marble](https://avatars.githubusercontent.com/u/307057?v=4)](https://github.com/marble "marble (2 commits)")[![mschwemer](https://avatars.githubusercontent.com/u/103594?v=4)](https://github.com/mschwemer "mschwemer (1 commits)")[![nigelmann](https://avatars.githubusercontent.com/u/10863442?v=4)](https://github.com/nigelmann "nigelmann (1 commits)")[![fsaris](https://avatars.githubusercontent.com/u/4019341?v=4)](https://github.com/fsaris "fsaris (1 commits)")[![stephanlucas](https://avatars.githubusercontent.com/u/5538340?v=4)](https://github.com/stephanlucas "stephanlucas (1 commits)")[![dahaupt](https://avatars.githubusercontent.com/u/15915048?v=4)](https://github.com/dahaupt "dahaupt (1 commits)")

---

Tags

securityfilessecureTYPO3 CMSprotectionfaldirectories

### Embed Badge

![Health badge](/badges/causal-fal-protect/health.svg)

```
[![Health](https://phpackages.com/badges/causal-fal-protect/health.svg)](https://phpackages.com/packages/causal-fal-protect)
```

###  Alternatives

[phpmussel/phpmussel

PHP-based anti-virus anti-trojan anti-malware solution.

429236.8k1](/packages/phpmussel-phpmussel)[in2code/in2publish_core

Content publishing extension to connect stage and production server

40143.4k](/packages/in2code-in2publish-core)[causal/image_autoresize

Simplify the way your editors may upload their images: no complex local procedure needed, let TYPO3 automatically resize down their huge images/pictures on-the-fly during upload (or using a command for batch processing) and according to your own business rules (directory/groups). This will highly reduce the footprint on your server and speed-up response time if lots of images are rendered (e.g., in a gallery). Features an EXIF/IPTC extractor to ensure metadata may be used by the FAL indexer even if not preserved upon resizing.

19491.0k](/packages/causal-image-autoresize)[leuchtfeuer/secure-downloads

"Secure Download": Apply TYPO3 access rights to ALL file assets (PDFs, TGZs or JPGs etc. - configurable) - protect them from direct access.

23255.5k1](/packages/leuchtfeuer-secure-downloads)[derhansen/form_crshield

Challenge/response spambot protection for ext:form - Challenge/response spambot protection for TYPO3 ext:form - Adds a hidden input field containing a challenge string to forms. Client must execute included JavaScript to calculate the expected response.

20241.7k10](/packages/derhansen-form-crshield)[causal/extractor

This extension detects and extracts metadata (EXIF / IPTC / XMP / ...) from potentially thousand different file types (such as MS Word/Powerpoint/Excel documents, PDF and images) and bring them automatically and natively to TYPO3 when uploading assets. Works with built-in PHP functions but takes advantage of Apache Tika and other external tools for enhanced metadata extraction.

16261.9k](/packages/causal-extractor)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
