The implementation of SSL certificates requires a number of manual steps to be carried out and is slightly different in each CMS. In this article, we provide a step-by-step explanation of how to implement the changeover in TYPO3 without problems.
TYPO3 is one of the most widely-used content management systems in Europe. It is also the most secure open-source CMS. In order to provide even more protection against hacking attacks and to conform to the European regulations on data protection (GDPR), connections to your pages should also be secured using HTTPS.
Connections encrypted via HTTPS provide additional advantages:
Secure transactions: personal details are encrypted for transmission
Protection of customer data
PCI compliance: data is protected against theft
The browser address bar displays the site as trusted
With the right approach, changing the system to HTTPS can be done quickly. Naturally, the foundation is laid with the acquisition of the most suitable SSL certificate, which can be purchased from your hoster. Should you wish to purchase an SSL certificate from a provider that is not hosting your domains, the IP address (A record) must be changed. You can get more information about SSL certificates and the different security levels here.
If multiple domains point to the main domain, be sure to set up 301 redirects to the respective HTTPS domain, otherwise duplicate content is created.
Before we get to the real nitty-gritty in the TYPO3 backend, the SSL certificate must first be installed for the domain.
To begin with, the necessary changes must be made on the frontend in TYPO3:
Change the TypoScript templates
The first step is to change the URL entries in the TypoScript templates from HTTP to HTTPS. So that all URLs in the frontend are changed to the HTTPS domain, the baseURL or absRefPrefix must be changed.
Depending on the TYPO3 version, the code could look like this:
From TYPO3 version 9 onwards, the transition is carried out via the Site Manager, where you need to check whether the main domain is configured with “https” at Entry Point.
Subsequently, newly created subpages should automatically be redirected to the encrypted version.
Ensure all domains point to HTTPS
In this step, you should clear the browser cache and reload the website in order to check that HTTPS is showing. The transition was successful if HTTPS is automatically displayed, even without explicitly typing it.
The .htaccess file in the root directory must also be configured by adding the following code:
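As an added example (not the article's original listing), one common mod_rewrite rule set that sends both plain-HTTP requests and alias domains to the HTTPS main domain with a single 301. It assumes mod_rewrite is enabled and TLS terminates at Apache itself; www.example.com is a placeholder for your main domain.

```apache
# Added example: force HTTPS and one canonical host from .htaccess.
# Assumptions: mod_rewrite is enabled, TLS terminates at Apache itself,
# and www.example.com is a placeholder for your main domain.
# Place this block above the CMS's own rewrite rules so it is evaluated first.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect when the request arrived over plain HTTP ...
    RewriteCond %{HTTPS} !=on [OR]
    # ... or when it arrived on an alias domain instead of the main domain.
    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    # One hop straight to the HTTPS main domain; path and query string are kept.
    # R=301 is written out because a bare [R] sends a temporary 302.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

    # Caveat: behind a TLS-terminating proxy or load balancer, %{HTTPS}
    # stays "off" for every request and this rule would redirect in a loop.
</IfModule>
```

After deploying, request each alias domain over http:// and confirm that the first response is a 301 whose Location header is the HTTPS main domain.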