Blog

The InterNetX Blog provides you with news and background information on innovations concerning domains, servers, SSL and other industry-related topics.

Switching TYPO3 to HTTPS

Implementing SSL in the content management system (CMS) TYPO3 smoothly and securely.


The implementation of SSL certificates requires a number of manual steps to be carried out and is slightly different in each CMS. In this article, we provide a step-by-step explanation of how to implement the changeover in TYPO3 without problems.
TYPO3 is one of the most widely-used content management systems in Europe. It is also the most secure open-source CMS. In order to provide even more protection against hacking attacks and to conform to the European regulations on data protection (GDPR), the connection of pages should also be secured using HTTPS.

Connections encrypted via HTTPS provide additional advantages:

  • Secure transactions: personal details are encrypted for transmission

  • Protection of customer data

  • PCI compliance: data is protected against theft

  • The browser bar displays as trusted

With the right approach, changing the system to HTTPS can be done quickly. Naturally, the foundation is laid with the acquisition of the most suitable SSL certificate, which can be purchased from your hoster. Should you wish to purchase an SSL certificate from a provider that is not hosting your domains, the IP (A-Record) must be changed. You can get more information about SSL certificates and the different security levels here.

If multiple domains point to the main domain, be sure to set up 301 redirects to the respective HTTPS domain, otherwise duplicate content is created.

Before we get to the real nitty-gritty in the TYPO3 backend, the SSL certificate must first be implemented to the domain.

To begin with, the necessary changes must be made on the frontend in TYPO3:

Change the TypoScript templates

The first step is to change the HTTP records in the TypoScript templates from HTTP to HTTPS. So that all URLs are changed to the HTTPS domain in the frontend, the baseURL or absRefPrefixe must be changed.

Depending on the TYPO3 version, the code could look like this:

This is the case, for example, for JavaScript or external resource templates (custom fonts, jQuery) as well as baseURL records. The relevant sections can easily be found and replaced in the source code e.g. with the link tag or an SRC JavaScript tag.

From TYPO3 version 9 onwards, the transition is carried out via the Site Manager, where you need to check whether the main domain is configured with “https” at Entry Point.

Subsequently, newly created subpages should automatically be redirected to the encrypted standard.

Ensure all domains point to HTTPS

In this step, you should delete the browser cache and reload the website in order to check that HTTPS is showing. The transition was successful if HTTPS is automatically displayed, even without explicitly typing it.

The .htaccess file in the root index must also be configured by adding the following code:

RewriteCond %{Server_Port} !^443$
RewriteCond %{HTTP_HOST} ^www\.Beispiel\.de$ [NC]
RewriteRule ^(.*)$ https://www.Beispiel.de/$1 [R=301,L]

Or the change to HTTPS must be enforced with:

RewriteEnginge On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

Change in TYPO3 backend

After this, the transition to SSL must be enforced in the TYPO3 backend. This step is often forgotten. However, it is required for a complete and orderly transition. In order to change the backend as well, the Install Tool under Settings  (www.xyz.com/typo3/install) must be opened. The change can then be carried out with All Configuration -> TYPO3_CONF_VARS -> [BE][lockSSL] = 2. We recommend checking the site again to make sure that the change is implemented.

If the transition was successful,  a little green padlock should now appear in the browser bar. If it is not and a yellow warning triangle is shown instead, this is likely due to resources that have not yet been encrypted. Check your source code again carefully and search for „http“. Changes to tracking software or fonts embedded via Google in external CSS files are easily forgotten.

You can use this checklist to make sure you have everything covered for the transition: