Security recommendations for Drupal websites
When we talk about security in Drupal it is fair to say that Drupal core is well maintained and secure by default, but a fresh installation still leaves several decisions to the site owner, and there are practices we can apply to improve site security.
The following list details some important security recommendations and best practices and how to apply them to a Drupal site.
SSL Certificate
Installing a valid TLS (SSL) certificate and serving the whole site over HTTPS protects everything in transit, not only the pages you consider sensitive: login credentials, session cookies and form tokens all travel over the same connection.
There is a free Certificate Authority provider that you can always use:
Security HTTP Headers
- HTTP Strict Transport Security: HSTS tells the browser to contact the host only over HTTPS for max-age seconds after it has seen the header once, so later plain-HTTP links are upgraded before the request leaves the browser.
- Referrer-Policy: Controls how much of the current URL is sent in the Referer header of outgoing requests. A strict policy protects user privacy and keeps paths and query strings (which may carry tokens) from leaking to third-party sites.
- X-Content-Type-Options: The X-Content-Type-Options header (value nosniff) stops the browser from guessing a response's content type. Without it, an uploaded file served as the wrong type can be interpreted as script, which leads to cross-site scripting (XSS).
- X-Frame-Options: The X-Frame-Options header (DENY or SAMEORIGIN) prevents the page from being loaded into an iframe on another site, which blocks clickjacking. The Content-Security-Policy frame-ancestors directive supersedes it in current browsers; sending both covers old and new ones.
- X-XSS-Protection: The X-XSS-Protection header told older browsers not to render a page where their built-in filter detected a reflected cross-site scripting (XSS) attack. That filter has since been removed from Chrome and Edge and never existed in Firefox, so the header is legacy; a Content-Security-Policy is the current browser-side defence against XSS.
To set up these headers from the Drupal administration UI you can use the Security Kit (seckit) contrib module:
https://www.drupal.org/project/seckit
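Whatever sets the headers, it is worth checking what the site actually sends. The script below is an added example, not part of the original article or of Security Kit: it parses a raw response header block and reports which of the headers listed above are missing or set to a weak value. The function names and the two sample responses are constructed for this example; to audit a real site, feed it the output of `curl -sI https://example.com`.

```php
<?php
/**
 * Added example (not from the original article, not part of Security Kit):
 * audit a raw HTTP response header block against the headers listed above.
 * The sample responses at the bottom are constructed for this example.
 */
declare(strict_types=1);

const ONE_YEAR = 31536000;

/** Parse "Name: value" lines into a lowercase-keyed map; repeats are comma-joined as HTTP allows. */
function parse_headers(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line ("HTTP/1.1 200 OK") or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $name = strtolower(trim($name));
        $value = trim($value);
        $headers[$name] = isset($headers[$name]) ? $headers[$name] . ', ' . $value : $value;
    }
    return $headers;
}

/** Return findings as strings; an empty array means every recommendation is met. */
function audit_security_headers(array $h): array
{
    $findings = [];

    // HSTS only helps once the browser has seen it over HTTPS, and only for max-age seconds.
    $hsts = $h['strict-transport-security'] ?? null;
    if ($hsts === null) {
        $findings[] = 'missing Strict-Transport-Security';
    } elseif (!preg_match('/max-age=(\d+)/i', $hsts, $m) || (int) $m[1] < ONE_YEAR) {
        $findings[] = 'Strict-Transport-Security max-age is below one year';
    } elseif (stripos($hsts, 'includesubdomains') === false) {
        $findings[] = 'Strict-Transport-Security does not cover subdomains (includeSubDomains)';
    }

    // Policies that never send the path and query string to another origin.
    $strict = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
    $rp = strtolower($h['referrer-policy'] ?? '');
    if ($rp === '') {
        $findings[] = 'missing Referrer-Policy';
    } elseif (!in_array($rp, $strict, true)) {
        $findings[] = "Referrer-Policy \"$rp\" can leak the full URL to other origins";
    }

    if (strtolower($h['x-content-type-options'] ?? '') !== 'nosniff') {
        $findings[] = 'missing X-Content-Type-Options: nosniff';
    }

    // Either the legacy header or the CSP directive that replaces it blocks framing.
    $xfo = strtoupper($h['x-frame-options'] ?? '');
    $csp = strtolower($h['content-security-policy'] ?? '');
    if (!in_array($xfo, ['DENY', 'SAMEORIGIN'], true) && strpos($csp, 'frame-ancestors') === false) {
        $findings[] = 'no clickjacking protection (X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors)';
    }

    // X-XSS-Protection is ignored by current browsers; if it is still sent, "1" without
    // mode=block left the old filter in "sanitize" mode, which was itself exploitable.
    $xss = preg_replace('/\s+/', '', strtolower($h['x-xss-protection'] ?? ''));
    if ($xss === '1') {
        $findings[] = 'X-XSS-Protection: 1 without mode=block; send "0" or "1; mode=block", or drop it';
    }

    return $findings;
}

// Constructed samples: an untouched site that also sends a stale X-XSS-Protection: 1, and a hardened one.
$samples = [
    'default' => "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
        . "X-Generator: Drupal 10 (https://www.drupal.org)\r\nX-XSS-Protection: 1\r\n",
    'hardened' => "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
        . "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
        . "Referrer-Policy: strict-origin-when-cross-origin\r\n"
        . "X-Content-Type-Options: nosniff\r\n"
        . "X-Frame-Options: SAMEORIGIN\r\n"
        . "Content-Security-Policy: frame-ancestors 'self'\r\n",
];

foreach ($samples as $label => $raw) {
    $findings = audit_security_headers(parse_headers($raw));
    echo "[$label] " . (count($findings) === 0 ? 'OK' : count($findings) . ' finding(s)') . PHP_EOL;
    foreach ($findings as $f) {
        echo "  - $f" . PHP_EOL;
    }
}
```

Run it with `php audit.php`. The "default" sample produces five findings and the "hardened" sample none. The HSTS thresholds (one year, includeSubDomains) are the common baseline rather than a Drupal requirement; adjust them to your own policy.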
Secure cookies
It is recommended to set these attributes on cookies, in particular on the session cookie:
- SameSite: Declares whether the browser may attach the cookie to cross-site requests (Strict, Lax or None). Strict or Lax on the session cookie removes most cross-site request forgery (CSRF) exposure.
- Secure: The browser sends the cookie only over HTTPS, so it cannot be captured or replayed over plaintext HTTP. This attribute does not by itself stop scripts from reading the cookie; that is what HttpOnly is for.
- HttpOnly: The cookie is not exposed to client-side scripts (document.cookie), so an XSS bug cannot simply read the session cookie and send it elsewhere.
The session cookie attributes can be set in settings.php through PHP's session.cookie_* ini directives.
You can also use the Secure Login (securelogin) contrib module, which forces the login form and other sensitive forms to be submitted over HTTPS: https://www.drupal.org/project/securelogin
System file permissions
One of the most important steps is to set correct ownership and permissions on the files and directories on the server, so that the web server account cannot modify code or settings.php and can write only where it must (the public and private files directories).
You can find more information about it here:
https://www.drupal.org/node/244924
Basic Drupal security recommendations
- Trusted Host Settings: Configured in settings.php as $settings['trusted_host_patterns']. If the Host header of the HTTP request does not match one of the defined patterns, Drupal responds with HTTP 400, which stops host-header poisoning of generated links and password-reset emails.
- Encryption key: Make sure $settings['hash_salt'] in settings.php is a long random value and is kept out of version control; Drupal derives one-time login links, form tokens and other secrets from it, so a leaked or predictable salt undermines them.
- Access to update.php: Access to update.php must be restricted; set $settings['update_free_access'] to FALSE in settings.php so that only users with the permission to administer software updates can run it.
- Drupal core updates: Keeping Drupal core updated is always recommended; security releases fix publicly disclosed vulnerabilities, and once an advisory is out the fix is easy for attackers to reverse.
- Drupal contrib modules updates: Keep contrib modules up to date to cover any known vulnerability, and uninstall modules you no longer use, since unused code is still attack surface.
- Drupal contrib themes updates: If contrib themes are installed, it is recommended to keep them updated as well.
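As an added example (not from the original article), the sites/default/settings.php fragment below puts together the cookie attributes from the "Secure cookies" section and the trusted host, hash salt and update.php items from the list above. The $settings keys are Drupal core's own; the host names, the salt file path and the choice of Strict are placeholders and assumptions for this example, and the note on which cookie attributes core sets itself describes Drupal 9.1 and later, where SameSite support was added.

```php
<?php
// Added example: hardening fragment for sites/default/settings.php.
// Not copied from the article. The $settings keys are Drupal core's;
// the host names and the salt file path are placeholders.

// Trusted Host Settings: requests whose Host header matches none of these
// regular expressions get HTTP 400. Escape the dots and anchor both ends so
// "example.com.evil.net" does not match.
$settings['trusted_host_patterns'] = [
  '^example\.com$',
  '^www\.example\.com$',
];

// Hash salt: the installer writes a random value here, but hard-coding it in a
// file that is committed to the repository leaks it. Reading it from a file
// outside the docroot keeps it out of version control (path is a placeholder).
$settings['hash_salt'] = trim((string) file_get_contents('/var/www/private/salt.txt'));

// Access to update.php: FALSE means only users with the permission to
// administer software updates can run it. Never leave this TRUE after an
// update, since update.php bypasses the normal login requirement otherwise.
$settings['update_free_access'] = FALSE;

// Session cookie attributes (see "Secure cookies" above). Drupal core already
// sets HttpOnly on its session cookie and Secure when the request arrived over
// HTTPS; the SameSite attribute follows PHP's session.cookie_samesite, which
// can be overridden here. Use 'Lax' instead of 'Strict' if an external flow
// (SSO, payment callbacks) must post back into an authenticated session.
ini_set('session.cookie_samesite', 'Strict');
```

After editing settings.php, confirm the result with a real request: `curl -sI https://example.com/` should show a Set-Cookie line on a response that starts a session carrying Secure, HttpOnly and SameSite, and `curl -sI -H 'Host: evil.example' https://example.com/` should return HTTP 400.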
Image from: https://www.drupalise.com.au/