Drupal CMS Security Recommendations

Use Drupal's built in Form API, Forms module and Search module for handling all user-submitted text. These modules include protections against XSS, CSRF, HTML Injection and other common web security weaknesses.
When using the Form and Search modules, write custom validation for all non-standard input types (text that isn't an address, phone number, etc).
If not using built in modules for handling user text, use Drupal's text formatting verification (ie, check_text) functions to filter potentially dangerous user input. Whitelist user input against a table of valid options, or a regular expression, whenever possible.
Use Drupal's built in database API (db_query, etc) to access the database. Use parameterized queries only; do not construct SQL statements from raw user input.
Do not allow user input to execute PHP or SQL. Never let user input impact the use of eval, system, file, or exec functions. Try to avoid these functions if possible.
Do not rely on JavaScript for validation. Do not rely on AJAX calls to be invisible to the user or immune from tampering; data returned by AJAX calls must be treated with the same level of caution as user input.

Avoid allowing users to upload arbitrary files, in type, size, and volume. Limit file uploads to text, common work-related formats, and images.
Ensure access restrictions are in place to prevent users from viewing or editing arbitrary files.
HTTPS is required for login; use it whenever possible elsewhere.
- Note that all content created or owned by a user reverts to "anonymous" ownership upon user deletion - meaning anyone can read (and perhaps edit) that content. Block users instead of deleting them, when possible.
Disable remote login of the root user (user #1), or disable it entirely once administrator access is granted elsewhere.
Drupal frequently reports major security vulnerabilities. Keep your Drupal installation fully patched and a known-safe backup available at all times.
Never enable Full HTML comments.
Disable anonymous account creation and content posting.
Restrict error reporting. Do not show users notice, warning, or errors directly; instead redirect to a generic Error page (which preferably emails an administrator upon load).
Consider what data in the site is private, sensitive, protected or regulated. Avoid collecting it, anonymize it, or encrypt it as necessary.
Drupal secure code and configuration review is available upon request. AppScan automated scans may also help identify potential security concerns. Please consult Information Security for a manual or automated review, preferably during development and test, well ahead of go-live.

Browser not supported