Drupal security recommendations

Drupal CMS Security Recommendations

Developing custom modules securely:

  • Use Drupal's built-in Form API, Forms module and Search module for handling all user-submitted text. These include protections against XSS, CSRF, HTML injection and other common web security weaknesses.
  • When using the Form and Search modules, write custom validation for all non-standard input types (text that isn't an address, phone number, etc.).
  • If not using built-in modules for handling user text, use Drupal's text formatting verification functions (i.e., check_text) to filter potentially dangerous user input. Whitelist user input against a table of valid options, or a regular expression, whenever possible.
  • Use Drupal's built-in database API (db_query, etc.) to access the database. Use parameterized queries only; do not construct SQL statements from raw user input.
  • Do not allow user input to execute PHP or SQL. Never let user input influence calls to eval, system, file, or exec functions. Avoid these functions altogether if possible.
  • Do not rely on JavaScript for validation. Do not assume AJAX calls are invisible to the user or immune from tampering; data returned by AJAX calls must be treated with the same caution as any other user input.
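The first four points above, shown together in an added Drupal 7-style custom module snippet (not code from the page or from Tufts): a Form API form with a whitelist validation callback, and a parameterized db_query beside the string-concatenated version it replaces. The module name secure_lookup and the table secure_lookup_items are assumptions.

```php
<?php
// Added example (assumed module name "secure_lookup", assumed table
// "secure_lookup_items"); uses the Drupal 7 Form API and database API.
// Render with drupal_get_form('secure_lookup_form') from a menu callback.

function secure_lookup_form($form, &$form_state) {
  $form['item_code'] = array(
    '#type' => 'textfield',
    '#title' => t('Item code'),
    '#required' => TRUE,
    '#maxlength' => 16,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Look up'));
  // Form API adds the per-user form token for CSRF protection automatically.
  return $form;
}

// Custom validation for a non-standard input type: whitelist the input
// against a regular expression rather than trying to blacklist bad characters.
function secure_lookup_form_validate($form, &$form_state) {
  if (!preg_match('/^[A-Za-z0-9-]{3,16}$/', $form_state['values']['item_code'])) {
    form_set_error('item_code', t('Item code may only contain letters, digits and hyphens (3-16 characters).'));
  }
}

function secure_lookup_form_submit($form, &$form_state) {
  $code = $form_state['values']['item_code'];

  // UNSAFE (kept only as the "before" case): the input is interpolated into
  // the SQL string, so a crafted value can change the statement.
  // $result = db_query("SELECT title FROM {secure_lookup_items} WHERE code = '" . $code . "'");

  // SAFE: the :code placeholder is bound by the database layer and is never
  // interpreted as SQL; {table} braces let Drupal apply its table prefix.
  $result = db_query(
    'SELECT title FROM {secure_lookup_items} WHERE code = :code',
    array(':code' => $code)
  );

  foreach ($result as $row) {
    // Escape on output too: the @ placeholder in t() runs check_plain() on
    // the value, so stored markup is displayed, not rendered.
    drupal_set_message(t('Found: @title', array('@title' => $row->title)));
  }
}
```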

Securing Drupal configuration:

  • Do not allow users to upload arbitrary files; restrict uploads by type, size, and volume. Limit file uploads to text, common work-related formats, and images.
  • Ensure access restrictions are in place to prevent users from viewing or editing arbitrary files.
  • HTTPS is required for login; use it whenever possible elsewhere.
  • Note that all content created or owned by a user reverts to "anonymous" ownership upon user deletion, meaning anyone can read (and perhaps edit) that content. Block users instead of deleting them, when possible.
  • Disable remote login of the root user (user #1), or disable it entirely once administrator access is granted elsewhere.
  • Drupal frequently reports major security vulnerabilities. Keep your Drupal installation fully patched and a known-safe backup available at all times.
  • Never enable Full HTML comments.
  • Disable anonymous account creation and content posting.
  • Restrict error reporting. Do not show users notice, warning, or errors directly; instead redirect to a generic Error page (which preferably emails an administrator upon load).
  • Consider what data in the site is private, sensitive, protected or regulated. Avoid collecting it, anonymize it, or encrypt it as necessary.
  • Drupal secure code and configuration review is available upon request. AppScan automated scans may also help identify potential security concerns. Please consult Information Security for a manual or automated review, preferably during development and test, well ahead of go-live.

Additional guidance and detail:

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.