Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module, or phrase them generally. If you find a security vulnerability in publicly available code, the proper thing to do is report it to the Security Team.

On Twitter, see @drupalsecurity.

Posted by Shai

Name of this Group

I think there is sort of a usability issue with the name of this group:

"Best Practices in Drupal Security."

I couldn't find this group in my list of groups in the right sidebar, even though I'm only a member of about 10 groups. I used my browser to search on "Security" to find it.

I've read that people scan the left side of lists.

How about renaming this group "Security Best Practices"? I think we could dump the "Drupal" part to make the name shorter. I think it is understood that all the issues relate to Drupal.

What do you think?


Posted by Shai

Spam Emails IP Address Listed as the Site's IP Address in Watchdog

Hi Folks,

On a client site, spam comments are being posted. In Watchdog, the IP address of the spammer is the site's dedicated IP address. How is that possible?

Also note that there is a ReCaptcha challenge on all the comment forms.

Can anyone explain how this could happen?


Shai Gluskin

Posted by Jitesh Doshi

allowing new password input on password reset landing page

Normally, in Drupal, when a user clicks on a password reset link that they requested from a Drupal site, they are taken to a landing page that has nothing but a "Log In" button that logs them in. The system then expects the user to update their password on their own.

But for infrequent or non-technical users, that last step often never happens. They fail to set their password, and then ask to reset password again the next time they need to access the site.


Posted by bobbyaldol

Encrypt RSS feeds

The discussion here consists of a great idea to encrypt RSS feeds of private posts. But the discussion there has been dead and not updated for quite some time.
This says that "Overview: With Encrypted RSS/Atom feeds, buddylist-like features become possible cross-site. The project would be to develop a module which generates and consumes syndicated feeds, where reading them is only possible behind a login."

Posted by tvn

Security review for Project browser server

Hi Drupal security people,

For over a year community member wildkatana has been working on Project browser - a module which will let users search for and install modules and themes from within their Drupal website. The goal is to have this functionality in Drupal 8 core and as a contributed module for Drupal 7. For this functionality to work another module - Project browser server - needs to be deployed on The main blocker for this deployment now is the missing security review.

Here is an issue:

Posted by coltrane

Common code mistakes that open vulnerabilities


As part of an effort to expand Drupal-specific static code analysis tests for vulnerabilities, underway in Coder 7.x-2.x, I am curious about common errors made by developers that open up exploits. What problems are easy to make (and discover) that we can 1) write automated checks for and 2) get corrected in newer major versions of Drupal core?

Posted by greggles

Holidays to avoid doing Security Advisories around

We've currently got a policy about which holidays are important enough to Drupal's userbase that we don't do an advisory on a Wednesday near those days, but this policy didn't get a ton of discussion before being agreed to.

The dates are:

  • Drupalcons
  • Thanksgiving in the USA (fourth Thursday in November).
  • December (Christmas/Hanukkah)
  • The end/beginning of the Gregorian year in general (i.e. around new year's)
Posted by Berdir

Handling permissions for comments that support all entity types

Right now, comments are specific to nodes and respect node permissions on overview pages, recent comments block and so on, so that you can't see comments if you can't see the node. is making comments entity-type agnostic, so that you can attach comments to any fieldable entity.

Posted by greggles

Reminder: Check the Security improvements tag

Hello security minded folks!

There is a tag in use in the issue queue called "Security improvements". This is often used for areas where there is some sort of a bug or feature that isn't quite worth handling in private by the security team, but where action is needed to harden Drupal's security.

Posted by Vikas Sharma

Site Hacked


My 2 sites are hacked, both in almost the same way. My .htaccess is rewritten, and some fishy code is written in corn.php, install.php, update.php, authorize.php. Also a file wp-config.php,

All JS files in all/modules were also written with document.write(<iframe src=....)

Does anyone have any clue?


Posted by RedUhl

Recommendation for Drupal 7 Books that cover security?

I looked at the two books suggested but they are for Drupal 6. Is there a good book that handles security for Drupal 7?

Posted by christefano

Drupal Development Best Practices Training in Downtown Los Angeles on November 16, 2012

2012-11-16 10:00 - 17:00 America/Los_Angeles
Event type: Training (free or commercial)

Join us on November 16, 2012 in Downtown Los Angeles for Drupal Development Best Practices, a full day of Drupal training! This training is being produced by Exaltation of Larks, a Drupal strategy, development, consulting and training firm with a team of experts in Los Angeles.

    Sign up today at  

This one-day workshop gives you a comprehensive tutorial on the right way to manage your Drupal website. You'll learn about version control for your code and ways to manage changes in your data. You'll also see how the Features module can enable you to keep your configuration changes in version control.

We'll cover industry-approved deployment strategies that let you move smoothly through development, testing and live environments. You’ll get a high-level overview of how to modify the way your site looks by sub-theming, preventing hours of frustration should your original theme be updated.

What you will learn:

  • Using version control with Drupal
  • Maintaining development, testing and production environments
  • Managing configuration changes using the Features module
  • Creating a basic sub-theme
  • Creating a basic module
  • Understanding Drupal’s API and the hook system
Posted by cubeinspire

Enabling the overlay module for anonymous: Security risks


I'm reviewing a sandbox project for Drupal 7 called Overlay Links that encourages enabling the overlay module for anonymous users.
Review comment:

I've read on some blog that doing this has security concerns, but there were no more details about that.
Blog link:

Do you have any details about the security implications of enabling the permission "Access the administrative overlay" for anonymous users?


Encrypting and decrypting content in Drupal

There are at least two modules to do encryption in Drupal. This page compares those modules to help people choose a good one.

Last updated: 6 November, 2017

  • Encrypt
    • Includes multiple encryption methods from simple to complex depending on libraries available on the server
    • Focused on being a simple API that doesn't do much on its own
    • Uses CTools plugins for encryption methods and key providers
    • Contains unit tests for all the features
Posted by axel.rutz

Let's implement the sanitization bazooka: Autosanitization


Wrong sanitization of user supplied strings, resulting in CSRF security issues, accounts for the vast majority of security announcements. Autosanitization (exactly: proper context-stack-aware autosanitization) would be the bazooka to end this once and for all. It is in reach and would be a unique feature among notable open source frameworks. The implementation requirements are described. Research is needed on the D8 core requirements necessary to implement this in contrib land.

Anatomy of a sanitization issue

Consider a node title that is rendered like this:

Posted by greggles

Security team documentation now public - please help edit!

For a long time the security team documentation has grown in fits and starts inside of with a somewhat challenging organization. About 9 months ago I started a process to archive unnecessary/outdated items, consolidate the good stuff, and organize it into a single Google document for editing to allow people outside the team to help. Since then, several people helped out, and in the last week (starting at Drupalcon Munich) Ben Jeavons and I moved it all to public book pages on You can now find the previously private content inside:


Planning for Security implications of using external libraries

At Drupalcon Munich there was some discussion about introducing Symfony into Drupal and what that will mean for our security processes. Let's document our ideal scenarios for what we want an external library's maintainers to do before we incorporate it into Drupal. This should provide a framework for discussion with Symfony, but also potentially other libraries (e.g. Guzzle).

  • The project should have a simple, well documented way to report bugs
Posted by greggles

Drupal Security Sprint (s.d.o, security issues)

2012-08-24 09:00 - 17:00 Europe/Berlin
  • Interested in joining the Drupal Security Team?
  • Want help to fix a vulnerability in a module you maintain?
  • Want to learn about the team's process by helping us edit our own documentation and publishing it on
  • Want to work on core security improvements with like-minded individuals

Come work with some of Drupal's Security Team members at Drupalcon Munich.

Having some skills in writing secure code is helpful for some of the tasks, but not all.

Posted by joyseeker

Blogs and security

Hopefully, this is the best place to post this -- if not, I'd love some direction where to find answers.

I have a D6 site with blogs, and my database is being attacked. There are spam comments in the database, but since I have comments turned off for now, they do not display. I even have the site set up to approve registration, but I see from the Drupal logs that people are becoming active without my intervention.

On StatCounter, I see 2 types of URLs that may have clues -- can you tell me what type of attack it is? And maybe how to prevent it?

Posted by wrfeldmann

Mirror - Possible?

I have a situation where a few of our Drupal installations are not allowed to access the internet. They can be accessed from the internet. Because of this, the Reports page always shows that "Drupal core update status", "HTTP request status", and "Module and theme update status" fail to get available update data or just plain fail.
