Discussion of security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On Twitter, see @drupalsecurity.

Posted by DarrellDuane

Flat files on front end server security issue

I am working on installing a Drupal site that allows users to store and display files (.doc, .pdf, .xls, etc.) at a high-end secure data center with DMZs and the like. The customer's data center doesn't allow them to have web applications that store flat files on the front-end web server machine.


Comodo Certificate Installation: Apache & mod_ssl

Installing your Certificate on Apache with mod_ssl
1. Extract all of the contents of the ZIP file that was sent to you and copy/move them to your server. The extracted contents will typically be named: yourDomainName.crt and

Note: If you received several .crt files in your ZIP file please use this article to make
2. Move all of the certificate related files to their appropriate directories.

A typical setup:

Posted by greggles

New French laws on security/privacy - Personally Identifiable Information

Crossposted to security group and France group, my apologies for not being able to write this in French. Comments are welcome in French or English, of course.

There are some new French laws on user information and how it is handled which seem to have implications for security.

Hacker News has a thread about this that talks about the actual requirements which seem to be compatible with the way Drupal core works.

Posted by onslow77

Drupal 6 file permissions on shared host


I have installed the module "Security Review" and it notifies me that I have the wrong file permissions.
I have not done any configuration of the file permissions since I recently installed Drupal.

My settings
Folder 755 (except for sites/default folder that has 555)
Files 644 (except for settings.php that has 444)

The Security Review module tells me that everything under sites, modules and themes has the wrong file permissions (basically the whole Drupal installation).

Posted by LittleLion

Secure Drupal and Drupal 7

I am implementing a site that will contain some information that should be secure. I looked up various posts and modules about security and it seems that by default all passwords are sent in clear text across the Internet in D6.

I found little to no information on securing D7 logins or pages.

Is there a simple solution to force the site into https?

Thanks for any advice,


Posted by acstyxx

Drupal Sites with PHI

I am trying to build a new Patient Portal site for exposing Personal Health Record information to meet Meaningful Use measures of timely access for our EHR. I am planning to expose that PHI through a web service from our EHR and build a custom module in Drupal to make that data accessible through the portal.

I am looking for examples of sites in production or development that expose Protected Health Information through Drupal.

Posted by greggles

Security updates and profiles/distributions (especially those hosted outside of d.o)

What tools or processes should we follow for profiles that are hosted off when they need to be updated for security reasons?

Currently, all of the modules they use that are hosted on will get proper security updates but this could be confusing to the end user (if the profile itself hasn't been upgraded to that module).

What about modules that are hosted elsewhere?

What if the download file is only available from other sites and not packaged on

Posted by greggles

Security session, training, BOF at Drupalcon Chicago

First, if you haven't already you should sign up for Drupalcon Chicago.

This year we've got a relatively small number of sessions at Drupalcon Chicago about security.

  • Drupal Security for Coders - this is a presentation on the most common attack scenarios and how to code/configure to protect against them
Posted by proindustries

Securely managing a large number of drupal sites

Hey guys - So, keeping track of what updates are needed on a Drupal site isn't too bad, but what about if you're running 50 sites? I've looked around a few times over the last few months, but I've never found any good discussion on this topic.

I'm building out a new secure Drupal hosting service, and while I'll be able to manage this for the first few months by hand, presuming things go well, it will quickly become more work than I'd like to do, just keeping inventory of the sites, figuring which sites have security patches, etc.

Posted by Charles Belov

Redundant database security

This is a cross-post and slight edit of a portion of a post I made in the Usability group concerning my reactions as a Drupal pre-install newbie over the course of the recent Bay Area Drupal camp (BADCamp). This does not concern any specific Drupal vulnerability as I don't know of any vulnerability or even if what follows is accurate. It is just a result of seeing various published Drupal security reports and putting that together with what I saw at BADCamp plus some thoughts of my own. I have not looked at Drupal source code.

Posted by greggles

Allowing Apache to write files

There was recently a presentation about whether or not it's safe to let the webserver write to your document root:

This is something I've heard our community go back and forth about. I'd like us to come to a more solid position on the topic.

He also cites granting more mysql permissions than necessary as a mistake (one we avoid, though we could be a bit more we need the permission to drop tables, for example?).

Posted by mfb

Secure Login module not dead yet

Secure Login module was in need of a maintainer, so I decided to take it on.

What I like about Secure Login is that it's a small, simple module that makes it easy to enforce secure (SSL) logins on a Drupal site.

I've already committed a Drupal 7 version which could use testing and feedback.

Posted by mgifford

Best Practices for Module/Theme level Security Reviews

Are there any best practices or approaches to reviewing individual modules or themes?

I do feel that modules posted to are more secure than those posted elsewhere, simply because the framework allows for an easy way for us to receive updates when there are security issues. However, other than people posting security patches, what processes are being used to scan contributed code for problems?

There are a number of approaches for general PHP development which would certainly apply:

Posted by themselves

Highly-secure Drupal installation

Hi everyone,

What we've been doing around here is trying to put together an implementation framework that would deliver the most secure Drupal possible. Our idea so far is this:

First layer is a Varnish cache - it is the only publicly exposed port of the entire infrastructure.

Second layer is a Drupal install with a read-only mysql user (other than the session, watchdog and cache tables of course), so that even if someone elevates permissions in Drupal, they are unable to write anything to the database.

Posted by jmiccolis

Vuln module, a XSS feature

I created a quick XSS module last week that I've been using for testing, and it was suggested that I post it here in case others found it useful. The module is here:

The module is simply a bunch of exported (a la Features module) configuration that is loaded with script tags. The idea being that as you build out your site and theme you work with this module enabled occasionally and get an alert when you've slipped up. It is not an automated testing tool.

Posted by greggles

Security related policies for code hosted on

We've got some licensing and third-party code rules for CVS.

The Security Team has set some policies that it enforces, but these policies impact module maintainers and, so far, we have not really informed maintainers that they should agree to the policies of the Security Team as well.

This is the big one:

We also attempt to follow a "14 days from reporting to release" and our template e-mail to module maintainers includes a date roughly 14 days in the future:

Posted by pfortuna

Security Alert: Drupal Context module

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

Posted by greggles

Announcing Drupal Security Report

Ben and I are happy to have just launched

After several months of working on this project the paper has reached 1.0 status.

Of course it wouldn't have been possible without the support of many sponsors and reviewers:

Posted by greggles

IBM X-Force Report - Drupal and other systems

There is an IBM X-Force report about the state of security in a variety of platforms.

The researchers make some interesting claims. As always, doing this kind of thing is fraught with questionable assumptions, generalizations, and guesses that make the reports easy targets for criticism in spite of the best efforts of the authors.

One thing to note: they claim that there are unpatched vulnerabilities in a lot of the systems and give numbers for Drupal where I'm not sure what their source data is. If anyone can get in touch with the authors to ask for raw data I'd love to see it.

Posted by joachim

webform registration - skipping password changing?

I've written a module that streamlines the registration process for webforms that don't allow anon users to submit.

Before I create a project for it on, I'd like people's opinions on what it does to the login process.

What the module does is this: when an anonymous user goes to the webform node, they are shown the registration form instead. When they first log in, they are taken back to the same webform node. (As far as I can tell, this is not doable with login toboggan or login_destination.)
