Acquia CMS


In Cloud Platform, security is a shared responsibility between Acquia CMS and subscribers. Cloud Platform provides a secure platform where Acquia CMS subscribers can build and manage world-class, highly-secure Drupal applications. Acquia manages, monitors, and secures the environment where Acquia CMS subscriber applications run, including the operating system and LAMP (Linux, Apache, MySQL, PHP) stack and network layers of Cloud Platform. Acquia provides tools, support, and resources enabling subscribers to keep secure Drupal applications.

The following modules are used for enhanced security:

Security Kit

This module provides Acquia CMS with various security-hardening options. This module mitigates the risks of exploitation of different web application vulnerabilities. Acquia ships the following configuration with this module in Acquia CMS:

X-XSS-Protection header - X-XSS-Protection HTTP response header controls Microsoft Internet Explorer, Google Chrome
and Apple Safari internal XSS filters. It is disabled by default
X-Frame-Options header - SAMEORIGIN
SSL/TLS [Max-Age] - 1000 seconds
Expect-CT - Configure the Expect-CT header which allows sites to opt in to reporting and/or enforcement of
Certificate Transparency requirements. Max-age for Expect-CT is 86400.

Automated Logout

This module helps site administrators to log users out after a specified time of inactivity. It is highly customizable and includes “site policies” by role to enforce logout. By default, Acquia CMS sets the minimum value of inactivity to 1800 seconds and logs users out after that threshold.


This module mitigates spam form submissions by using the honeypot method. It prevents any bots from automatically submitting any forms. By default, this module is disabled in Acquia CMS. After you enable this module, it gets added to all the Acquia CMS forms. To use this setting in your custom form, use the following code:

\Drupal::service('honeypot')->addFormProtection($form, $form_state, ['honeypot', 'time_restriction']);


Acquia CMS ships shield or PHP Authentication shield, which creates a general shield for the site. It creates a simple shield for the site with Apache authentication. It hides sites if the user does not know the username and password. When the user hits the url of the site, it displays a form to enter the username and password. To change the settings of the shield, click Admin > Config > System > Shield. By default, this module is disabled.


Acquia CMS ships the Captcha module, which provides the CAPTCHA API for adding challenges to arbitrary forms. You can enable this module and add it to any form such as user registration form and user login form.


This module protects Acquia CMS from spam and abuse, while letting authenticated users pass through with ease. It uses the Google reCAPTCHA web service to improve the CAPTCHA system. It is tough on bots and easy on humans. You can add this to any forms such as registration form and login form. By default, this module is disabled.

Username Enumeration Prevention

This module is enabled with Acquia CMS. It removes the error message produced by the forgotten password form for an invalid user. It provides the following features:

  • %name is blocked or has not been activated yet

  • %name is not recognized as a username or an email address

  • Converts 403 Access Denied responses to 404 Not Found on user profiles

  • Provides warnings on the admin status report if the site in configuration could expose usernames

Password Policies

Acquia CMS uses a password policy module to enforce restrictions on user passwords by defining password policies. Acquia CMS ships the following password security modules along with password policy module:



Password Character Length Policy

Sets up a character length constraint for passwords.

Password Character Types Policy

Sets up the minimum number of different character types the password must contain.

Password Username Policy

Restricts users from having their username in their password.

Password Policy History

Sets up a password constraint to limit repeated use of the same password.

For example, an uppercase constraint with a parameter of 2 and a digit constraint with a parameter of 4 means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.