Security

Security Kit¶

This module provides Drupal Starter Kits with various security-hardening options. This module mitigates the risks of exploitation of different web application vulnerabilities. Acquia ships the following configuration with this module in Drupal Starter Kits:

X-XSS-Protection header - X-XSS-Protection HTTP response header controls Microsoft Internet Explorer, Google Chrome
and Apple Safari internal XSS filters. It is disabled by default
X-Frame-Options header - SAMEORIGIN
SSL/TLS [Max-Age] - 1000 seconds
Expect-CT - Configure the Expect-CT header which allows sites to opt in to reporting and/or enforcement of
Certificate Transparency requirements. Max-age for Expect-CT is 86400.

Automated Logout¶

This module helps site administrators to log users out after a specified time of inactivity. It is highly customizable and includes “site policies” by role to enforce logout. By default, Drupal Starter Kits sets the minimum value of inactivity to 1800 seconds and logs users out after that threshold.

Honeypot¶

This module mitigates spam form submissions by using the honeypot method. It prevents any bots from automatically submitting any forms. By default, this module is disabled in Drupal Starter Kits. After you enable this module, it gets added to all the Drupal Starter Kits forms. To use this setting in your custom form, use the following code:

\Drupal::service('honeypot')->addFormProtection($form, $form_state, ['honeypot', 'time_restriction']);

Shield¶

Drupal Starter Kits ships shield or PHP Authentication shield, which creates a general shield for the site. It creates a simple shield for the site with Apache authentication. It hides sites if the user does not know the username and password. When the user hits the url of the site, it displays a form to enter the username and password. To change the settings of the shield, click Admin > Config > System > Shield. By default, this module is disabled.

Captcha¶

Drupal Starter Kits ships the Captcha module, which provides the CAPTCHA API for adding challenges to arbitrary forms. You can enable this module and add it to any form such as user registration form and user login form.

reCAPTCHA¶

This module protects Drupal Starter Kits from spam and abuse, while letting authenticated users pass through with ease. It uses the Google reCAPTCHA web service to improve the CAPTCHA system. It is tough on bots and easy on humans. You can add this to any forms such as registration form and login form. By default, this module is disabled.

Username Enumeration Prevention¶

This module is enabled with Drupal Starter Kits. It removes the error message produced by the forgotten password form for an invalid user. It provides the following features:

• %name is blocked or has not been activated yet
• %name is not recognized as a username or an email address
• Converts 403 Access Denied responses to 404 Not Found on user profiles
• Provides warnings on the admin status report if the site in configuration could expose usernames

Password Policies¶

Drupal Starter Kits uses a password policy module to enforce restrictions on user passwords by defining password policies. Drupal Starter Kits ships the following password security modules along with password policy module:

For example, an uppercase constraint with a parameter of 2 and a digit constraint with a parameter of 4 means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.