Security on Drupal

June 18, 2021


![Security on Drupal](https://cms.rootstack.com/sites/default/files/blog/img/security.png)

We are often asked whether Drupal has proper security features compared to other content management platforms. Drupal actually has a very good track record in terms of security, and it has well-organized processes to investigate, verify and publish potential security issues, handled by a dedicated security team and its ever-active community: [(Drupal.org)](http://www.drupal.org).

There are companies that have chosen this CMS based on its security alone, such as:

- CNN
- Zynga
- PayPal
- Twitter

Regarding the community, Drupal strictly enforces the requirements for contributing a module and publishing it on Drupal.org. New contributors go through a well-documented process to become trusted partners. The Drupal security team also works constantly with key contributors to address identified security problems. That security team, together with the community and peers, keeps the code under constant scrutiny to ensure its quality.

Another question is how Drupal deals with common security threats. SQL injection, XSS, CSRF, session hijacking and other known threats are addressed by design in Drupal core, which is carefully built around security to prevent such flaws.

How Drupal faces security risks?
---------------

Drupal is built on a comprehensive set of APIs that, when used correctly, mitigate common security risks. This section describes how Drupal deals with each of them.

**• Injection**

Drupal has a robust object-oriented database API that makes it hard for developers to create injection holes: query parameters are sanitized automatically through placeholders, and the API is used through a single consistent interface. Interaction between Drupal's layers, where some extensions can be modified and therefore the server can run with errors, can thus be limited.

**• Authentication and Session Management**

User accounts and authentication are managed by Drupal core.
Authentication cookies and a user's name, ID and password are managed on the server to prevent privilege escalation. Passwords are salted and hashed using an algorithm based on the Portable PHP password hashing framework, and existing sessions are destroyed on login and logout.

**• Cross Site Scripting – XSS**

Drupal has a strong filtering system for user-generated content shown on screen. Untrusted user content is filtered by default to remove dangerous elements. For developers, Drupal provides at least eight API functions for filtering output and preventing XSS. Where common development mistakes lead to XSS vulnerabilities, those patterns are identified and mitigated by building safer default values.

**• Insecure Direct Object Reference**

Drupal often exposes direct object references, such as the unique numeric identifiers of user accounts or content in URLs and form fields. While these identifiers directly disclose system information, Drupal's permission and access control system prevents unauthorized requests. Obfuscation methods are available through configuration and community-contributed code. In addition, validation and protection against semantic forgery attacks is implemented in Drupal core through the Form API.

**• Security Misconfiguration**

Access to site management controls, text formats and private information is restricted by default to a single administrator account. Documentation of best practices for secure configuration and site creation is provided by [(Drupal.org)](http://www.drupal.org), and there are several projects that perform automated security reviews or implement more secure configurations.

**• Missing Function Level Access Control**

Function-level access in Drupal is protected by a powerful permission-based system that checks for proper authorization before an action is taken.
In the case of URL access, the access check is integrated throughout the menu, rendering and routing system, which means that the visibility of navigation and pages is protected by the same system that handles incoming requests.

**• Cross Site Request Forgery - CSRF**

Drupal validates the user's intent before an action is taken, using industry-standard techniques. Actions with side effects (such as deleting database objects) are generally carried out with the HTTP POST method, and Drupal's Form API embeds unique tokens in POST requests to protect against CSRF.

Because of its focus on government sites, Drupal is always in the spotlight: 24% of all .gov sites in the United States were built on this platform. Drupal powers more than 150 sites for the federal government, including:

- The White House / [Whitehouse.gov](http://www.whitehouse.gov)
- House of Representatives / [House.gov](http://www.house.gov/)
- NASA / [NASA.gov](https://www.nasa.gov/)
- The Education Department / [Ed.gov](http://www.ed.gov/)
- The Energy Department / [Energy.gov](http://energy.gov/)
- The Commerce Department / [Commerce.gov](https://www.commerce.gov/)
- The Health Department / [Hhs.gov](http://www.hhs.gov/)
- Department of Defense / [Defense.gov](http://www.defense.gov/)
- Department of Transportation / [Transportation.gov](https://www.transportation.gov/)
- The National Security Agency / [Nsa.gov](https://www.nsa.gov/)
- Among others.

Open source platforms like Drupal are not often regarded as safe solutions, but we have come a long way in overcoming this myth, considering the companies and government agencies that rely on it every day.
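The Injection, XSS, function-level access control and CSRF points above all come down to using the core APIs rather than building queries, markup or links by hand. The following controller is an added example written for this post (it is not code from the original article or from Drupal core); the module name `safe_notes`, the permission `view safe notes`, the route names and the token seed string are assumptions made for the example, and it targets the Drupal 9/10 API.

```php
<?php
// Added example: a small Drupal controller showing the four mitigations the
// post names. "safe_notes", the permission name and the route names are
// assumptions for this example, not part of the original article.

namespace Drupal\safe_notes\Controller;

use Drupal\Component\Utility\Html;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class NotesController extends ControllerBase {

  /**
   * Function-level access control: referenced from safe_notes.routing.yml as
   *   requirements:
   *     _custom_access: '\Drupal\safe_notes\Controller\NotesController::access'
   * The router runs this before the controller, and the same result hides the
   * menu link, so page visibility and request handling share one check.
   */
  public static function access(AccountInterface $account): AccessResult {
    return AccessResult::allowedIfHasPermission($account, 'view safe notes');
  }

  /**
   * Injection: the untrusted $uid taken from the URL never reaches SQL as
   * text. The query builder binds it as a placeholder, so a value such as
   * "1 OR 1=1" is compared as a literal rather than parsed as SQL.
   */
  public function listNotes(int $uid): array {
    $rows = \Drupal::database()->select('node_field_data', 'n')
      ->fields('n', ['nid', 'title'])
      ->condition('n.uid', $uid)
      ->condition('n.status', 1)
      ->execute()
      ->fetchAll();

    $items = [];
    foreach ($rows as $row) {
      // XSS: titles are user-generated content. Html::escape() converts
      // "<script>" to "&lt;script&gt;" before the string is placed in markup.
      $items[] = Html::escape($row->title);
    }

    return [
      '#theme' => 'item_list',
      '#items' => $items,
      // Translation placeholders are escaped as well ('@' escapes, '%' escapes
      // and emphasises, ':' escapes as a URL), so raw input is never
      // concatenated into the output string.
      '#title' => $this->t('Notes for user @uid', ['@uid' => $uid]),
    ];
  }

  /**
   * CSRF: a state-changing action reached by a GET link. Form API adds and
   * checks tokens for POST forms automatically; for a GET route Drupal lets
   * you declare `_csrf_token: 'TRUE'` in routing.yml and Url::fromRoute()
   * then appends ?token=... to generated links. The explicit validation below
   * does the same check by hand so the mechanism is visible.
   */
  public function archive(Request $request, int $nid): array {
    $token = $request->query->get('token', '');
    // The seed string ties the token to this specific action and object.
    if (!\Drupal::csrfToken()->validate($token, 'safe_notes/archive/' . $nid)) {
      throw new AccessDeniedHttpException();
    }

    // Again a parameterised update: $nid is bound, not interpolated.
    \Drupal::database()->update('node_field_data')
      ->fields(['status' => 0])
      ->condition('nid', $nid)
      ->execute();

    return ['#markup' => $this->t('Note @nid archived.', ['@nid' => $nid])];
  }

}
```

In a real module the database connection would be injected through `create()` instead of the `\Drupal::database()` static call, and the archive action would normally be a confirmation form submitted by POST, which gets its CSRF token from the Form API with no extra code. The point of the example is that each of the four risks is handled by an API call the developer reaches for by default, which is what the post means by "when used correctly".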