In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Healthcare, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

10 Ways Drupal 8 Will Be More Secure
Drupal 8

10 Ways Drupal 8 Will Be More Secure

by Adrian Ababei on Oct 23 2015

Security is very hard to bolt on to any software or product after it has been built. Building it into the core of the code helps to avoid mistakes, and thus the upcoming release of Drupal 8 tries to build in more security by default, while still being usable for developers and site builders. This list of 10 security improvements is not exhaustive - some are just a line or two to handle an edge case, and there are others I may have overlooked. I've contributed to a number of these improvements, but they reflect overall the community consensus as well as reactions to problems that required security releases for Drupal core or contributed modules in the past. For each point I've tried to include a link or two, such as the Drupal core change record, a documentation page, or a presentation that provides more information. Some of these may also be possible to back-port to Drupal 7, to benefit you even sooner. A "7.x back-port" link indicates that. For context on why these 10 improvements are important, I looked at past security advisories (SAs) as well as considering the kind of questions we get here at Acquia from companies considering adopting Drupal. In terms of past SAs, cross-site scripting (XSS) is the most commonly found vulnerability in Drupal core and contributed modules and themes.

1. Twig templates used for html generation

This is probably first on the list of anyone you ask about Drupal 8 security. This is also one of the most popular features with themers.

 One security gain from this is that it enforces much stricter separation of business logic and presentation – this makes it easier to validate 3rd party themes or delegate pure presentation work. You can't run SQL queries or access the Drupal API from Twig. 


 

In addition, Drupal 8 enables Twig auto-escaping, which means that any string that has not specifically flagged as safe will be escaped using the PHP function htmlspecialchars() (e.g. the same as Drupal 7 check_plain()). Auto-escaping of variables will prevent many XSS vulnerabilities that are accidentally introduced in custom site themes and custom and contributed modules. That fact is why I ranked this as number one. XSS is the most frequent security vulnerability found in Drupal code. We don't have a lot of hard data, but based on past site audits we generally assume that 90% of site-specific vulnerabilities are in the custom theme.


2. Removed PHP input filter and the use of PHP as a configuration import format

OK, maybe this should have been number one. Drupal 8 does not include the PHP input format in core. In addition to encouraging best practices (managing code in a revision control system like git), this means that Drupal no longer makes it trivial to escalate an administrator login to being able to execute arbitrary PHP code or shell commands on the server. 
 For Drupal 7, importing something like a View required importing executable PHP code, and for certain custom block visibility settings, etc. you would need to enter a PHP snippet. These uses of evaluated PHP (exposing possible code execution vulnerabilities) are all gone – see the next point about configuration management.
 Now that we have covered the top two, the rest of the 10 are in rather arbitrary order.

3. Site configuration exportable, manageable as code, and versionable

The Configuration Management Initiative (CMI) transformed how Drupal 8 manages things that would have been represented in Drupal 7 as PHP code. Things like Drupal variables or ctools exportables (e.g. exported Views).

 CMI uses YAML as the export and import format and the YAML files can be managed together with your code and checked into a revision control system (like git). 
 Why is this a security enhancement? Well, in addition to removing the use of PHP code as an import format (and hence possible code execution vulnerability), tracking configuration in code makes it much easier to have an auditable history of configuration changes. This will make Drupal more appealing and suitable for enterprises that need strict controls on configuration changes in place. In addition, configuration can be fully tested in development and then exactly replicated to production at the same time as any corresponding code changes (avoiding mistakes during manual configuration).
 Finally, it is possible to completely block configuration changes in production to force deployment of changes as code.


4. User content entry and filtering improved

While the integration of a WYSIWYG editor with Drupal core is a big usability improvement, extra care was taken that to mitigate poor practices that adding a WYSIWYG editor encouraged in past Drupal versions. In particular, users with access to the editor were often granted access to the full html text format, which effectively allowed them to execute XSS attacks on any other site user.

 To encourage the best practice of only allowing the use of the filtered HTML format, the Drupal 8 WYSIWYG editor configuration is integrated with the corresponding text filter. When a button is added to the active configuration, the corresponding HTML tag is added to the allowed list for the text filter.
 Drag a new button from the available to enabled section in the editor configuration: WYSIWYG editor configuration adding underline button The corresponding HTML tag (the U tag) is added to the allowed list: U tag is allowed in the filter An additional security improvement is that the core text filtering supports limiting users to using only images local to the site which helps prevent cross-site request forgery (CSRF) and other attacks or abuses using images.

5. Hardened user session and session ID handling

There are three distinct improvements to session and session cookie handling. First, the security of session IDs has been greatly improved against exposure via database backups or SQL injection (7.x back-port ). Previously in Drupal, the session ID is stored and checked directly against the incoming session cookie from the browser. The risk from this is that the value from the database can be used to populate the cookie in the browser and thus assume the session and identity of any user who has a valid session in the database. In Drupal 8, the ID is hashed before storage, which prevents the database value from being used to assume a user's session, but the incoming value from the value is simply hashed in order to verify the value.
 Next, mixed-mode SSL session support was added to core to support sites that, for example, used contributed modules to serve the login page over SSL while other pages unencrypted. You will have to replace the session handling service if you really need this. This encourages serving your entire site over SSL (which is also a search engine ranking boost).

 The final change is that the leading “www.” is no longer stripped from the session cookie domain since that causes the session cookie to be sent to all subdomains (7.x back-port).

6. Automated CSRF token protection in route definitions

Links (GET requests) that cause some destructive action or configuration change need to be protected from CSRF, usually with a user-specific token in the query string that is checked before carrying out the action. 

This change improves the developer experience and security by automating a process frequently forgotten or done incorrectly in contributed modules. In addition, centralizing the code makes it easier to audit and provide test coverage. Drupal 8 makes it easy. A developer merely needs to specify that a route (a system path in Drupal 7 terms) require a CSRF token. Here is an example of the YAML route definition for a protected link in Drupal 8 entity. entity.shortcut.link_delete_inline: path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline' defaults: _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline' requirements: _entity_access: 'shortcut.delete' _csrf_token: 'TRUE' Only the one line in the requirements: section needs to be added to protect shortcut deletion from CSRF.

7. Trusted host patterns enforced for requests

Many Drupal sites will respond to a page request using an arbitrary host header sent to the correct IP address. This can lead to cache poisoning, bogus site emails, bogus password recovery links, and other problems with security implications. For earlier versions of Drupal, it can be a challenge to correctly configure the webserver for a single site that uses sites/default as its site directory to prevent these host header spoofing attacks. Drupal 8 ships with a simple facility to configure expected host patterns in settings.php and warns you in the site status report if it's not configured.

8. PDO MySQL limited to executing single statements

If available, Drupal 8 will set a flag that limits PHP to sending only a single SQL statement at a time when using MySQL. This change would have reduced the severity of SA-CORE-2014-005 (a SQL injection vulnerability that was easily exploited by anonymous users) (7.x back-port)
. Getting this change into Drupal 8 meant I first had to contribute a small upstream change to the PHP language itself, and to the PDO MySQL library that is available in PHP versions 5.5.21 or 5.6.5 and greater. There is also a patch in progress to try to enforce this protection regardless of which specific database driver is being used.

9. Clickjacking protection enabled by default

A small change, but Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. This header is respected by most browsers and prevents the site from being served inside an iframe on another domain. This blocks so-called click-jacking attacks (e.g. forms or links on the site being presented in a disguised fashion on an attacker's site inside an iframe), as well as blocking the unauthorized re-use of site content via iframes. (7.x back-port).

10. Core JavaScript API Compatible with CSP

Support for inline JavaScript was removed from the #attached property in the Drupal render API. In addition, the Drupal javascript settings variables are now added to the page as JSON data and loaded into a variable instead of being rendered as inline JavaScript. This was the last use of inline JavaScript by Drupal 8 core, and means that site builders can much more easily enable a strict content security policy (CSP) – a new web standard for communicating per-site restrictions to browsers and mitigating XSS and other vulnerabilities. A final note of caution: The substantial code reorganization and refactoring in Drupal 8 as well as the dependence on third party PHP components does present a certain added risk. The code reorganization may have introduced bugs that were missed by the existing core tests. The third party components themselves may have security vulnerabilities that affect Drupal, and at the very least, we need to track and stay up to date with them and fix our integration for any corresponding API changes. In order to try to mitigate the risk, the Drupal Association has been conducting the first Drupal security bug bounty that has been run for any version of Drupal core. This has uncovered several security bugs and means they will be fixed before Drupal 8 is released.

- Source: https://goo.gl/i2CCxj

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

DrupalDrupal 8
Is Drupal Good for eCommerce? 11 Excellent Reasons Why You’d Choose It over Another Platform

Is Drupal Good for eCommerce? 11 Excellent Reasons Why You’d Choose It over Another Platform

    "... wanna run eCommerce on Drupal 8 but don't know if it's a good idea."   But is Drupal good for eCommerce?    And, most of all: Is it better suited for your own online business needs and feature requirements than other eCommerce platforms out there? Some legitimate questions you're struggling with there… To give you a hand, here's a list of 11 excellent reasons why you'd lean towards Drupal eCommerce solutions for building your e-commerce site.    Reason #1: You're in Full Control of the Source Code to Make Any Changes You Want In other words, you don't need to convince the vendor first that the changes you need to make are beneficial for him/her. You're free to extend Drupal eCommerce platform's core functionality, to adapt, and extend its code till it meets your needs entirely.    … till it integrates perfectly into that specific software that you use.   Which is not the case when you go for a commercial solution: you're not granted access to the core code for any custom software development work that you might need to make. Of course, this "reason" becomes a really strong selling point only if/when: you have non-standard business requirements it's a large, complex eCommerce website that you're building Reason #2: Your eStore Grows With Drupal  Drupal scales with your business... effectively.   And by that I mean that it's designed to keep the resources and the time required to handle your online store's growth at a minimum.   Being: flexible by nature (its open-source nature) powered by the API-first initiative … Drupal eCommerce solutions make the best choice if "scalability" is on top of your list of requirements.   Reason #3: You Get to Reach Out to Your Customers Across Multiple Channels  "Is Drupal good for eCommerce?"   It becomes the perfect option for your own eCommerce website if you're planning to reach out to your customers across an entire network of sales channels, thus boosting your digital marketing efforts.  Let's say you have your main/central eCommerce website and you need to pull content from there and to distribute it across a whole ecosystem of channels — eCommerce apps, digital kiosks, conversational interfaces — and devices. Then, the API-first initiative allows you to tap into a headless commerce Drupal architecture and: use Drupal as a back-end content repository configure your content to fit all types of formats and reuse it whenever (and wherever) needed increase your outreach incorporate business automation into your development team's workflow: help them work smart and achieve more Reason #4: You Get to Deliver Content-Driven eCommerce Experiences With Drupal, you get the best of both worlds:   an eCommerce platform (by integrating one of its specialized eCommerce modules into the content management system) a content platform   And this is what makes it ideal for: tapping into the experience-led eCommerce model getting the most out of your content marketing efforts (think blog posts, effectively interconnected product pages, user guides, etc.) Reason #5: You're Free to Integrate Any Third-Party Service into Your Online Store From: marketing platforms to analytics services to payment gateways of your choice (there are 80+ payment options available with Drupal Commerce) to third-party add-ons that would automate your team's tasks and boost their productivity (while boosting online sales, as well) … Drupal & its eCommerce component accommodates any type of integrations you need to make.   Reason #6: "Is Drupal Good for eCommerce?" It Is for Delivering High-Speed eCommerce Experiences Just think… real-time shopping cart updates.  Or pretty much any action that your customers would need to carry out on your eCommerce site, then turbocharge it with top speed. A decoupled Drupal Commerce setup (add the JavaScript framework of your choice here) enables you to deliver such type of dynamic user experiences.    Reason #7: You Have No Limits to How Much You Can Extend Your Drupal 8 eCommerce Website Drupal Commerce can grow as much as your business needs. Whether you need to integrate: a whole network of third-party systems a whole lot of contributed modules an eCommerce Drupal distribution (a bundle of multiple modules) a Drupal eCommerce theme  … and extend your eCommerce store's functionality, there's no limit to what you can incorporate into your Drupal eCommerce website.   Reason #9:  You Benefit from an Extremely Configurable eCommerce Solution "Whereas eCommerce solutions are often developed with an application mindset, highlighting what you can do with it out of the box, Drupal eCommerce solutions were developed with a framework mindset, focusing on what you can build with them." (Source: Drupal.org)   Basically, you're free to customize every little piece of your Drupal 8 eCommerce site, till it: delivers that unique shopping experience you want it to meets all your ultra-personalized requirements: to trigger certain actions based on user input, to display multiple tax rates, to have an out-of-the-ordinary checkout flow, etc. Here, it's up to you and it depends on what you need to build: Are you looking for a cookie-cutter eCommerce solution, that would help you get a generic webshop up and running in no time? Or do you want unlimited customization freedom, that comes at the cost of…  investing more time in writing custom code?   Reason #10: You're Free to Sell Both Physical and Digital Goods And that thanks to Drupal Commerce's flexibility:   It provides you with the functionality you need to start building your product catalog and selling your digital products — subscriptions, tickets, online courses, etc. — on your online store. A key aspect to consider when comparing the features of your best options in terms of eCommerce platforms in 2020.   Reason #11: You Can Make the Most of the Granular and Differential Access to Content Drupal allows you to define different roles for your team members and to assign several levels of permission to each role. Not everyone would then be authorized to edit content, add products, manage orders, publish content, etc. This way you get to: set up a convenient hierarchy harden your online store's security  So, Is Drupal Good for eCommerce? Maybe a more appropriate question would be: "Is Drupal the right solution for my eCommerce business?"  It might be... And these 11 reasons mentioned here do become the best arguments for you to choose it over another platform (Ubercart, Prestashop, Shopify…) if: it's a growing or an already established eCommerce business that you run (otherwise, all that configuration and custom work might be an overkill for a small business) you have complex feature needs for your online store: you need to integrate it with coupon rules, several backend systems, and so on Do you fit the eCommerce business owner "profile"? For we do fit the profile of that Drupal eCommerce agency and development company you're looking for, capable to tweak it till it fits your complex requirements to the slightest detail. Just challenge us and see how Drupal eCommerce solutions can accelerate business outcomes.    ... Read more
Adriana Cacoveanu / Aug 10'2021
DesignDrupalDrupal 8Web Design
What Are the Benefits of Web Accessibility for Your Business?

What Are the Benefits of Web Accessibility for Your Business?

  For people with disabilities, web accessibility is highly beneficial. They use multiple assistive technology tools that often require accessible web design and apps to function properly.  It is obvious how web accessibility benefits users with disabilities, but what about businesses? What are the advantages of building accessible sites for your company? Keep reading, and you'll discover seven key benefits of making your website ADA-compliant.    Why do companies hesitate to invest in web accessibility?   A survey of around 500 U.S. business leaders and web designers shows the main reasons behind the reluctance of some companies to make a website accessible. Most of the respondents confessed they are worried about the financial investments and potentially high costs (73.6%), while 66.9% think optimizing their sites for accessibility will require too much time.  We are here to tell you that making your website accessible for people with disabilities doesn't require too many resources, will highly benefit the user experience, and most probably keep you away from web accessibility lawsuits.    7 Benefits of Making Your Website Accessible   1. Increased traffic on your site. There's a myth regarding accessible websites that says accessibility only benefits the visitors. However, by improving the user experience and making it accessible for anyone, you plant the seeds for: Higher traffic rates on your site Better user engagement Improved search engine optimization rankings Higher conversion rate   2. Lower risk of legal complications. As legal requirements regarding web accessibility are getting tougher, optimizing your site for people with disabilities becomes non-optional—unless you don't mind being prosecuted. Make sure your site meets specific accessibility guidelines and pay attention to the accessibility standards required by the industry that you're operating in.    3. Bigger customer base. Making your website accessible means addressing the needs of bigger social groups, and that, in the long term, could lead to you growing your customer base. By investing in accessible design, you can attract more visitors that are likely to engage with your brand on a long-term basis.   4.  A more innovative business mindset. Building accessible design for your website visitors challenges you to deal with unanticipated issues and thus puts your creativity at work.  The constraint of adapting your design so that it incorporates a whole set of accessibility features challenges you to... come up with innovative solutions—and to preserve that mindset for innovation in the long term. In the current dynamic digital landscape, staying creative and ready for innovation is key to keep up with the ever-changing trends.    5. Boosted SEO efforts.  You can improve your site's accessibility by adding ALT-text to images, writing clear content, or choosing a clutter-free page layout. All of these steps also mean good SEO practices.  So, by making your website more accessible, you're also making it more SEO-friendly. You probably already know the importance of investing in robust SEO strategies in today's digital landscape. It's all about how high you rank on SERPs and the level of visibility that your website is gaining.    6. Improved brand reputation.  Accessibility is also essential for your business as it helps grow your brand reputation. By ensuring your website's universal design grants equal rights and easy access to your content, you raise awareness and build a positive reputation around your business.  Today, having an inaccessible website is the digital equivalent of sticking a big KEEP OUT sign in front of your business.    7. Faster page loading time.  It has been proven that if you improve a page's level of accessibility, you boost its speed score. As modern internet users demand fast website experiences, you want to improve your page loading times to keep up with your visitors' needs. By implementing features designed for users with disabilities, you're making your site a better place for all users.    There are many ways in which you can promote accessibility on your website. For example, users that struggle with visual impairments benefit the most from screen readers to help them understand the content on a particular website. This is a way to make your website accessible for people with sight issues and offer some support in making their daily lives a bit easier.    Hopefully, this article sheds some light on the importance of web accessibility for your business and how building a universal design for your site can positively impact your brand.  For more insights on how Optasy can help you make your website more accessible, check out our Drupal Website Accessibility services.    Photo credit: Wirestock on freepik.       ... Read more
Raluca Olariu / Jul 12'2021
DrupalDrupal 8
6 Experts Talk About the Advantages of Using Drupal

6 Experts Talk About the Advantages of Using Drupal

  As the digital landscape is constantly evolving, there is increased pressure on web content management systems (CMSs) to keep pace with the needs of the modern consumer.  To meet these complex demands that revolve around highly personalized and interactive web experiences and streamlined connectivity between devices, companies require websites that can support these goals.  One of the most powerful enterprise-level CMS platforms, Drupal, can handle more complex projects and its capabilities, as the Drupal founder, Dries Buytaert, reveals, only get better with experience.    Why is Drupal web development the right choice?   There are multiple competitive advantages that organizations can reap from using Drupal to handle their online presence. How do you know if Drupal is the right choice for your next web development project? Check out this list of key features and capabilities that Drupal offers and see how they can fit in with your needs and demands.   Are you looking to highly customize your website and content? Drupal's widely-known customizing power allows you to adjust and edit over 16,000 plug-ins and modules. If you need a CMS that can support your web development projects by implementing additional custom features like CRM, security, or SEO, with a focus on customizability, then Drupal might be the best fit.   What do the experts say? Nick Wilde, a Full-stack developer (including DevOps) at North Studios, thoroughly recommends Drupal for companies looking to change and customize their digital approaches:  "I love a *lot* of the changes in Drupal 8 compared to 7 or 6, but most of them didn't really change the way I worked. I mean, sure, using slightly different hooks etc. - but that's not really any different than integrating with different modules to my mind at least. What really did change my way of working was the Configuration Management Initiative's work, and by changed I mean massively improved. Yes, some degree of custom integration is possible with Drupal 7 with hook_update_N() and/or the features module, but in Drupal 8, a solid reproducible, testable CI and deployment process is not just possible but easy. (Yes, I'm a smidge of a fanatic about DevOps and process, despite being primarily a developer). When doing complex back-end work, moving to an Object Oriented system has felt like coming home since I started programming with Python in an OOP code-base.”   Is flexibility important for your web development project? A major selling point of Drupal lies in its rich potential to build and manage a wide range of content types, whether it is a blog post, podcast, or any other custom content types. By enabling a flexible design platform, Drupal allows users to create and manage content-rich media or eCommerce sites.    What do the experts say? Alex Moreno, a software architect, based in London, is helping big companies with their Drupal and IoT projects and has revealed how he uses Drupal's flexible core capabilities to catch up with the ever-evolving technology transformations: “Although you could flex Drupal 7 to adapt to this changing environment, the real power and flexibility comes with having a Drupal 8 architecture, where this flexibility is already in the core. That has implications for performance, adaptability, simpler architecture of services around Drupal, etc.”   Are you considering scalability as an important asset for your web project? If so, Drupal is a winning choice. When accommodating content growth becomes a challenge, Drupal steps in with its tremendously scalable capabilities and supports your growth in an effortless manner.    What do the experts say? Drupal expert, Malabya Tewari, talks about how Drupal Modules can help build a responsive design and flexible user experiences: “When I started my career with Drupal 6 briefly and then moved on to Drupal 7, I really liked the abundance of modules Drupal 7 had. ‘There is a module for that’ was a common statement while building a feature. When I transitioned to Drupal 8 and when it was in its pre-release state, there were no contributed modules. Of course, views and entity reference were in core, but it lacked the huge pool of modules that Drupal 7 had. Instead, Drupal 8 had some great flexible and robust components which mostly worked for me. Even though there was a lot of learning to do, pretty soon I got the hang of it and found out that you don't need a module for that. That's how it changed my working approach with Drupal 8 because I can build a lot of great things without any contributed module.”   Do you need greater functionality around your site's translation capabilities? Drupal 8 supports 100 different languages for translation, and these multilingual features come with the installation interfaces. That means that you can build your multilingual Drupal website easier than ever before, at no additional costs.    What do the experts say? Penyaskito is a Drupal contributor and developer at Lingotek, who manages a cloud-based translation management system for their clients. He speaks highly of Drupal's multilingual capabilities: “Thanks to the Drupal 8 Multilingual Initiative, translation is not an afterthought in Core anymore. And thanks to the clean APIs that were designed with this in mind, we are able to improve every day functionalities for our clients in our integration with Drupal 8. While with other CMS we devote time constantly to integrate with contributed modules or alike, we can focus on new functionalities as this APIs make us compatible with most contrib modules out of the box without any extra effort on our side.”   Are you interested in building a content management framework based on API architectures? Drupal's caching modules support faster page loading, optimized bandwidth, and a robust web performance to meet the needs of the modern digital consumer. Whether used for content publishing or for optimizing the user interface, Drupal's 8 API-based architecture is a top upgrade compared to previous versions.    What do the experts say? Let's see what Dries Buytaert, the father of Drupal and CTO of Acquia, has to say about Drupal's web service APIs: “You want to enable your developers to easily deliver content to different devices, channels, and platforms. This means that the content needs to be available through APIs. This is aligned with Drupal 8's roadmap, where we are focused on web services capabilities. Through Drupal's web service APIs, developers can build freely in different front-end technologies, such as Angular, React, Ember, and Swift, as well as Java and .NET. For developers, accomplishing this without the maintenance burden of a full Drupal site or the complexity of configuring standard Drupal to be decoupled is key.”   If you are not yet sure about choosing Drupal for your next web development project, we are more than happy to help you with professional advice tailored to your needs and demands. Contact us and let's start your outstanding web development project. Also, you can check our Drupal Maintenance services as well.    Here's another quote from a Drupal expert, Nick Lewis, on how Drupal 8 is influencing the way he approaches his tasks:  “Drupal 8 is looking very interesting indeed, a big leap forwards from its previous versions. I’m busy working out how to get D8 modules up and running for a client project. Well I am working on a project right now for a large global fast food outlet (here in the UK), switching from one very popular CRM system into D8 as it will cut costs tremendously and not only that, recruitment will be easier given Drupal’s wide adoption in the community.”   Photo credit: Den Harrson on Unsplash.  ... Read more
Raluca Olariu / Jul 01'2021

Need a new Project?

Dare us to shape and boost your idea(s)!

Start a Project

(416) 243-2431

Contact

(416) 243-2431

Toronto Downtown

First Canadian Place,
100 King St. W. Suite 5700, Toronto

Toronto West

2275 Upper Middle
Rd. E, Suite 101
Toronto

New York

1177 Avenue of the
Americas, 5th Floor,
New York