10 Ways Drupal 8 Will Be More Secure

by Adrian Ababei on Oct 23 2015

Security is very hard to bolt on to any software or product after it has been built. Building it into the core of the code helps to avoid mistakes, and thus the upcoming release of Drupal 8 tries to build in more security by default, while still being usable for developers and site builders.

This list of 10 security improvements is not exhaustive - some are just a line or two to handle an edge case, and there are others I may have overlooked. I've contributed to a number of these improvements, but they reflect overall the community consensus as well as reactions to problems that required security releases for Drupal core or contributed modules in the past. For each point I've tried to include a link or two, such as the Drupal core change record, a documentation page, or a presentation that provides more information. Some of these may also be possible to back-port to Drupal 7, to benefit you even sooner. A "7.x back-port" link indicates that.

For context on why these 10 improvements are important, I looked at past security advisories (SAs) as well as considering the kind of questions we get here at Acquia from companies considering adopting Drupal. In terms of past SAs, cross-site scripting (XSS) is the most commonly found vulnerability in Drupal core and contributed modules and themes.

1. Twig templates used for html generation

This is probably first on the list of anyone you ask about Drupal 8 security. This is also one of the most popular features with themers.

One security gain from this is that it enforces much stricter separation of business logic and presentation – this makes it easier to validate 3rd party themes or delegate pure presentation work. You can't run SQL queries or access the Drupal API from Twig.

In addition, Drupal 8 enables Twig auto-escaping, which means that any string that has not been specifically flagged as safe will be escaped using the PHP function htmlspecialchars() (i.e. the same as Drupal 7 check_plain()). Auto-escaping of variables will prevent many XSS vulnerabilities that are accidentally introduced in custom site themes and custom and contributed modules. That fact is why I ranked this as number one. XSS is the most frequent security vulnerability found in Drupal code. We don't have a lot of hard data, but based on past site audits we generally assume that 90% of site-specific vulnerabilities are in the custom theme.


2. Removed PHP input filter and the use of PHP as a configuration import format

OK, maybe this should have been number one. Drupal 8 does not include the PHP input format in core. In addition to encouraging best practices (managing code in a revision control system like git), this means that Drupal no longer makes it trivial to escalate an administrator login to being able to execute arbitrary PHP code or shell commands on the server.

For Drupal 7, importing something like a View required importing executable PHP code, and for certain custom block visibility settings, etc. you would need to enter a PHP snippet. These uses of evaluated PHP (exposing possible code execution vulnerabilities) are all gone – see the next point about configuration management.

Now that we have covered the top two, the rest of the 10 are in rather arbitrary order.

3. Site configuration exportable, manageable as code, and versionable

The Configuration Management Initiative (CMI) transformed how Drupal 8 manages things that would have been represented in Drupal 7 as PHP code, such as Drupal variables or ctools exportables (e.g. exported Views).

CMI uses YAML as the export and import format, and the YAML files can be managed together with your code and checked into a revision control system (like git).

Why is this a security enhancement? Well, in addition to removing the use of PHP code as an import format (and hence a possible code execution vulnerability), tracking configuration in code makes it much easier to have an auditable history of configuration changes. This will make Drupal more appealing and suitable for enterprises that need strict controls on configuration changes in place. In addition, configuration can be fully tested in development and then exactly replicated to production at the same time as any corresponding code changes (avoiding mistakes during manual configuration).

Finally, it is possible to completely block configuration changes in production to force deployment of changes as code.


4. User content entry and filtering improved

While the integration of a WYSIWYG editor with Drupal core is a big usability improvement, extra care was taken to mitigate poor practices that adding a WYSIWYG editor encouraged in past Drupal versions. In particular, users with access to the editor were often granted access to the full HTML text format, which effectively allowed them to execute XSS attacks on any other site user.

To encourage the best practice of only allowing the use of the filtered HTML format, the Drupal 8 WYSIWYG editor configuration is integrated with the corresponding text filter. When a button is added to the active configuration, the corresponding HTML tag is added to the allowed list for the text filter.

Drag a new button from the available to enabled section in the editor configuration:

[Image: WYSIWYG editor configuration adding underline button]

The corresponding HTML tag (the U tag) is added to the allowed list:

[Image: U tag is allowed in the filter]

An additional security improvement is that the core text filtering supports limiting users to using only images local to the site, which helps prevent cross-site request forgery (CSRF) and other attacks or abuses using images.

5. Hardened user session and session ID handling

There are three distinct improvements to session and session cookie handling.

First, the security of session IDs has been greatly improved against exposure via database backups or SQL injection (7.x back-port). Previously in Drupal, the session ID was stored and checked directly against the incoming session cookie from the browser. The risk from this is that the value from the database can be used to populate the cookie in the browser and thus assume the session and identity of any user who has a valid session in the database. In Drupal 8, the ID is hashed before storage, which prevents the database value from being used to assume a user's session, but the incoming value from the cookie is simply hashed in order to verify it.

Next, mixed-mode SSL session support was added to core to support sites that, for example, used contributed modules to serve the login page over SSL while other pages were served unencrypted. You will have to replace the session handling service if you really need this. This encourages serving your entire site over SSL (which is also a search engine ranking boost).

The final change is that the leading “www.” is no longer stripped from the session cookie domain since that causes the session cookie to be sent to all subdomains (7.x back-port).
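The first of these improvements, hashing the session ID before storage, can be seen in a small model. This is an added example, not code from the original article or from Drupal core; the SessionTable class and hash_sid() helper are hypothetical names, and an in-memory array stands in for the sessions table.

```php
<?php
// Added illustration (not Drupal core code): an in-memory stand-in for the
// sessions table, storing either the raw session ID or only its hash.

/** URL-safe base64 of the SHA-256 digest of a session ID. */
function hash_sid(string $sid): string {
  $digest = hash('sha256', $sid, true);
  return rtrim(strtr(base64_encode($digest), '+/', '-_'), '=');
}

final class SessionTable {
  /** @var array<string,int> stored key => user ID (what a DB dump would expose) */
  public $rows = [];
  /** @var bool */
  private $hashIds;

  public function __construct(bool $hashIds) {
    $this->hashIds = $hashIds;
  }

  /** Returns the value written to, and looked up in, the table. */
  private function key(string $sid): string {
    return $this->hashIds ? hash_sid($sid) : $sid;
  }

  /** Starts a session for $uid and returns the cookie value sent to the browser. */
  public function create(int $uid): string {
    $sid = bin2hex(random_bytes(32));
    $this->rows[$this->key($sid)] = $uid;
    return $sid;
  }

  /** Maps an incoming cookie value to a user ID, or null if no session matches. */
  public function lookup(string $cookie): ?int {
    return $this->rows[$this->key($cookie)] ?? null;
  }
}

foreach (['plain storage' => false, 'hashed storage' => true] as $label => $hash) {
  $table = new SessionTable($hash);
  $cookie = $table->create(1);
  // Constructed scenario: the stored column value becomes known through a
  // database backup and is presented back to the site as a cookie.
  $stored = (string) array_key_first($table->rows);
  printf("%s: real cookie -> %s, stored value as cookie -> %s\n",
    $label,
    var_export($table->lookup($cookie), true),
    var_export($table->lookup($stored), true));
}
```

With hashed storage the stored value no longer resolves to a session, because the site hashes whatever arrives in the cookie before looking it up.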

6. Automated CSRF token protection in route definitions

Links (GET requests) that cause some destructive action or configuration change need to be protected from CSRF, usually with a user-specific token in the query string that is checked before carrying out the action. 

This change improves the developer experience and security by automating a process frequently forgotten or done incorrectly in contributed modules. In addition, centralizing the code makes it easier to audit and provide test coverage. Drupal 8 makes it easy. A developer merely needs to specify that a route (a system path in Drupal 7 terms) requires a CSRF token. Here is an example of the YAML route definition for a protected link in Drupal 8.

    entity.shortcut.link_delete_inline:
      path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'
      defaults:
        _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline'
      requirements:
        _entity_access: 'shortcut.delete'
        _csrf_token: 'TRUE'

Only the one line in the requirements: section needs to be added to protect shortcut deletion from CSRF.
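What a centralized check for a route flagged with _csrf_token has to do can be sketched as follows. This is an added example of the general technique, not Drupal's own implementation and not code from the original article; the function names, the token query key, the site secret and the shortcut IDs are assumptions made for the illustration.

```php
<?php
// Added illustration of the general technique, not Drupal's implementation.
// Function names, the 'token' query key and the sample keys are assumptions.

/** Derives a token from the path, keyed by a per-session seed and a site secret. */
function csrf_token(string $seed, string $siteKey, string $path): string {
  return hash_hmac('sha256', $path, $seed . $siteKey);
}

/** Access check a router could run before dispatching to the controller. */
function check_access(array $route, string $seed, string $siteKey,
                      string $path, array $query): bool {
  if (($route['requirements']['_csrf_token'] ?? '') !== 'TRUE') {
    return true; // Route is not flagged, nothing to verify.
  }
  $given = $query['token'] ?? '';
  // hash_equals() compares in constant time; reject non-string input first.
  return is_string($given)
    && hash_equals(csrf_token($seed, $siteKey, $path), $given);
}

// Requirements copied from the route definition shown in the article.
$route = ['requirements' => [
  '_entity_access' => 'shortcut.delete',
  '_csrf_token' => 'TRUE',
]];

// Constructed sample values.
$siteKey = 'constructed-site-secret';
$alice = bin2hex(random_bytes(16)); // seed stored in Alice's session
$bob = bin2hex(random_bytes(16));   // seed stored in another user's session
$path = '/admin/config/user-interface/shortcut/link/7/delete-inline';
$other = '/admin/config/user-interface/shortcut/link/8/delete-inline';

// Every request below arrives with Alice's session cookie.
$cases = [
  'link rendered for Alice' => ['token' => csrf_token($alice, $siteKey, $path)],
  'same path, no token' => [],
  'token from another session' => ['token' => csrf_token($bob, $siteKey, $path)],
  'token issued for another path' => ['token' => csrf_token($alice, $siteKey, $other)],
  'token sent as an array' => ['token' => ['x']],
];

foreach ($cases as $name => $query) {
  printf("%-32s %s\n", $name,
    check_access($route, $alice, $siteKey, $path, $query) ? 'allowed' : '403 Forbidden');
}
```

Only the link rendered inside the user's own session for that exact path passes, which is why a link planted on another site cannot trigger the deletion.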

7. Trusted host patterns enforced for requests

Many Drupal sites will respond to a page request using an arbitrary host header sent to the correct IP address. This can lead to cache poisoning, bogus site emails, bogus password recovery links, and other problems with security implications. For earlier versions of Drupal, it can be a challenge to correctly configure the webserver for a single site that uses sites/default as its site directory to prevent these host header spoofing attacks. Drupal 8 ships with a simple facility to configure expected host patterns in settings.php and warns you in the site status report if it's not configured.
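The setting in question is `$settings['trusted_host_patterns']` in settings.php. The following added example (not from the original article or from Drupal) shows an anchored configuration beside two common mistakes; the host_is_trusted() helper is hypothetical and assumes each pattern is applied to the Host header as a case-insensitive regular expression, and all host names are constructed.

```php
<?php
// Added illustration, not Drupal code. Assumes each pattern is applied to the
// Host header as a case-insensitive regular expression.

$settings = [];

// settings.php: anchored at both ends, literal dots escaped.
$settings['trusted_host_patterns'] = [
  '^example\.com$',
  '^www\.example\.com$',
];

// Weak variants for comparison: the first is unanchored, the second leaves
// the dots unescaped so each one matches any character.
$weak_patterns = [
  'example\.com',
  '^www.example.com$',
];

/** Hypothetical helper: true if any pattern matches the host name. */
function host_is_trusted(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return true;
    }
  }
  return false;
}

// Constructed Host header values.
$hosts = [
  'www.example.com',
  'WWW.Example.com',
  'www.example.com.other-site.test',
  'wwwXexample.com',
  'other-site.test',
];

printf("%-34s %-8s %s\n", 'Host header', 'strict', 'weak');
foreach ($hosts as $host) {
  printf("%-34s %-8s %s\n", $host,
    host_is_trusted($host, $settings['trusted_host_patterns']) ? 'accept' : 'reject',
    host_is_trusted($host, $weak_patterns) ? 'accept' : 'reject');
}
```

The weak patterns accept the third and fourth hosts, so anchoring with ^ and $ and escaping every dot is what makes the check meaningful.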

8. PDO MySQL limited to executing single statements

If available, Drupal 8 will set a flag that limits PHP to sending only a single SQL statement at a time when using MySQL. This change would have reduced the severity of SA-CORE-2014-005 (a SQL injection vulnerability that was easily exploited by anonymous users) (7.x back-port). Getting this change into Drupal 8 meant I first had to contribute a small upstream change to the PHP language itself, and to the PDO MySQL library that is available in PHP versions 5.5.21 or 5.6.5 and greater. There is also a patch in progress to try to enforce this protection regardless of which specific database driver is being used.

9. Clickjacking protection enabled by default

A small change, but Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. This header is respected by most browsers and prevents the site from being served inside an iframe on another domain. This blocks so-called click-jacking attacks (e.g. forms or links on the site being presented in a disguised fashion on an attacker's site inside an iframe), as well as blocking the unauthorized re-use of site content via iframes. (7.x back-port).

10. Core JavaScript API Compatible with CSP

Support for inline JavaScript was removed from the #attached property in the Drupal render API. In addition, the Drupal JavaScript settings variables are now added to the page as JSON data and loaded into a variable instead of being rendered as inline JavaScript. This was the last use of inline JavaScript by Drupal 8 core, and means that site builders can much more easily enable a strict content security policy (CSP) – a new web standard for communicating per-site restrictions to browsers and mitigating XSS and other vulnerabilities.

A final note of caution: The substantial code reorganization and refactoring in Drupal 8 as well as the dependence on third party PHP components does present a certain added risk. The code reorganization may have introduced bugs that were missed by the existing core tests. The third party components themselves may have security vulnerabilities that affect Drupal, and at the very least, we need to track and stay up to date with them and fix our integration for any corresponding API changes. In order to try to mitigate the risk, the Drupal Association has been conducting the first Drupal security bug bounty that has been run for any version of Drupal core. This has uncovered several security bugs and means they will be fixed before Drupal 8 is released.
- Source: https://goo.gl/i2CCxj

Silviu Serdaru / Mar 25'2020