
10 Ways Drupal 8 Will Be More Secure


by Adrian Ababei on Oct 23 2015

Security is very hard to bolt on to any software or product after it has been built. Building it into the core of the code helps to avoid mistakes, and thus the upcoming release of Drupal 8 tries to build in more security by default, while still being usable for developers and site builders. This list of 10 security improvements is not exhaustive: some are just a line or two to handle an edge case, and there are others I may have overlooked. I've contributed to a number of these improvements, but overall they reflect the community consensus as well as reactions to problems that required security releases for Drupal core or contributed modules in the past. For each point I've tried to include a link or two, such as the Drupal core change record, a documentation page, or a presentation that provides more information. Some of these may also be possible to back-port to Drupal 7, to benefit you even sooner. A "7.x back-port" link indicates that.

For context on why these 10 improvements are important, I looked at past security advisories (SAs) as well as considering the kind of questions we get here at Acquia from companies considering adopting Drupal. In terms of past SAs, cross-site scripting (XSS) is the most commonly found vulnerability in Drupal core and contributed modules and themes.

1. Twig templates used for html generation

This is probably first on the list of anyone you ask about Drupal 8 security. This is also one of the most popular features with themers.

One security gain from this is that it enforces much stricter separation of business logic and presentation, which makes it easier to validate third-party themes or delegate pure presentation work. You can't run SQL queries or access the Drupal API from Twig.

In addition, Drupal 8 enables Twig auto-escaping, which means that any string that has not been specifically flagged as safe will be escaped using the PHP function htmlspecialchars() (i.e. the same as Drupal 7's check_plain()). Auto-escaping of variables will prevent many XSS vulnerabilities that are accidentally introduced in custom site themes and in custom and contributed modules. That fact is why I ranked this as number one: XSS is the most frequent security vulnerability found in Drupal code. We don't have a lot of hard data, but based on past site audits we generally assume that 90% of site-specific vulnerabilities are in the custom theme.
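As an added illustration (this is example code, not from the article or from Drupal core), the two render functions below show the difference between the Drupal 7 habit of dropping a variable straight into markup and what Twig's auto-escaping does for every variable not marked safe. The comment body is a constructed sample input.

```php
<?php
// Added example, not Drupal's own code. $comment is a constructed sample of
// user-supplied content that a theme might print into a page.
$comment = '<script>alert(document.cookie)</script>Nice post!';

// Vulnerable: the string is concatenated into the HTML unchanged, so the
// script element it contains runs in every reader's browser (stored XSS).
function render_raw(string $body): string {
    return '<div class="comment">' . $body . '</div>';
}

// Hardened: escape with the same flags Drupal 7's check_plain() used. This is
// what Twig's default 'html' autoescape strategy applies to each variable,
// so a Drupal 8 template gets this behaviour without any call in the theme.
function render_escaped(string $body): string {
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="comment">' . $safe . '</div>';
}

// The raw version keeps the <script> tag; the escaped version turns every
// '<', '>', '&' and quote into an entity so the browser displays it as text.
echo render_raw($comment), PHP_EOL;
echo render_escaped($comment), PHP_EOL;
```

The flags matter: ENT_QUOTES also escapes single quotes, which is needed when a value lands inside a single-quoted attribute, and passing the charset explicitly keeps the escaping correct for multibyte input.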


2. Removed PHP input filter and the use of PHP as a configuration import format

OK, maybe this should have been number one. Drupal 8 does not include the PHP input format in core. In addition to encouraging best practices (managing code in a revision control system like git), this means that Drupal no longer makes it trivial to escalate an administrator login into the ability to execute arbitrary PHP code or shell commands on the server.

For Drupal 7, importing something like a View required importing executable PHP code, and for certain custom block visibility settings, etc., you would need to enter a PHP snippet. These uses of evaluated PHP (exposing possible code execution vulnerabilities) are all gone; see the next point about configuration management.

Now that we have covered the top two, the rest of the 10 are in rather arbitrary order.

3. Site configuration exportable, manageable as code, and versionable

The Configuration Management Initiative (CMI) transformed how Drupal 8 manages things that would have been represented in Drupal 7 as PHP code, such as Drupal variables or ctools exportables (e.g. exported Views).

CMI uses YAML as the export and import format, and the YAML files can be managed together with your code and checked into a revision control system (like git).

Why is this a security enhancement? Well, in addition to removing the use of PHP code as an import format (and hence a possible code execution vulnerability), tracking configuration in code makes it much easier to have an auditable history of configuration changes. This will make Drupal more appealing and suitable for enterprises that need strict controls on configuration changes in place. In addition, configuration can be fully tested in development and then exactly replicated to production at the same time as any corresponding code changes (avoiding mistakes during manual configuration).

Finally, it is possible to completely block configuration changes in production to force deployment of changes as code.


4. User content entry and filtering improved

While the integration of a WYSIWYG editor with Drupal core is a big usability improvement, extra care was taken to mitigate poor practices that adding a WYSIWYG editor encouraged in past Drupal versions. In particular, users with access to the editor were often granted access to the full HTML text format, which effectively allowed them to execute XSS attacks on any other site user.

To encourage the best practice of only allowing the use of the filtered HTML format, the Drupal 8 WYSIWYG editor configuration is integrated with the corresponding text filter. When a button is added to the active configuration, the corresponding HTML tag is added to the allowed list for the text filter. Drag a new button from the available to the enabled section in the editor configuration:

[Figure: WYSIWYG editor configuration, adding the underline button]

The corresponding HTML tag (the U tag) is added to the allowed list:

[Figure: the U tag is allowed in the filter]

An additional security improvement is that the core text filtering supports limiting users to using only images local to the site, which helps prevent cross-site request forgery (CSRF) and other attacks or abuses using images.

5. Hardened user session and session ID handling

There are three distinct improvements to session and session cookie handling. First, the security of session IDs has been greatly improved against exposure via database backups or SQL injection (7.x back-port). Previously in Drupal, the session ID was stored and checked directly against the incoming session cookie from the browser. The risk from this is that the value from the database can be used to populate the cookie in the browser and thus assume the session and identity of any user who has a valid session in the database. In Drupal 8, the ID is hashed before storage, which prevents the database value from being used to assume a user's session; the incoming value from the cookie is simply hashed in order to verify it.

Next, mixed-mode SSL session support was removed from core. It existed to support sites that, for example, used contributed modules to serve the login page over SSL while serving other pages unencrypted. You will have to replace the session handling service if you really need this. This encourages serving your entire site over SSL (which is also a search engine ranking boost).

The final change is that the leading "www." is no longer stripped from the session cookie domain, since that causes the session cookie to be sent to all subdomains (7.x back-port).
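The storage scheme from the first and third points above, written out as an added example (this is not Drupal's own session handler, which uses its own hashing helper): the browser holds the raw session ID, the database holds only its hash, and the cookie domain keeps the full host. The sessions table, the user ID and the host name are constructed, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example, not Drupal core's code. The table is constructed for the demo.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sessions (sid_hash TEXT PRIMARY KEY, uid INTEGER NOT NULL)');

function hash_sid(string $sid): string {
    // A plain one-way hash is enough: the ID itself carries 256 bits of
    // randomness, so there is nothing for an attacker to brute-force.
    return hash('sha256', $sid);
}

// Log a user in: generate the ID, store only its hash, and return the raw ID
// so the caller can set it as the session cookie.
function issue_session(PDO $db, int $uid): string {
    $sid = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $db->prepare('INSERT INTO sessions (sid_hash, uid) VALUES (?, ?)')
       ->execute([hash_sid($sid), $uid]);
    return $sid;
}

// Resolve an incoming cookie: hash it and look the hash up. Nothing stored in
// the table is ever compared to the cookie directly.
function lookup_session(PDO $db, string $cookie): ?int {
    $stmt = $db->prepare('SELECT uid FROM sessions WHERE sid_hash = ?');
    $stmt->execute([hash_sid($cookie)]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// The legitimate browser presents the raw ID and is resolved to its user.
$cookie = issue_session($db, 7);
var_dump(lookup_session($db, $cookie));

// Someone holding a copy of the table (backup, SQL injection) has only the
// hash. Presenting it as a cookie hashes it again, which matches nothing.
$leaked = $db->query('SELECT sid_hash FROM sessions')->fetchColumn();
var_dump(lookup_session($db, $leaked));

// Cookie domain (third point): keep the full host rather than stripping
// "www.", so the cookie is not offered to every sibling subdomain. The
// secure and httponly flags keep it off plain HTTP and away from script.
session_set_cookie_params(0, '/', 'www.example.com', true, true);
```

The lookup is a plain equality on the hash column, so no timing-safe comparison is needed on the PHP side; the hash only has to be one-way.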

6. Automated CSRF token protection in route definitions

Links (GET requests) that cause some destructive action or configuration change need to be protected from CSRF, usually with a user-specific token in the query string that is checked before carrying out the action.

This change improves the developer experience and security by automating a process frequently forgotten or done incorrectly in contributed modules. In addition, centralizing the code makes it easier to audit and provide test coverage. Drupal 8 makes it easy: a developer merely needs to specify that a route (a system path in Drupal 7 terms) requires a CSRF token. Here is an example of the YAML route definition for a protected link in Drupal 8:

```yaml
entity.shortcut.link_delete_inline:
  path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'
  defaults:
    _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline'
  requirements:
    _entity_access: 'shortcut.delete'
    _csrf_token: 'TRUE'
```

Only the one line in the requirements: section (_csrf_token: 'TRUE') needs to be added to protect shortcut deletion from CSRF.
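What the _csrf_token requirement does behind the scenes, as an added example (this is a simplified stand-in, not Drupal's own CsrfTokenGenerator): the token is an HMAC over the route path, keyed with a per-session random seed and a site secret, so it is bound to this user, this site and this specific link, and it is checked before the destructive action runs. The site key and the shortcut path are constructed for the example.

```php
<?php
// Added example, not Drupal core's code. $site_key is a constructed placeholder;
// a real site keeps such a secret outside the web root and never in code.
session_start();
$site_key = 'constructed-site-secret-placeholder';

// A random seed created once per session, so tokens from one user's session
// are useless in another's.
function csrf_seed(): string {
    if (empty($_SESSION['csrf_seed'])) {
        $_SESSION['csrf_seed'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_seed'];
}

// The token for one route path. Using the path as the HMAC message means a
// token minted for /delete-inline on one shortcut does not validate for another.
function csrf_token(string $path, string $site_key): string {
    return hash_hmac('sha256', $path, csrf_seed() . $site_key);
}

// Constant-time comparison, so a mismatch does not leak how many leading
// characters were right.
function csrf_validate(string $token, string $path, string $site_key): bool {
    return hash_equals(csrf_token($path, $site_key), $token);
}

// Building the link (what the route's link generator does for the page):
$path = '/admin/config/user-interface/shortcut/link/42/delete-inline';
$url  = $path . '?token=' . urlencode(csrf_token($path, $site_key));
echo $url, PHP_EOL;

// Handling the request (what the route requirement does before the controller
// runs): a missing or wrong token is refused with 403 and nothing is deleted.
$incoming = $_GET['token'] ?? '';
if (!csrf_validate($incoming, $path, $site_key)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
// ... only here does the controller delete the shortcut.
```

Because the check runs in the routing layer rather than in each controller, it cannot be forgotten on one link and remembered on another, which is the audit benefit the article points out.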

7. Trusted host patterns enforced for requests

Many Drupal sites will respond to a page request using an arbitrary host header sent to the correct IP address. This can lead to cache poisoning, bogus site emails, bogus password recovery links, and other problems with security implications. For earlier versions of Drupal, it can be a challenge to correctly configure the webserver for a single site that uses sites/default as its site directory to prevent these host header spoofing attacks. Drupal 8 ships with a simple facility to configure expected host patterns in settings.php and warns you in the site status report if it's not configured.
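The settings.php key the article refers to is shown below together with an added stand-alone check that mirrors what it does (the check is example code, not Drupal's request validation, which delegates to Symfony's trusted-host matching). The host names are constructed; the patterns are anchored regular expressions matched case-insensitively against the Host header, and a request whose host matches none of them is refused rather than served.

```php
<?php
// settings.php, Drupal 8: each entry is a regular expression matched against
// the incoming Host header. Leaving this unset triggers the status-report warning.
$settings['trusted_host_patterns'] = [
    '^www\.example\.com$',
    '^example\.com$',
    '^.+\.example\.com$',   // any subdomain; drop this for a single-host site
];

// Added example, not Drupal's own code: the same decision as a plain function.
function host_is_trusted(string $host, array $patterns): bool {
    // Drop a port suffix and normalise case before matching.
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    foreach ($patterns as $pattern) {
        // Brace delimiters and the i flag mirror how the patterns are applied.
        if (preg_match('{' . $pattern . '}i', $host)) {
            return true;
        }
    }
    return false;
}

// Constructed Host header values: the first three belong to the site, the
// fourth is a look-alike on another domain, the fifth is unrelated.
$hosts = ['www.example.com', 'example.com:8443', 'Shop.Example.COM',
          'example.com.evil.net', 'evil.net'];
foreach ($hosts as $host) {
    printf("%-22s %s\n", $host,
        host_is_trusted($host, $settings['trusted_host_patterns']) ? 'trusted' : 'rejected');
}
```

Rejecting the request is what stops the harm: password-reset e-mails, canonical links and cached pages are all built from the host the application believes it is serving, so a Host header it never validates ends up in content it sends to real users.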

8. PDO MySQL limited to executing single statements

If available, Drupal 8 will set a flag that limits PHP to sending only a single SQL statement at a time when using MySQL. This change would have reduced the severity of SA-CORE-2014-005 (a SQL injection vulnerability that was easily exploited by anonymous users) (7.x back-port). Getting this change into Drupal 8 meant I first had to contribute a small upstream change to the PHP language itself, to the PDO MySQL library; it is available in PHP versions 5.5.21 or 5.6.5 and greater. There is also a patch in progress to try to enforce this protection regardless of which specific database driver is being used.

9. Clickjacking protection enabled by default

A small change, but Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. This header is respected by most browsers and prevents the site from being served inside an iframe on another domain. This blocks so-called click-jacking attacks (e.g. forms or links on the site being presented in a disguised fashion on an attacker's site inside an iframe), as well as blocking the unauthorized re-use of site content via iframes. (7.x back-port).

10. Core JavaScript API Compatible with CSP

Support for inline JavaScript was removed from the #attached property in the Drupal render API. In addition, the Drupal JavaScript settings variables are now added to the page as JSON data and loaded into a variable instead of being rendered as inline JavaScript. This was the last use of inline JavaScript by Drupal 8 core, and means that site builders can much more easily enable a strict content security policy (CSP), a new web standard for communicating per-site restrictions to browsers and mitigating XSS and other vulnerabilities.

A final note of caution: the substantial code reorganization and refactoring in Drupal 8, as well as the dependence on third-party PHP components, does present a certain added risk. The code reorganization may have introduced bugs that were missed by the existing core tests. The third-party components themselves may have security vulnerabilities that affect Drupal, and at the very least we need to track and stay up to date with them and fix our integration for any corresponding API changes. In order to try to mitigate the risk, the Drupal Association has been conducting the first Drupal security bug bounty that has been run for any version of Drupal core. This has uncovered several security bugs and means they will be fixed before Drupal 8 is released.
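Points 9 and 10 together, as an added example (this is not Drupal core's response code): the two response headers, and the JSON-data pattern that makes a strict CSP possible because nothing on the page is inline script. The settings array is constructed; the script element's type and data-drupal-selector attribute match the markup Drupal 8 emits and that core's settings loader reads.

```php
<?php
// Added example, not Drupal core's code. $settings contents are constructed.

// Point 9: refuse to be rendered inside a frame on another origin.
header('X-Frame-Options: SAMEORIGIN');

// Point 10: a strict policy. script-src 'self' forbids every inline script,
// which only works because settings are no longer injected as one.
// frame-ancestors is the CSP counterpart of X-Frame-Options for newer browsers.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; frame-ancestors 'self'");

$settings = [
    'path' => ['baseUrl' => '/', 'currentPath' => 'node/1'],
    'user' => ['uid' => 0],
];

// Settings travel as data, not code. The JSON_HEX_* flags encode '<', '>',
// '&' and quotes as \uXXXX escapes, so a settings value containing the text
// "</script>" cannot terminate the element early and start a script of its own.
$json = json_encode($settings, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

// A type="application/json" block is inert to the browser; CSP does not apply
// to it because it is never executed. Core's loader script (served from the
// site's own origin, so allowed by script-src 'self') parses it into drupalSettings.
echo '<script type="application/json" data-drupal-selector="drupal-settings-json">'
   . $json . "</script>\n";
echo '<script src="/core/misc/drupalSettingsLoader.js"></script>' . "\n";
```

Had the settings been emitted as `<script>var drupalSettings = {...}</script>`, the script-src 'self' directive would block them on every page, which is exactly why removing the last inline script from core is what unlocks the policy.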

- Source: https://goo.gl/i2CCxj

