10 Ways Drupal 8 Will Be More Secure

by Adrian Ababei on Oct 23 2015

Security is very hard to bolt on to any software or product after it has been built. Building it into the core of the code helps to avoid mistakes, and thus the upcoming release of Drupal 8 tries to build in more security by default, while still being usable for developers and site builders. This list of 10 security improvements is not exhaustive - some are just a line or two to handle an edge case, and there are others I may have overlooked. I've contributed to a number of these improvements, but they reflect overall the community consensus as well as reactions to problems that required security releases for Drupal core or contributed modules in the past. For each point I've tried to include a link or two, such as the Drupal core change record, a documentation page, or a presentation that provides more information. Some of these may also be possible to back-port to Drupal 7, to benefit you even sooner. A "7.x back-port" link indicates that. For context on why these 10 improvements are important, I looked at past security advisories (SAs) as well as considering the kind of questions we get here at Acquia from companies considering adopting Drupal. In terms of past SAs, cross-site scripting (XSS) is the most commonly found vulnerability in Drupal core and contributed modules and themes.

1. Twig templates used for HTML generation

This is probably first on the list of anyone you ask about Drupal 8 security. This is also one of the most popular features with themers.

One security gain from this is that it enforces much stricter separation of business logic and presentation, which makes it easier to validate third-party themes or to delegate pure presentation work. You can't run SQL queries or access the Drupal API from Twig.

In addition, Drupal 8 enables Twig auto-escaping, which means that any string that has not been specifically flagged as safe will be escaped using the PHP function htmlspecialchars() (equivalent to Drupal 7's check_plain()). Auto-escaping of variables will prevent many XSS vulnerabilities that are accidentally introduced in custom site themes and in custom and contributed modules. That is why I ranked this as number one: XSS is the most frequent security vulnerability found in Drupal code. We don't have a lot of hard data, but based on past site audits we generally assume that 90% of site-specific vulnerabilities are in the custom theme.


2. Removed PHP input filter and the use of PHP as a configuration import format

OK, maybe this should have been number one. Drupal 8 does not include the PHP input format in core. In addition to encouraging best practices (managing code in a revision control system like git), this means that Drupal no longer makes it trivial to escalate an administrator login into the ability to execute arbitrary PHP code or shell commands on the server.

For Drupal 7, importing something like a View required importing executable PHP code, and for certain custom block visibility settings, etc., you would need to enter a PHP snippet. These uses of evaluated PHP (exposing possible code execution vulnerabilities) are all gone; see the next point about configuration management.

Now that we have covered the top two, the rest of the 10 are in rather arbitrary order.

3. Site configuration exportable, manageable as code, and versionable

The Configuration Management Initiative (CMI) transformed how Drupal 8 manages things that would have been represented in Drupal 7 as PHP code, such as Drupal variables or ctools exportables (e.g. exported Views).

CMI uses YAML as the export and import format, and the YAML files can be managed together with your code and checked into a revision control system (like git).

Why is this a security enhancement? Well, in addition to removing the use of PHP code as an import format (and hence a possible code execution vulnerability), tracking configuration in code makes it much easier to have an auditable history of configuration changes. This will make Drupal more appealing and suitable for enterprises that need strict controls on configuration changes in place. In addition, configuration can be fully tested in development and then exactly replicated to production at the same time as any corresponding code changes (avoiding mistakes during manual configuration).

Finally, it is possible to completely block configuration changes in production to force deployment of changes as code.


4. User content entry and filtering improved

While the integration of a WYSIWYG editor with Drupal core is a big usability improvement, extra care was taken to mitigate the poor practices that adding a WYSIWYG editor encouraged in past Drupal versions. In particular, users with access to the editor were often granted access to the Full HTML text format, which effectively allowed them to execute XSS attacks on any other site user.

To encourage the best practice of only allowing the use of the filtered HTML format, the Drupal 8 WYSIWYG editor configuration is integrated with the corresponding text filter. When a button is added to the active configuration, the corresponding HTML tag is added to the allowed list for the text filter.

Drag a new button from the available to the enabled section in the editor configuration (screenshot: WYSIWYG editor configuration, adding the underline button). The corresponding HTML tag (the U tag) is added to the allowed list (screenshot: the U tag is allowed in the filter).

An additional security improvement is that the core text filtering supports limiting users to images local to the site, which helps prevent cross-site request forgery (CSRF) and other attacks or abuses using images.

5. Hardened user session and session ID handling

There are three distinct improvements to session and session cookie handling. First, the security of session IDs has been greatly improved against exposure via database backups or SQL injection (7.x back-port). Previously in Drupal, the session ID was stored and checked directly against the incoming session cookie from the browser. The risk is that the value from the database can be used to populate the cookie in the browser and thus assume the session and identity of any user who has a valid session in the database. In Drupal 8, the ID is hashed before storage, which prevents the database value from being used to assume a user's session, while the incoming cookie value is simply hashed in order to verify it.

Next, mixed-mode SSL session support, which had been added to core to support sites that, for example, used contributed modules to serve the login page over SSL while other pages were unencrypted, has been removed. You will have to replace the session handling service if you really need this. This encourages serving your entire site over SSL (which is also a search engine ranking boost).

The final change is that the leading “www.” is no longer stripped from the session cookie domain, since that causes the session cookie to be sent to all subdomains (7.x back-port).
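The hashed-storage scheme from the first point above, as an added plain-PHP model that is not Drupal core code: the browser keeps the raw session ID, the server stores only a hash, and a value lifted from the stored table cannot be replayed as a cookie. The function names and the in-memory table are hypothetical; Drupal 8 itself uses Crypt::hashBase64() where this uses SHA-256.

```php
<?php
// Added example (not Drupal core code): minimal model of Drupal 8's hashed
// session-ID storage. Names (startSession, lookupSession) are hypothetical.

declare(strict_types=1);

/** One-way hash applied before a session ID is written to storage. */
function hashSessionId(string $sid): string
{
    // Drupal 8 uses Crypt::hashBase64(); SHA-256 serves the same purpose
    // here: the stored value does not reveal the cookie value.
    return hash('sha256', $sid);
}

/**
 * Start a session for $uid. The raw ID is returned for the Set-Cookie
 * header; only its hash becomes the key in the session table.
 */
function startSession(array &$table, int $uid): string
{
    // URL-safe random ID, like a browser would hold in the session cookie.
    $sid = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $table[hashSessionId($sid)] = $uid;
    return $sid;
}

/**
 * Resolve an incoming cookie value to a user ID, or null when unknown.
 * The cookie is hashed and looked up; the stored hash itself never needs
 * to be compared against anything the client sends in the clear.
 */
function lookupSession(array $table, string $cookieSid): ?int
{
    return $table[hashSessionId($cookieSid)] ?? null;
}

/** Two checks: the real cookie works, the leaked stored value does not. */
function demonstrate(): array
{
    $table = [];                      // stand-in for the {sessions} table
    $cookie = startSession($table, 42);

    // Scenario from the text: the stored value is exposed through a backup
    // or SQL injection and pasted into a cookie. Because the server hashes
    // whatever arrives, the hash-of-a-hash matches no stored row.
    $leakedStoredValue = array_keys($table)[0];

    return [
        'browser cookie authenticates as uid 42' =>
            lookupSession($table, $cookie) === 42,
        'leaked stored value is rejected' =>
            lookupSession($table, $leakedStoredValue) === null,
    ];
}

foreach (demonstrate() as $check => $holds) {
    printf("%-40s %s\n", $check, $holds ? 'yes' : 'NO');
}
```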

6. Automated CSRF token protection in route definitions

Links (GET requests) that cause some destructive action or configuration change need to be protected from CSRF, usually with a user-specific token in the query string that is checked before carrying out the action.

This change improves the developer experience and security by automating a process that is frequently forgotten or done incorrectly in contributed modules. In addition, centralizing the code makes it easier to audit and to provide test coverage. Drupal 8 makes it easy: a developer merely needs to specify that a route (a system path, in Drupal 7 terms) requires a CSRF token. Here is an example of the YAML route definition for a protected link in Drupal 8's Shortcut module:

    entity.shortcut.link_delete_inline:
      path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'
      defaults:
        _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline'
      requirements:
        _entity_access: 'shortcut.delete'
        _csrf_token: 'TRUE'

Only the one line in the requirements: section needs to be added to protect shortcut deletion from CSRF.
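What the _csrf_token requirement enforces, as an added plain-PHP model that is not Drupal core code: the token is an HMAC bound to the session and to the route path, and the request is refused unless its token query parameter matches. The secret, seeds and function names (makeToken, checkRequest) are constructed for this example; Drupal's real generator also mixes in the site hash salt.

```php
<?php
// Added example (not Drupal core code): model of the check performed for a
// route that declares `_csrf_token: 'TRUE'`. Names here are hypothetical.

declare(strict_types=1);

// Path of the protected shortcut-deletion route, with the {shortcut}
// placeholder filled in for one item (constructed value).
const ROUTE_PATH = '/admin/config/user-interface/shortcut/link/7/delete-inline';

/** Site-wide secret; Drupal keeps an equivalent private key in state. */
function sitePrivateKey(): string
{
    return 'constructed-site-private-key-for-this-example';
}

/** Token for one session and one path: URL-safe HMAC over the path. */
function makeToken(string $sessionSeed, string $path): string
{
    $raw = hash_hmac('sha256', $path, $sessionSeed . sitePrivateKey(), true);
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/**
 * Access check for a GET request to a protected route. Passes only when
 * the query carries a token that was made for this session and this path.
 */
function checkRequest(string $sessionSeed, string $path, array $query): bool
{
    if (!isset($query['token']) || !is_string($query['token'])) {
        return false;                       // no token at all: refuse
    }
    // hash_equals() compares in constant time.
    return hash_equals(makeToken($sessionSeed, $path), $query['token']);
}

/** Walk through the cases the route requirement is meant to separate. */
function demonstrate(): array
{
    $victimSeed   = bin2hex(random_bytes(16));   // per-session random seed
    $attackerSeed = bin2hex(random_bytes(16));   // a different session

    // 1. The link Drupal renders for the logged-in user carries its token.
    $link = ROUTE_PATH . '?token=' . makeToken($victimSeed, ROUTE_PATH);
    parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

    // 4. A token minted for one path is presented against another path.
    $otherPath = '/admin/config/user-interface/shortcut/link/8/delete-inline';

    return [
        'own link with its token is accepted' =>
            checkRequest($victimSeed, ROUTE_PATH, $query) === true,
        // 2. A cross-site link cannot include a token for someone else's session.
        'link without a token is refused' =>
            checkRequest($victimSeed, ROUTE_PATH, []) === false,
        // 3. A token from another session does not carry over.
        'token from a different session is refused' =>
            checkRequest($victimSeed, ROUTE_PATH,
                ['token' => makeToken($attackerSeed, ROUTE_PATH)]) === false,
        'token reused for a different path is refused' =>
            checkRequest($victimSeed, $otherPath,
                ['token' => makeToken($victimSeed, ROUTE_PATH)]) === false,
    ];
}

foreach (demonstrate() as $check => $holds) {
    printf("%-46s %s\n", $check, $holds ? 'yes' : 'NO');
}
```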

7. Trusted host patterns enforced for requests

Many Drupal sites will respond to a page request using an arbitrary host header sent to the correct IP address. This can lead to cache poisoning, bogus site emails, bogus password recovery links, and other problems with security implications. For earlier versions of Drupal, it can be a challenge to correctly configure the webserver for a single site that uses sites/default as its site directory to prevent these host header spoofing attacks. Drupal 8 ships with a simple facility to configure expected host patterns in settings.php and warns you in the site status report if it's not configured.

8. PDO MySQL limited to executing single statements

If available, Drupal 8 will set a flag that limits PHP to sending only a single SQL statement at a time when using MySQL. This change would have reduced the severity of SA-CORE-2014-005 (a SQL injection vulnerability that was easily exploited by anonymous users) (7.x back-port). Getting this change into Drupal 8 meant I first had to contribute a small upstream change to the PHP language itself, in the PDO MySQL library; it is available in PHP versions 5.5.21 or 5.6.5 and greater. There is also a patch in progress to try to enforce this protection regardless of which specific database driver is being used.
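The two settings.php additions behind points 7 and 8, as an added example that is not from the article or from Drupal core, plus a small stand-alone helper (checkHost, hypothetical) showing how an anchored trusted-host pattern list separates a legitimate Host header from a spoofed one. The host names and credentials are constructed placeholders, and the 'pdo' key is assumed here to be the driver-options array Drupal passes through to PDO.

```php
<?php
// Added example (not from the article or Drupal core). Drupal 8 reads
// $settings['trusted_host_patterns'] from settings.php; the checkHost()
// helper below is a hypothetical stand-alone illustration of the idea,
// not Drupal's own implementation.

declare(strict_types=1);

// --- Point 7: only answer requests whose Host header matches a pattern.
// Patterns are regular expressions: anchor them and escape the dots so
// that "example.com.attacker.test" cannot satisfy "example.com".
$settings['trusted_host_patterns'] = [
    '^www\.example\.com$',
    '^example\.com$',
    '^staging\.example\.com$',
];

// --- Point 8: refuse stacked statements at the PDO level for MySQL.
// Drupal 8's MySQL driver sets this itself when the constant exists
// (PHP >= 5.5.21 / 5.6.5); it is spelled out here to show what is set.
// Requires the pdo_mysql extension to be loaded. Credentials are placeholders.
$databases['default']['default'] = [
    'driver'   => 'mysql',
    'database' => 'PLACEHOLDER_DB',
    'username' => 'PLACEHOLDER_USER',
    'password' => 'PLACEHOLDER_PASSWORD',
    'host'     => 'localhost',
    'prefix'   => '',
    'pdo'      => [
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => FALSE,
    ],
];

/**
 * Return true when $host matches one of the configured patterns.
 * A port suffix is removed first, since "example.com:8443" should be
 * judged on the host name alone; matching is case-insensitive.
 */
function checkHost(string $host, array $patterns): bool
{
    $hostOnly = preg_replace('/:\d+$/', '', strtolower($host));
    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $hostOnly) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed Host headers as a web server might pass them through,
// paired with whether the pattern list above should accept them.
$cases = [
    'www.example.com'           => true,   // configured name
    'EXAMPLE.com:8443'          => true,   // port dropped, case ignored
    'example.com.attacker.test' => false,  // anchored pattern rejects it
    'evil.test'                 => false,  // not listed at all
];

foreach ($cases as $host => $shouldAccept) {
    $accepted = checkHost($host, $settings['trusted_host_patterns']);
    printf("%-28s %-8s %s\n", $host, $accepted ? 'accept' : 'reject',
        $accepted === $shouldAccept ? 'as intended' : 'UNEXPECTED');
}
```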

9. Clickjacking protection enabled by default

A small change, but Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. This header is respected by most browsers and prevents the site from being served inside an iframe on another domain. This blocks so-called clickjacking attacks (e.g. forms or links on the site being presented in a disguised fashion on an attacker's site inside an iframe), as well as blocking the unauthorized re-use of site content via iframes (7.x back-port).

10. Core JavaScript API Compatible with CSP

Support for inline JavaScript was removed from the #attached property in the Drupal render API. In addition, the Drupal JavaScript settings variables are now added to the page as JSON data and loaded into a variable instead of being rendered as inline JavaScript. This was the last use of inline JavaScript by Drupal 8 core, and it means that site builders can much more easily enable a strict content security policy (CSP), a new web standard for communicating per-site restrictions to browsers and mitigating XSS and other vulnerabilities.

A final note of caution: the substantial code reorganization and refactoring in Drupal 8, as well as the dependence on third-party PHP components, does present a certain added risk. The code reorganization may have introduced bugs that were missed by the existing core tests. The third-party components themselves may have security vulnerabilities that affect Drupal, and at the very least we need to track them, stay up to date with them, and fix our integration for any corresponding API changes. In order to try to mitigate this risk, the Drupal Association has been conducting the first Drupal security bug bounty ever run for any version of Drupal core. This has uncovered several security bugs, which means they will be fixed before Drupal 8 is released.

- Source: https://goo.gl/i2CCxj
