security_layer
No security coverage
Security for Drupal is a site recipe that applies a full set of security best practices to new or existing Drupal installations. It automates the installation and configuration of essential modules to help secure your site from the start.
This recipe is ideal for developers, site builders, and administrators who want to ensure compliance with modern security standards — without having to manually configure every module.
Features included:
- Strong password policies: Enforced complexity, expiration, reuse prevention.
- Brute-force protection: Login attempt throttling and flood logging.
- CAPTCHA: For login/registration/recovery forms.
- Two-Factor Authentication (2FA): With TOTP and recovery codes.
- Session timeout management: Idle and maximum session time limits.
- Data encryption: Using AES-256 via the Key and Encrypt modules.
- Secure HTTP headers: HSTS, CSP, XSS protection, frame restrictions.
- Remove HTTP headers: Removes configured HTTP headers from the response.
- Performance defaults: CSS/JS aggregation and browser cache settings.
Security for Drupal is Composer-friendly and compatible with Drupal 11. It is designed to promote secure-by-default Drupal deployments in professional environments.