security_profile

A quick setup has been implemented to enhance the security of a generic Drupal project, configurable with variables in a post-installation script. With the aim of streamlining the configuration, installation, and security times of each project.

The OWASP Top 10 was used as a reference framework to ensure it passes 90% of audits. Keep in mind that if any element is overly restrictive, you can relax it at your own risk.

Included Modules

• Authentication & Access Control: Enforces strong password policies, multi-factor authentication, and session timeouts.
  • Password Policy (Length, character types, history)
  • TFA (Two-Factor Authentication)
  • Autologout
• Brute Force & Bot Protection: Mitigates automated attacks and unauthorized login attempts.
  • Login Security
  • Flood Control
  • Advban (Advanced Ban)
  • reCAPTCHA
• Data Exposure Prevention: Hardens HTTP headers and protects user data.
  • Seckit (Security Kit)
  • Username Enumeration Prevention
• Cryptography & Key Management: Infrastructure for encrypting sensitive data.
  • Key
  • Encrypt
  • Real AES
• Audit & Logging: Comprehensive tracking for post-incident forensics.
  • Event Log Track (Tracks auth, nodes, config, files, menus, users, etc.)
  • Syslog (Core)

Site-Building Tools

While not strictly security-related, the profile includes essential administration tools to ease site management:

• Admin Toolbar (along with Tools and Search submodules)
• Token