security_profile
No security coverage
A quick setup has been implemented to enhance the security of a generic Drupal project, configurable with variables in a post-installation script. With the aim of streamlining the configuration, installation, and security times of each project.
The OWASP Top 10 was used as a reference framework to ensure it passes 90% of audits. Keep in mind that if any element is overly restrictive, you can relax it at your own risk.
Included Modules
- Authentication & Access Control: Enforces strong password policies, multi-factor authentication, and session timeouts.
- Password Policy (Length, character types, history)
- TFA (Two-Factor Authentication)
- Autologout
- Brute Force & Bot Protection: Mitigates automated attacks and unauthorized login attempts.
- Login Security
- Flood Control
- Advban (Advanced Ban)
- reCAPTCHA
- Data Exposure Prevention: Hardens HTTP headers and protects user data.
- Seckit (Security Kit)
- Username Enumeration Prevention
- Cryptography & Key Management: Infrastructure for encrypting sensitive data.
- Key
- Encrypt
- Real AES
- Audit & Logging: Comprehensive tracking for post-incident forensics.
- Event Log Track (Tracks auth, nodes, config, files, menus, users, etc.)
- Syslog (Core)
Site-Building Tools
While not strictly security-related, the profile includes essential administration tools to ease site management:
- Admin Toolbar (along with Tools and Search submodules)
- Token