security_setup_recipe
No security coverage (this project is not covered by Drupal's security advisory policy)
A Drupal recipe that installs and configures a practical baseline of security hardening modules for production sites.
What This Recipe Provides
This recipe automates the setup of essential security modules with sensible defaults:
- Security Kit (SecKit) – HTTP security headers including Content Security Policy (CSP), X-Frame-Options, HSTS, and Origin-header-based CSRF protection
- Login Security – Brute-force login attack prevention with IP-based lockout
- Autologout – Automatic idle session expiry for inactive users
- Password Policy – Enforce strong password requirements (length, character types, username checking)
- Paranoia – Prevents PHP code from being executed through the admin UI (PHP text format and PHP-evaluating permissions)
- Flood Control – Admin UI for Drupal core's flood limits, such as failed login attempts per IP address and per account
- Ban module (Drupal core) – IP address banning functionality
Safe Defaults for All Environments
The recipe uses conservative defaults that work in development, staging, and production:
- HSTS is disabled by default – Enable it via Config Split or settings override once you're on HTTPS
- CSP runs in report-only mode – Browsers post violations to '/report-csp-violation', where SecKit writes them to the Drupal log; review that log before switching to enforcement
- Autologout is disabled by default – Configure per-environment session rules as needed
Post-Apply Steps
- Review CSP violation reports and adjust your policy
- Enable HSTS in production environments only (via Config Split or settings.php)
- Configure autologout rules for your security requirements
- Test login lockout behavior to ensure legitimate users aren't blocked
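One way to carry out the environment-specific steps above from settings.php rather than Config Split, as an added example that is not the recipe's own code. The seckit.settings and autologout.settings keys are assumed from those modules' current config schemas, and DRUPAL_ENV is a placeholder for whatever variable your hosting exports; check both against the installed modules' config/schema files before deploying.

```php
<?php

// Included from settings.php. Added example, not part of security_setup_recipe.
// Config keys are assumed from the Security Kit and Autologout schemas.

// Derive the environment from a deployment variable (name is an assumption).
$env = getenv('DRUPAL_ENV') ?: 'development';
$is_production = ($env === 'production');

// HSTS: enable only where every hostname behind this override is served over
// HTTPS. Start with a one-year max-age only after a shorter value has proven
// safe, and leave includeSubDomains and preload off until that is confirmed.
$config['seckit.settings']['seckit_ssl']['hsts'] = $is_production;
$config['seckit.settings']['seckit_ssl']['hsts_max_age'] = 31536000;
$config['seckit.settings']['seckit_ssl']['hsts_subdomains'] = FALSE;
$config['seckit.settings']['seckit_ssl']['hsts_preload'] = FALSE;

// CSP: keep report-only everywhere until the violation log stays quiet, then
// enforce in production only. Development and staging keep reporting.
$config['seckit.settings']['seckit_xss']['csp']['report-only'] = !$is_production;

// Autologout: the recipe ships it disabled. Enforce a 30-minute idle timeout
// in production with a 60-second warning before the session is ended.
$config['autologout.settings']['enabled'] = $is_production;
$config['autologout.settings']['timeout'] = 1800;
$config['autologout.settings']['padding'] = 60;
```

Because these are runtime overrides, `drush config:get seckit.settings` shows the exported values while the headers a browser receives reflect the overridden ones; verify the result with `curl -I` against the production hostname rather than from the config export.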
Requirements
- Drupal 10.3 or Drupal 11
- The contributed modules listed above are declared as Composer dependencies of the recipe and are installed when it is required
Recommended companion project:
Recipes Manager brings recipe discovery, application, and review into the Drupal admin UI, which makes recipes easier to work with for teams that do not apply them from the command line.