@davebeach
Last active March 24, 2021 17:25
Drupal 8.0 Security Settings

Drupal 8 Securing Production Environment

Permissions

# Run from the Drupal root. Use "." rather than "*" so dotfiles such as .htaccess are included.
sudo chown -R MYUSER:www-data .
sudo find . -type d -exec chmod 755 {} \;
sudo find . -type f -exec chmod 640 {} \;
# Only the exported config under the public files directory stays writable by the web server group.
sudo find sites/default/files/config* -type f -exec chmod 664 {} \;
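As an added example (not part of the gist), the same scheme wrapped in a script that applies it and then audits the tree for what the scheme is meant to prevent: world-writable paths, group-writable files outside the upload directory, and PHP scripts inside it. It assumes the Drupal root is passed as the first argument, that the web server group is www-data, and that chown only runs when executed as root.

```shell
#!/usr/bin/env bash
# Added example, not from the gist: apply the ownership/permission scheme
# above to a Drupal root, then audit the result. Assumptions: Drupal root is
# $1; owner/group default to the current user and www-data; chown runs only
# as root and only when the group exists on this host.
set -eu

# apply_perms ROOT [OWNER] [GROUP]
apply_perms() {
  local root=${1%/} owner=${2:-$(id -un)} group=${3:-www-data} d
  if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
    chown -R "$owner:$group" "$root"      # "." semantics: dotfiles included
  fi
  find "$root" -type d -exec chmod 755 {} +   # dirs: owner rwx, group/other rx
  find "$root" -type f -exec chmod 640 {} +   # files: owner rw, group r, other none
  # only the exported config under sites/default/files stays group-writable
  for d in "$root"/sites/default/files/config*; do
    [ -d "$d" ] || continue
    find "$d" -type f -exec chmod 664 {} +
  done
}

# audit_perms ROOT: prints one line per finding; empty output means clean
audit_perms() {
  local root=${1%/} files
  files=$root/sites/default/files
  # 1. anything writable by "other"
  find "$root" -perm -002 | sed 's/^/world-writable: /'
  # 2. group-writable files outside the upload directory (the web server
  #    account must not be able to rewrite code or settings.php)
  find "$root" -path "$files" -prune -o -type f -perm -020 -print \
    | sed 's/^/group-writable outside files dir: /'
  # 3. server-side scripts that ended up inside the upload directory
  if [ -d "$files" ]; then
    find "$files" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
      | sed 's/^/script inside files dir: /'
  fi
}

# Usage: ./drupal-perms.sh /opt/bitnami/apps/drupal/htdocs
if [ "${1:-}" ]; then
  apply_perms "$1"
  audit_perms "$1"
fi
```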

Securing User 1

  • It is best to disable user 1 using drush (you can re-enable it when you need it):
drush user-block 1
  • To re-enable user 1:
drush user-unblock 1

Setting Up SSL

  • Best to use the open source certificate authority project Let's Encrypt. Instructions are found at Let's Encrypt.
  • The certificates must be renewed on a regular basis - every 3 months.

Redirecting HTTP to HTTPS at web server level

  • If you have server and root access, it is best to use the highest-level httpd.conf file to configure the redirect, i.e. /opt/USER/apache2/httpd.conf. You can also place it in the virtual host file or a downstream application folder. Keeping it simple by making the entire server redirect is easier in my opinion.
  • Redirect - add to the web server config under the virtual host for port 80:
  # inside the <VirtualHost *:80> block; requires mod_rewrite
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  # R=301 makes the redirect permanent so clients and caches stop asking for the HTTP URL
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]

Enable SSH, SFTP or PuTTY to upload files to the server from your local machine.

When Flood Controls is available for 8.x, implement it to protect against brute-force attacks.

Flood Controls Project Link

Best Practices for Developers

Change DOCROOT directory

  • Create a DOCROOT directory with an index.php file containing:
<?php
// Hand the request to Drupal's real index.php one level up.
chdir('..');
require 'index.php';
  • Create symlinks for the other files served from the web root, such as robots.txt:
cd docroot
ln -s ../robots.txt
ln -s ../.htaccess
  • Point the web server at the new DOCROOT directory.
  • Make a files directory under DOCROOT.
  • Change in settings.php:
$settings['file_public_path'] = 'docroot/files';
// Replace http://drupal-8.localhost with your site's URL, or use $base_url if you have defined it.
$settings['file_public_base_url'] = 'http://drupal-8.localhost/files';
  • Solution from Klaus Purer. For detailed instructions, including asset sync, click here.

Always upgrade to the latest Drupal version/patch.

  • Ensure cron is running so that update status and module updates are reported.
  • Implement updates as soon as possible.

Private file store - configure in settings.php the directory where private files will be stored.

  • If you receive the error:
Warning: file_put_contents(private://.htaccess): failed to open stream: "Drupal\Core\StreamWrapper\PrivateStream::stream_open" call failed in file_save_htaccess() (line 366 of core/includes/file.inc).

OR

See https://www.drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /opt/bitnami/apps/drupal/htdocs/sites/default/private directory to help protect against arbitrary code execution.
  • For the files, private and temporary directories, ensure that you have the following .htaccess file. Use it only in these directories (the site root has its own, different .htaccess).
# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>