Security for Drupal
Drupal Feature


Drupal is a proven, secure CMS and application framework that stands up to the most critical internet vulnerabilities in the world to prevent the worst from happening. Drupal is mature, stable and designed with robust security in mind. Organizations around the world --including leading corporations, brands, and governments-- rely on Drupal for mission-critical sites and applications, testing its security against the most stringent standards. A dedicated security team, along with a large professional service provider ecosystem, and one of the largest developer communities in the world ensure rapid response to issues. Many security problems are prevented entirely by Drupal’s strong coding standards and rigorous community code review process.




Dedicated Security Team

The Drupal Security Team--dozens of experts from around the world--validates and responds to security issues. Security issues are reported confidentially, and the security team coordinates with core and contributed module maintainers to prepare and release fixes. The team fixes security problems and publishes advisories that explain vulnerabilities, along with steps to mitigate them.

Secure Access

Out of the box, Drupal account passwords are salted and repeatedly hashed before they are stored in the database. Drupal can support a wide variety of password policies such as minimum length, complexity, or expiration. Industry standard authentication practices are also supported, including SSL and 2-factor authentication. Many single sign-on systems are integrated with Drupal in production applications, including LDAP, Shibboleth, OpenID, and SAML.

Granular User Access Control

Drupal can give administrators complete control over who can see and who can modify every part of a site. Drupal operates based on a system of extensible user roles and access permissions. Administrators can create user roles and give them specific, limited permissions. For example, a site might need an author role that can create and update content, but not publish or delete it--permissions reserved for the editor role--while administrative settings are reserved for a separate role entirely. Authenticated users can be assigned any number of roles, and their permissions are cumulative. Menu links and features are automatically hidden from users who do not have appropriate access.

Database Encryption

In high-security applications, Drupal can be configured for extremely strong database encryption. When whole-database encryption is not desired, very high granularity is available to protect more specific information: user accounts, specific forms, and even the values of specific fields can be encrypted in an otherwise plaintext database. The encryption system can be configured to meet the strictest requirements of PCI, HIPAA, and state privacy laws, including offsite encryption key management.

Preventing XSS, CSRF, and other malicious data entry

Drupal’s Form API ensures that data is validated and scrubbed before entry in the database. The system tests that user-entered data--and even the form fields themselves--match prescribed, expected formats and values. Tokens are injected into each form as it is generated, to protect against potential CSRF attacks. Drupal’s database abstraction layer performs additional security checks on data as it is written to and retrieved from the database.

Brute Force Detection

Drupal protects against brute-force password attacks by limiting the number of login attempts from a single IP address over a predefined period of time. Failed login attempts are logged and visible via the administrative interface. Drupal can also be configured to allow administrators to ban individual IP addresses and address ranges.
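
The per-IP limit over a time window described above can be modelled in a few lines. This is an added illustration, not Drupal's own code: the `LoginLimiter` class, the threshold of 5 failures, the 10-minute window, and the sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

IP_LIMIT = 5                      # assumed threshold, not a Drupal default
WINDOW = timedelta(minutes=10)    # assumed window, not a Drupal default

# Constructed sample events: (timestamp, client IP, password correct?)
SAMPLE_EVENTS = (
    [(f"2024-01-01T12:00:{s:02d}", "203.0.113.7", False) for s in range(0, 50, 10)]
    + [
        ("2024-01-01T12:00:55", "198.51.100.4", False),  # unrelated client
        ("2024-01-01T12:01:00", "203.0.113.7", True),    # limit already reached
        ("2024-01-01T12:01:05", "198.51.100.4", True),
        ("2024-01-01T12:10:45", "203.0.113.7", True),    # old failures expired
    ]
)

class LoginLimiter:
    """Tracks failed logins per IP inside a sliding time window."""

    def __init__(self, limit=IP_LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)   # ip -> timestamps of failures

    def _recent(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] >= self.window:   # drop failures outside the window
            q.popleft()
        return q

    def is_allowed(self, ip, now):
        return len(self._recent(ip, now)) < self.limit

    def record_failure(self, ip, now):
        self._recent(ip, now).append(now)

def replay(events, limiter=None):
    """Replay login events and return (timestamp, ip, outcome) tuples."""
    limiter = limiter or LoginLimiter()
    results = []
    for ts, ip, password_ok in events:
        now = datetime.fromisoformat(ts)
        if not limiter.is_allowed(ip, now):
            outcome = "blocked"      # rejected before the password is even checked
        elif password_ok:
            outcome = "success"
        else:
            limiter.record_failure(ip, now)
            outcome = "failed"
        results.append((ts, ip, outcome))
    return results
```

Once the limit is reached, even a correct password from that address is refused until the earlier failures age out of the window, while other clients are unaffected.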

Mitigating Denial of Service (DoS) Attacks

Drupal’s extensible cache layer comes pre-configured with basic page, JavaScript, and CSS caches. The system supports deep integration with performance technologies such as Memcache, Redis, Varnish, and many popular CDN services. Individual components of Drupal are typically cached as well, and granular expiry is a common feature. This multi-layered cache architecture is extremely resistant to high volumes of traffic, and makes Drupal the system of choice for some of the world’s highest-traffic websites.

Addresses OWASP Top 10 Risks

Drupal includes features that address all of the Open Web Application Security Project’s top ten security risks, a list of the most commonly seen risks in practice.