drupal / security_layer
Installs and configures Password Policy and sets 90 day expiration default.
Requires
- drupal/autologout: ^2
- drupal/captcha: ^2
- drupal/login_security: ^2
- drupal/password_policy: ^4
- drupal/real_aes: ^2
- drupal/remove_http_headers: ^2.1
- drupal/seckit: ^2.0
- drupal/tfa: ^1.7
This package is auto-updated.
Last update: 2025-05-29 11:35:58 UTC
README
Version: 0.1
Machine Name: security_layer
Type: Recipe
Author: Carla Mola
Compatible with: Drupal 11.x
Introduction
Security Layer is a ready-to-use configuration recipe that strengthens your Drupal site’s security by automatically installing and configuring essential security modules. It enforces password policies, two-factor authentication (2FA), form protection, brute-force prevention, session control, data encryption, and HTTP header hardening.
It is designed for developers and administrators who want to apply security best practices quickly and reliably.
Features
Strong Password Policies
- Minimum 12 characters.
- Must contain at least 4 types of characters.
- Prevents reuse of the last 5 passwords.
- Cannot include the username.
- Passwords expire every 90 days.
Session Timeout and Control
- Automatically logs out users after 30 minutes of inactivity.
- Maximum session length configurable (default: 2 hours).
- Session tracking and logout logs enabled.
- Applies only to authenticated users.
Brute-force Protection
- Maximum 5 failed login attempts.
- Activity logged after 10 failed attempts within 1 hour.
- Temporary blocking enabled.
CAPTCHA on Critical Forms
- Math-based challenge.
- Enabled for login, registration, and password reset.
- Case-insensitive validation.
Two-Factor Authentication (2FA)
- Based on TOTP (e.g., Google Authenticator).
- Enabled by default for all authenticated users.
- 10 recovery codes generated per user.
- 6 failed attempts allowed per 5 minutes (flood control).
- Email notifications on 2FA enable/disable actions.
Data Encryption
- AES-256 encryption via the real_aes module.
- Encryption key stored securely using the key module.
- Key is Base64-encoded and must be manually generated (see below).
- Integrates with encrypt, key, and real_aes.
Secure HTTP Headers
- Removes insecure or unnecessary headers (X-Powered-By, Server).
- Sets strict security policies:
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  Strict-Transport-Security
- Basic Content-Security-Policy (CSP).
Performance Tuning
- Enables CSS and JS aggregation.
- Browser and proxy caching set to 1 hour.
Requirements
Required Contributed Modules
This recipe depends on the following Drupal modules:
- password_policy
- captcha
- flood_control
- tfa
- encrypt
- key
- real_aes
- secure_headers
All of them are automatically installed via Composer when applying the recipe.
Installation
Step 1: Add the repository (if not on drupal.org)
Requiring this Recipe
composer require drupal/security_layer:1.0.0
Applying this Recipe
drush cr
drush recipe security_layer
Post-installation Configuration
Generate your own encryption key
Before enabling encryption features, you must generate a secure 256-bit key:
openssl rand -base64 32
This produces a Base64-encoded 256-bit key.
Then, open the file config/install/key.key.encryption_key.yml. Find the key_value field and replace its content with your generated key.
key_value: YOUR_BASE64_ENCODED_KEY_HERE
Do not use the default key in production environments.
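The key-generation step above, scripted as an added example (not part of the recipe): it generates the key with openssl, rejects the placeholder and any value that does not decode to exactly 32 bytes, and then rewrites the key_value line in the key config file. The file path and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the security_layer recipe.
set -eu

# Generate a random 256-bit key, Base64-encoded, exactly as the README does.
gen_key() {
  openssl rand -base64 32
}

# Return 0 only if $1 is Base64 that decodes to exactly 32 bytes (256 bits,
# the size real_aes expects). The shipped placeholder and short keys fail.
validate_key() {
  key="$1"
  [ "$key" != "YOUR_BASE64_ENCODED_KEY_HERE" ] || return 1
  nbytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ') || return 1
  [ "$nbytes" -eq 32 ]
}

# Replace the key_value line in a key config file with a validated key.
# $1 = path to key.key.encryption_key.yml (assumed path), $2 = Base64 key.
set_key_value() {
  file="$1"; key="$2"
  validate_key "$key" || return 1
  grep -q '^key_value:' "$file" || return 1
  tmp="$file.tmp"
  # Base64 never contains '|' or '&', so this sed replacement is safe.
  sed "s|^key_value:.*|key_value: $key|" "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Run it against the recipe's key config before deploying; a failed validate_key means the placeholder is still in place or the key is not 256 bits.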