drupal/security_layer

Installs and configures Password Policy and sets 90 day expiration default.

Installs: 1

Dependents: 0

Suggesters: 0

Security: 0

Type: drupal-recipe

0.x-dev 2025-05-29 11:14 UTC

This package is auto-updated.

Last update: 2025-05-29 11:35:58 UTC


README

Version: 0.1
Machine Name: security_layer
Type: Recipe
Author: Carla Mola
Compatible with: Drupal 11.x

Introduction

Security Layer is a ready-to-use configuration recipe that strengthens your Drupal site’s security by automatically installing and configuring essential security modules. It enforces password policies, two-factor authentication (2FA), form protection, brute-force prevention, session control, data encryption, and HTTP header hardening.

Designed for developers and administrators who want to apply best practices in security quickly and reliably.

Features

Strong Password Policies

  • Minimum 12 characters.
  • Must contain at least 4 types of characters.
  • Prevents reuse of the last 5 passwords.
  • Cannot include the username.
  • Passwords expire every 90 days.

Session Timeout and Control

  • Automatically logs out users after 30 minutes of inactivity.
  • Maximum session length configurable (default: 2 hours).
  • Session tracking and logout logs enabled.
  • Applies only to authenticated users.

Brute-force Protection

  • Maximum 5 failed login attempts.
  • Activity logged after 10 failed attempts within 1 hour.
  • Temporary blocking enabled.

CAPTCHA on Critical Forms

  • Math-based challenge.
  • Enabled for login, registration, and password reset.
  • Case-insensitive validation.

Two-Factor Authentication (2FA)

  • Based on TOTP (e.g., Google Authenticator).
  • Enabled by default for all authenticated users.
  • 10 recovery codes generated per user.
  • 6 failed attempts allowed per 5 minutes (flood control).
  • Email notifications on 2FA enable/disable actions.

Data Encryption

  • AES-256 encryption via the real_aes module.
  • Encryption key stored securely using the key module.
  • Key is Base64-encoded and must be manually generated (see below).
  • Integrates with encrypt, key, and real_aes.

Secure HTTP Headers

  • Removes insecure or unnecessary headers (X-Powered-By, Server).
  • Sets strict security policies:
      • X-Frame-Options: SAMEORIGIN
      • X-XSS-Protection: 1; mode=block
      • Strict-Transport-Security
      • Basic Content-Security-Policy (CSP)
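After applying the recipe, it is worth confirming that the headers above actually reach the browser, since a reverse proxy or the web server itself can add or strip headers after PHP has set them. The following script is an added example, not code from the recipe or the secure_headers module: it reads a saved set of response headers (e.g. from `curl -sI` against your site; the URL and file name are placeholders) and checks each header the README lists, requiring the fixed values where the README gives one and reporting any X-Powered-By or Server header that is still sent.

```shell
#!/bin/sh
# Added example; not the recipe's or the secure_headers module's own code.
# Checks a saved set of response headers against the policy the README lists.
# Capture them with e.g.  curl -sI https://example.test/ > headers.txt
# (placeholder URL) and run:  sh check_headers.sh headers.txt

# Print the value of header $2 from file $1 (first match). Names are
# case-insensitive, so match with -i; strip the CR of CRLF line endings.
header_value() {
    grep -i "^$2:" "$1" | head -n 1 | cut -d: -f2- | tr -d '\r' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Each check prints one result line and returns 0 (pass) or 1 (fail).
want_present() {   # header must be sent with a non-empty value
    v=$(header_value "$1" "$2")
    if [ -n "$v" ]; then echo "ok       $2: $v"; else echo "MISSING  $2"; return 1; fi
}
want_value() {     # header must be sent with exactly the expected value
    v=$(header_value "$1" "$2")
    if [ "$v" = "$3" ]; then echo "ok       $2: $v"
    else echo "WRONG    $2: '${v:-<absent>}' (want '$3')"; return 1; fi
}
want_absent() {    # header must not be sent at all (it fingerprints the stack)
    if grep -qi "^$2:" "$1"; then echo "PRESENT  $2: $(header_value "$1" "$2")"; return 1
    else echo "ok       $2 not sent"; fi
}

# The policy from the README. Returns 0 only when every check passes.
check_headers() {
    rc=0
    want_value   "$1" X-Frame-Options  SAMEORIGIN       || rc=1
    want_value   "$1" X-XSS-Protection "1; mode=block"  || rc=1
    want_present "$1" Strict-Transport-Security         || rc=1
    want_present "$1" Content-Security-Policy           || rc=1
    want_absent  "$1" X-Powered-By                      || rc=1
    want_absent  "$1" Server                            || rc=1
    return $rc
}

# Without an argument, run against a constructed capture of what an
# unhardened PHP stack typically sends (sample data, not from a real site).
if [ -n "${1:-}" ]; then
    check_headers "$1"
else
    sample=$(mktemp)
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/8.3\r\nX-Frame-Options: DENY\r\n' > "$sample"
    check_headers "$sample" || echo "policy violations found"
    rm -f "$sample"
fi
```

Two things to keep in mind when reading the output: a Server header that survives is normally set by Apache or nginx, which a PHP module cannot remove, so that finding points at the web-server configuration rather than the recipe; and current browsers ignore X-XSS-Protection entirely, so that check only confirms the recipe was applied, not that the site is protected against reflected XSS (the CSP is what does that work).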

Performance Tuning

  • Enables CSS and JS aggregation.
  • Browser and proxy caching set to 1 hour.

Requirements

Required Contributed Modules

This recipe depends on the following Drupal modules:

  • password_policy
  • captcha
  • flood_control
  • tfa
  • encrypt
  • key
  • real_aes
  • secure_headers

All of them are automatically installed via Composer when applying the recipe.

Installation

Step 1: Add the repository (if not on drupal.org)

  1. Requiring this Recipe

    composer require drupal/security_layer:1.0.0
    
  2. Applying this Recipe

    drush cr
    drush recipe security_layer
    

Post-installation Configuration

  1. Generate your own encryption key. Before enabling encryption features, you must generate a secure 256-bit key:

    openssl rand -base64 32
    

    This produces a Base64-encoded 256-bit key.

  2. Then open the file config/install/key.key.encryption_key.yml, find the key_value field, and replace its content with your generated key.

    key_value: YOUR_BASE64_ENCODED_KEY_HERE
    

    Do not use the default key in production environments.
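The two post-installation steps above can be carried out as one script that also refuses to write a bad key. The following is an added example and not part of the security_layer recipe: it runs the `openssl rand -base64 32` command from the README, checks that what is about to be written is Base64 for exactly 32 bytes (which always encodes to 44 characters ending in a single `=`), and only then rewrites the `key_value:` line in key.key.encryption_key.yml. The file path comes from the README; the assumption that the file holds a single `key_value:` line is the example's own.

```shell
#!/bin/sh
# Added example; not part of the security_layer recipe. Generates the key the
# README asks for, rejects anything that is not a 256-bit Base64 key, and
# writes it into key.key.encryption_key.yml (the path the README names).

# Step 1 of the README: 32 random bytes, Base64-encoded (44 characters).
generate_key() {
    openssl rand -base64 32
}

# Return 0 only for a Base64 string encoding exactly 32 bytes: 42 data
# characters, one character whose low bits are zero, and one "=" pad.
# A truncated paste, a hex string, or the YOUR_BASE64_ENCODED_KEY_HERE
# placeholder all fail, so they never reach the site's active config.
validate_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Replace the key_value line in file $2 with key $1, after validating it.
# Writes through a temp file rather than "sed -i", which differs between
# GNU and BSD sed. "|" is a safe delimiter: Base64 never contains it or "&".
write_key() {
    key=$1; file=$2
    validate_key "$key" || { echo "refusing to write: not a 32-byte Base64 key" >&2; return 1; }
    grep -q '^key_value:' "$file" || { echo "no key_value line in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    sed "s|^key_value:.*|key_value: $key|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a throwaway copy of the config file, constructed here; run with
# "sh this_script.sh demo". It never touches the real recipe file.
demo() {
    dir=$(mktemp -d)
    f="$dir/key.key.encryption_key.yml"
    printf 'id: encryption_key\nkey_value: YOUR_BASE64_ENCODED_KEY_HERE\n' > "$f"
    key=$(generate_key)
    write_key "$key" "$f" && grep '^key_value:' "$f"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

To use it against the real file, call `write_key "$(generate_key)" config/install/key.key.encryption_key.yml` from the recipe directory; the validation step is what turns the README's "do not use the default key in production" into something the script enforces, because the placeholder string can never pass it.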