drupal/security_recipe

Security recipe with security.txt and essential security modules.

1.0.1 2025-05-19 14:33 UTC

This package is auto-updated.

Last update: 2025-05-19 12:36:48 UTC


README

This package provides essential security modules and configurations for Drupal sites.

Installation

  1. Apply the recipe:

    drush recipe recipes/contrib/security_package

  2. Run post-installation commands:

    drush cache:rebuild
    drush security-review:run

Components

Installed Security Modules

  • Flood Control: Limits login and form submission attempts
  • Two-Factor Authentication (2FA): Provides multi-factor authentication
  • Security Kit: Implements various security hardening features
  • Security Review: Automated security review tool

Security.txt Setup

A security.txt file should be placed in web/.well-known/security.txt. You can generate one using the official generator at https://securitytxt.org/

Example security.txt content:

    # Security.txt file
    # For more information: https://securitytxt.org/

    Contact: mailto:security@example.com
    Expires: 2025-12-31T23:59:59+00:00
    Preferred-Languages: en, nl
    Policy: https://example.com/security-policy
    Hiring: https://example.com/jobs/security
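As an added check that is not part of this recipe, the following Python script parses a security.txt file and flags what RFC 9116 requires: a Contact field whose values are mailto:/https:/tel: URIs, and exactly one Expires timestamp that carries a timezone offset, is not already past, and is at most a year out. The embedded sample is the example content above (Hiring line omitted), and the "current time" is passed in as now_iso so the result is reproducible.

```python
from datetime import datetime, timedelta

# Constructed sample: the security.txt content shown in this README (Hiring line omitted).
SAMPLE_SECURITY_TXT = """\
# For more information: https://securitytxt.org/
Contact: mailto:security@example.com
Expires: 2025-12-31T23:59:59+00:00
Preferred-Languages: en, nl
Policy: https://example.com/security-policy
"""
# RFC 9116 requires Contact values to be URIs; these are the schemes it names.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Map 'Field: value' lines to {field: [values]}; comments, blanks and malformed lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now_iso):
    """Return the problems found (empty list = passes); now_iso is the ISO 8601 'current time' used for Expires."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    fields = parse_security_txt(text)
    contacts = fields.get("contact", [])
    problems = [] if contacts else ["missing required Contact field"]
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return problems + ["Expires must appear exactly once"]
    try:  # Expires must be an RFC 3339 timestamp carrying a timezone offset
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if exp.tzinfo is None:
            raise ValueError("no timezone offset")
    except ValueError as err:
        return problems + [f"Expires is not a valid timestamp ({err}): {expires[0]}"]
    if exp <= now:
        problems.append("Expires is in the past: the file is stale and must be refreshed")
    elif exp > now + timedelta(days=365):
        problems.append("Expires is more than a year out (RFC 9116 recommends at most a year)")
    return problems
```

Run it against web/.well-known/security.txt from a cron job or CI step so a stale Expires is caught before researchers hit a dead contact.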

Recommended Next Steps

  1. Review and customize the security.txt file using the generator at https://securitytxt.org/
  2. Configure 2FA for user roles
  3. Run a security review with: drush security-review:run
  4. Review Security Kit settings

Configuration Details

Flood Control Settings

  • Contact form rate limit: 3 attempts
  • Contact form user limit: 5 attempts
  • User login rate limit: 5 attempts
  • User login user limit: 5 attempts

TFA Settings

  • Required for administrator and editor roles
  • Uses TOTP (Time-based One-Time Password) validation
  • 2-minute time skew allowed
  • Site name prefix enabled

Security Kit Settings

  • Content Security Policy (CSP) enabled
  • XSS protection enabled
  • CSRF protection enabled
  • Clickjacking protection enabled