drupal/security_setup_recipe

Drupal recipe package for baseline site security hardening.

Package info

git.drupalcode.org/project/security_setup_recipe.git

Type:drupal-recipe

pkg:composer/drupal/security_setup_recipe

Statistics

Installs: 0

Dependents: 0

Suggesters: 0

dev-master 2026-06-16 19:37 UTC

This package is not auto-updated.

Last update: 2026-06-16 22:08:21 UTC


README

What This Recipe Does

This recipe installs a practical baseline of Drupal hardening modules and imports security-focused configuration defaults.

Package

  • Composer package: drupal/security_setup_recipe
  • Recipe manifest: recipe.yml

Included Behavior

  • HTTP security headers via SecKit
  • Brute-force mitigation via Login Security
  • Idle session handling via Autologout
  • Password policy baseline
  • Flood control and ban support
  • Paranoia module for admin UI hardening

Requirements

  • Drupal 10.3 or 11
  • Security modules listed in composer.json

Install

composer require drupal/security_setup_recipe

Apply

drush recipe security_setup

Post-Apply Steps

  1. Rebuild caches: drush cr
  2. Review the CSP violation reports collected while the policy runs in report-only mode, fix legitimate sources that get reported, and switch to enforcement only once the reports are clean.
  3. Enable HSTS only on environments served exclusively over HTTPS (browsers cache the header for its max-age, so enabling it on a mixed HTTP/HTTPS host locks users out).
  4. Apply environment-specific overrides for the autologout/session rules where the defaults do not fit (for example a shorter idle timeout in production than in local development).
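One way to carry out steps 2 to 4 without editing the exported config is a per-environment override in settings.php (or settings.local.php). The block below is an added example, not part of the recipe or of the SecKit/Autologout projects; it assumes the deployment sets a DRUPAL_ENV environment variable, and the config key names (seckit_ssl.hsts, seckit_xss.csp.report-only, autologout timeout) are taken from those modules' config schemas as understood by the editor and should be checked against the installed versions.

```php
<?php

/**
 * Environment-specific security overrides (added example, hypothetical).
 *
 * Drupal merges $config[...] over the active configuration at runtime, so
 * the recipe's defaults stay untouched and the production-only settings
 * never leak into exported config.
 */

// Assumption: deployment tooling sets DRUPAL_ENV to 'prod' on production.
$drupal_env = getenv('DRUPAL_ENV') ?: 'dev';

if ($drupal_env === 'prod') {
  // HSTS only here: production is served over HTTPS exclusively.
  // Key names assumed from seckit.settings schema.
  $config['seckit.settings']['seckit_ssl']['hsts'] = TRUE;
  $config['seckit.settings']['seckit_ssl']['hsts_max_age'] = 31536000; // one year
  $config['seckit.settings']['seckit_ssl']['hsts_subdomains'] = FALSE; // only once every subdomain has TLS

  // CSP: enforce, but only after report-only violations have been triaged.
  $config['seckit.settings']['seckit_xss']['csp']['report-only'] = FALSE;

  // Idle session timeout in seconds (autologout.settings).
  $config['autologout.settings']['timeout'] = 1800;
}
else {
  // Non-production: keep HSTS off and CSP in report-only so developers see
  // violations without being blocked; longer idle timeout for convenience.
  $config['seckit.settings']['seckit_ssl']['hsts'] = FALSE;
  $config['seckit.settings']['seckit_xss']['csp']['report-only'] = TRUE;
  $config['autologout.settings']['timeout'] = 7200;
}
```

Two caveats when using overrides like this: values set in $config are invisible in the admin UI and to `drush config:get` unless `--include-overridden` is passed, so document them; and if TLS terminates at a reverse proxy, make sure the proxy settings in settings.php are configured so that Drupal (and SecKit) see the request as HTTPS before turning HSTS on.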

Known Limitations

  • Security posture still requires environment-specific hardening and policy tuning.
  • HSTS and strict CSP enforcement should be enabled only after validation in your deployment context.

Maintenance

  • HSTS is intentionally not forced in the base config; enable it per environment (see Post-Apply Steps).
  • The recipe's config import runs with strict set to false, so re-applying it on a site whose configuration has since diverged does not abort; existing config is left in place rather than compared against the recipe's copy.