
Securing Drupal

Follow these steps to make your Drupal website more secure

Insert the following line in the Apache configuration file:

# Allow the session cookie only over a secure channel
php_value session.cookie_secure 1

This setting makes PHP send the session cookie only over secure (https) connections.

Set the https base URL in the file drupal/sites/default/settings.php

# All full URLs emitted by Drupal will use https
$base_url = 'https://example.com'; // NO trailing slash!

Your site will now be available on http and https.

Redirect http requests for /user or /admin to https. This can be done by adding the following lines to the Apache configuration file:

# Match /user or /admin, as a path or as a ?q= query string
RewriteCond %{REQUEST_URI} ^/(user|admin) [OR]
RewriteCond %{QUERY_STRING} ^q=(user|admin)
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [L,R=301]

This will work only if the user is directly trying to access the page. It will not work for the username and password submitted through the login box. In combination with the secure cookie setting in step 1, Drupal will stop users from receiving a valid session ID if they try to log in over http through the login box, but the password will still be sent in clear text.

Patch Drupal/modules/user.module so that the login box redirects to the https page too.
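One way to check the result of the steps above against captured responses, as an added example that is not part of the original tutorial. The names `audit` and `PasswordForms` and the sample data are constructed for illustration; the function flags cookies without the Secure attribute, http requests for /user or /admin that are not answered with a 301 to https, and login forms that would still post the password over http.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a front page served over http that carries the login box.
SAMPLE_URL = "http://example.com/"
SAMPLE_HEADERS = [("Set-Cookie", "SESSabc123=xyz; path=/; HttpOnly")]
SAMPLE_BODY = ('<form action="/node?destination=node" method="post">'
               '<input type="text" name="name"><input type="password" name="pass"></form>')

class PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.current = None  # action of the form being parsed, if any
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = a.get("action") or ""
        elif (tag == "input" and self.current is not None
              and (a.get("type") or "").lower() == "password"):
            self.actions.append(self.current)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit(url, status, headers, body):
    """Return findings for one captured response; headers is a list of pairs."""
    findings = []
    parts = urlsplit(url)
    hdrs = [(k.lower(), v) for k, v in headers]
    # Secure-cookie step: every cookie should carry the Secure attribute.
    for k, v in hdrs:
        attrs = [p.strip().lower() for p in v.split(";")[1:]]
        if k == "set-cookie" and "secure" not in attrs:
            findings.append("cookie without Secure: " + v.split("=")[0])
    # Redirect step: http requests for /user or /admin should get a 301 to https.
    if parts.scheme == "http" and parts.path.startswith(("/user", "/admin")):
        if status != 301 or not dict(hdrs).get("location", "").startswith("https://"):
            findings.append("no https redirect for " + parts.path)
    # Login-box caveat: a password form that posts to http exposes the password.
    forms = PasswordForms()
    forms.feed(body)
    for action in forms.actions:
        target = urljoin(url, action)
        if urlsplit(target).scheme != "https":
            findings.append("login form posts over http: " + target)
    return findings
```

Calling `audit(SAMPLE_URL, 200, SAMPLE_HEADERS, SAMPLE_BODY)` on the constructed sample reports both the cookie and the login form.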
