Drupal is a proven, secure CMS and application framework that stands up to the most critical internet vulnerabilities in the world to prevent the worst from happening. Drupal is mature, stable and designed with robust security in mind. Organizations around the world, including leading corporations, brands, and governments, rely on Drupal for mission-critical sites and applications and test its security against the most stringent standards. A dedicated security team, a large professional service provider ecosystem, and one of the largest developer communities in the world ensure rapid response to issues. Many security problems are prevented entirely by Drupal’s strong coding standards and rigorous community code review process.
Out of the box, Drupal stores account passwords in the database as salted, repeatedly hashed values rather than in plaintext. Drupal can support a wide variety of password policies such as minimum length, complexity, or expiration. Industry-standard authentication practices are also supported, including SSL and two-factor authentication. Many single sign-on systems are integrated with Drupal in production applications, including LDAP, Shibboleth, OpenID, and SAML.
Granular User Access Control
Drupal can give administrators complete control over who can see and who can modify every part of a site. Drupal operates on a system of extensible user roles and access permissions. Administrators can create user roles and give them specific, limited permissions. For example, a site might need an author role that can create and update content but not publish or delete it (permissions reserved for the editor role), while administrative settings are reserved for a separate role entirely. Authenticated users can be assigned any number of roles, and their permissions are cumulative. Menu links and features are automatically hidden from users who do not have the appropriate access.
In high-security applications, Drupal can be configured for extremely strong database encryption. When whole-database encryption is not desired, very high granularity is available to protect more specific information: user accounts, specific forms, and even the values of specific fields can be encrypted in an otherwise plaintext database. The encryption system can be configured to meet the strictest PCI, HIPAA, and state privacy requirements, including offsite encryption key management.
Preventing XSS, CSRF, and other malicious data entry
Drupal’s Form API ensures that data is validated and scrubbed before it is entered in the database. The system checks that user-entered data (and even the form fields themselves) match prescribed, expected formats and values. Tokens are injected into each form as it is generated to protect against CSRF attacks. Drupal’s database abstraction layer performs additional security checks on data as it is written to and retrieved from the database.
Brute Force Detection
Drupal protects against brute-force password attacks by limiting the number of login attempts from a single IP address over a predefined period of time. Failed login attempts are logged and visible via the administrative interface. Drupal can also be configured to allow administrators to ban individual IP addresses and address ranges.
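One way a custom module can use the two mechanisms described above (Form API validation with its automatic CSRF token, and per-IP attempt limiting), written as an added example rather than Drupal's own code: a Drupal 8+ form class for a hypothetical "reset my API key" action. The module name example_throttle, the form, and the limit values are assumptions; the flood service calls (\Drupal::flood(), isAllowed, register, clear) are Drupal core APIs.

```php
<?php
namespace Drupal\example_throttle\Form;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

// Hypothetical "reset my API key" form: input validated through the Form API,
// attempts rate-limited per client IP with Drupal's core flood service.
class ResetKeyForm extends FormBase {
  // Constructed limits: at most 5 failed attempts per IP in any 15-minute window.
  const FLOOD_NAME = 'example_throttle.reset_key';
  const FLOOD_THRESHOLD = 5;
  const FLOOD_WINDOW = 900;

  public function getFormId() {
    return 'example_throttle_reset_key_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    // The Form API adds a CSRF token (#token) automatically for authenticated
    // users and rejects submissions that do not carry a valid one.
    $form['confirm'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Type RESET to confirm'),
      '#required' => TRUE,
      '#maxlength' => 16,
    ];
    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Reset key')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $flood = \Drupal::flood();
    $ip = $this->getRequest()->getClientIp();
    // Refuse outright while this IP is over its limit, before doing any work.
    if (!$flood->isAllowed(self::FLOOD_NAME, self::FLOOD_THRESHOLD, self::FLOOD_WINDOW, $ip)) {
      $form_state->setErrorByName('confirm', $this->t('Too many attempts; try again later.'));
      return;
    }
    if ($form_state->getValue('confirm') !== 'RESET') {
      // Count the failed attempt against this IP; the entry expires after the window.
      $flood->register(self::FLOOD_NAME, self::FLOOD_WINDOW, $ip);
      $form_state->setErrorByName('confirm', $this->t('Confirmation text did not match.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Success: clear this IP's counter and leave an audit trail in the log.
    \Drupal::flood()->clear(self::FLOOD_NAME, $this->getRequest()->getClientIp());
    $this->logger('example_throttle')->notice('API key reset requested by uid %uid.', ['%uid' => $this->currentUser()->id()]);
  }
}
```

Failed attempts recorded this way surface in the site log (Reports > Recent log messages) alongside core's own failed-login events, so the same review workflow covers both.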
Mitigating Denial of Service (DoS) Attacks
Addresses OWASP Top 10 Risks
Drupal includes features that address all of the Open Web Application Security Project’s (OWASP) top ten security risks, a list of the risks most commonly seen in practice.