
When comparing content management systems (CMS) for security, Drupal often stands out as a solid option. Drupal has an excellent security track record, with structured processes for investigating, verifying, and publishing security vulnerabilities, handled by an active community and a dedicated security team. Because of this robust security framework, some well-known companies choose Drupal specifically for this reason, including:
- CNN
- Zynga
- PayPal

Strict Security Standards in the Drupal Community
Drupal enforces strict requirements for publishing contributed modules on Drupal.org. New contributors follow a thorough vetting process to become trusted partners. The Drupal security team works closely with key contributors to promptly address potential vulnerabilities. This collaboration ensures the consistent quality and security of Drupal's code.
Addressing Common Security Threats
Drupal’s architecture is designed to counter common security threats like SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and session hijacking. Let's explore how Drupal mitigates specific security risks.
How Does Drupal Face Security Risks?
Drupal uses a comprehensive set of APIs that, when implemented correctly, significantly reduce common security risks.
Injection Prevention
Drupal’s robust database API makes it difficult for developers to introduce injection vulnerabilities. Query parameters are sanitized by the database layer rather than concatenated into SQL, and an object-oriented query interface further reduces the risk of hand-built queries. By limiting certain extension interactions, Drupal also helps prevent server errors.

Authentication and Session Management
Drupal Core manages user accounts and authentication. Authentication cookies, user IDs, and passwords are stored securely. Passwords are hashed using a secure PHP algorithm, and sessions are destroyed upon login or logout, enhancing session security.
Cross-Site Scripting (XSS) Prevention
Drupal includes a comprehensive filtering system to handle user-generated content. Dangerous elements are filtered out by default, with at least eight API functions available to developers to ensure secure content output and mitigate XSS vulnerabilities.
Preventing Insecure Direct Object Reference
Drupal uses direct object references, such as user IDs in URLs, but its permissions system restricts unauthorized access. The platform also offers obfuscation methods and form API validation to prevent unauthorized access.
Security Misconfiguration
Drupal restricts access to critical controls and administrative functions to default admin accounts only. Detailed documentation on secure configurations and automated security projects on Drupal.org help administrators safeguard their sites.
Missing Function-Level Access Control
Drupal’s permission-based system protects function access by checking authorization at every level. The URL access checks are integrated into the menu and routing system, ensuring consistent visibility and page protection.

Cross-Site Request Forgery (CSRF) Protection
Drupal mitigates CSRF risks by validating user intent on actions with potential side effects, such as deleting database records, and by requiring those actions to use the HTTP POST method rather than GET. The Form API adds CSRF protection tokens to the forms it renders and checks them on POST submissions, strengthening request security.
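As an added example (not Drupal's own code), the following stand-alone PHP mirrors how Drupal's CsrfTokenGenerator builds and checks a Form API token: a random per-session seed, an HMAC-SHA256 over the protected value keyed with that seed plus the site's private key and hash salt, and a constant-time comparison on validation. The class name, the array standing in for Drupal's session store, and the key and salt values are constructed for illustration.

```php
<?php
// Added example, not Drupal's own code: a stand-alone re-implementation of
// the scheme behind Drupal's CsrfTokenGenerator. The class name, the
// session array and the key/salt values below are constructed.
final class ExampleCsrfTokenGenerator {
  private array $session;      // stand-in for Drupal's session metadata bag
  private string $privateKey;  // stand-in for the site private key
  private string $hashSalt;    // stand-in for the hash_salt in settings.php
  public function __construct(array &$session, string $privateKey, string $hashSalt) {
    $this->session = &$session;
    $this->privateKey = $privateKey;
    $this->hashSalt = $hashSalt;
  }
  // Base64url-encoded HMAC-SHA256, the shape Drupal's Crypt::hmacBase64() produces.
  private function hmacBase64(string $data, string $key): string {
    return rtrim(strtr(base64_encode(hash_hmac('sha256', $data, $key, true)), '+/', '-_'), '=');
  }
  // Token = HMAC(value) keyed with seed + private key + hash salt.
  private function computeToken(string $seed, string $value): string {
    return $this->hmacBase64($value, $seed . $this->privateKey . $this->hashSalt);
  }
  // Issue a token bound to $value (e.g. a form ID), creating the session seed on first use.
  public function get(string $value = ''): string {
    if (empty($this->session['csrf_token_seed'])) {
      $this->session['csrf_token_seed'] = base64_encode(random_bytes(32));
    }
    return $this->computeToken($this->session['csrf_token_seed'], $value);
  }
  // Constant-time check; a session that never issued a token has no seed and always fails.
  public function validate(string $token, string $value = ''): bool {
    $seed = $this->session['csrf_token_seed'] ?? '';
    return $seed !== '' && hash_equals($this->computeToken($seed, $value), $token);
  }
}

// Constructed demo: two browser sessions against one site's key and salt.
$alice = []; $mallory = [];
$site = ['constructed-private-key', 'constructed-hash-salt'];
$forAlice = new ExampleCsrfTokenGenerator($alice, ...$site);
$forMallory = new ExampleCsrfTokenGenerator($mallory, ...$site);
$token = $forAlice->get('node_delete_form');
assert($forAlice->validate($token, 'node_delete_form'));             // genuine submission
assert(!$forAlice->validate($token, 'user_cancel_form'));            // token is bound to its form
assert(!$forAlice->validate(substr($token, 1), 'node_delete_form')); // tampered token
assert(!$forMallory->validate($token, 'node_delete_form'));          // another session's seed differs
echo "CSRF token checks passed\n";
```

Run with `php -d zend.assertions=1` so the assert() calls are evaluated.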
Trusted by Government Agencies
Drupal’s security makes it a popular choice among U.S. government agencies, with over 24% of .gov sites built on this platform. Some federal agencies using Drupal include:
- The White House / Whitehouse.gov
- House of Representatives / House.gov
- NASA / NASA.gov
- Department of Education / Ed.gov
- Department of Energy / Energy.gov
- Department of Commerce / Commerce.gov
- Department of Health and Human Services / Hhs.gov
- Department of Defense / Defense.gov
- Department of Transportation / Transportation.gov
- National Security Agency / Nsa.gov
Although open-source platforms are sometimes assumed to be less secure, Drupal has a proven history of countering this assumption. With numerous high-profile companies and government agencies relying on its security, Drupal continues to overcome misconceptions and demonstrate its reliability as a secure CMS.