Problem/Motivation
Following #2758987 (Anonymous users being registered and added to database), the way Drupal is configured and used by site builders and maintainers can itself be insecure. The existing Security in Drupal 8 guide section covers the security of:
* manually written code
* automatically generated code
but nothing about how Drupal might be made more "locked down" from the pers
Proposed resolution
Add a page on "security best practice", at the very least linking to other existing guide pages e.g:
* User guide 4.5. Configuring User Account Settings
* Add a section on auditing role permissions: how to do that, and (linking if possible) what the administrator, anonymous and authenticated roles signify.
* Securing user #1
(The last item could maybe be migrated into the guide under "Security", although it's currently only for 6.x and 7.x.)
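The auditing of role permissions proposed above can be done against a configuration export rather than by reading through the Permissions page. The following is an added example, not part of this issue, the guide, or Drupal core. It assumes the standard config export layout (one user.role.<id>.yml file per role plus user.settings.yml, as written by drush config:export), parses only the flat YAML subset those files use, and flags three things a site builder would want to know: the built-in anonymous and authenticated roles holding restricted permissions, any role other than administrator with is_admin set to true, and open self-registration in user.settings (the situation behind #2758987). The sample files and the list of restricted permissions are constructed for illustration and are not exhaustive.

```python
"""Audit an exported Drupal 8 configuration for weak role and
account-registration settings.

Added example, not part of the drupal.org issue or of Drupal core.
Assumptions: files follow the standard config export layout
(user.role.<id>.yml per role, user.settings.yml) and use only the
flat "key: value" / "key:\n  - item" YAML subset Drupal writes there.
"""
import re

# Permissions Drupal core marks "restrict access" (holding one is close to
# full site control). Illustrative subset, not an exhaustive list.
RISKY_PERMISSIONS = {
    "administer users", "administer permissions", "administer modules",
    "administer site configuration", "administer software updates",
    "bypass node access", "administer nodes", "administer content types",
}

# Every visitor / every logged-in user gets these; keep them minimal.
BUILTIN_ROLES = ("anonymous", "authenticated")


def _unquote(s):
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        return s[1:-1]
    return s


def _scalar(value):
    """Turn a YAML scalar into a Python value (bool/None/int/str);
    an empty flow mapping or list ("{  }", "[]") becomes []."""
    if re.fullmatch(r"\{\s*\}|\[\s*\]", value):
        return []
    value = _unquote(value)
    low = value.lower()
    if low == "true":
        return True
    if low == "false":
        return False
    if low in ("null", "~"):
        return None
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text):
    """Parse the flat subset of YAML used by Drupal config exports.
    Not a general YAML parser: one list level, no nested mappings."""
    data, current_list = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        item = re.match(r"^\s+-\s+(.*)$", line)
        if item and current_list is not None:
            data[current_list].append(_unquote(item.group(1)))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":  # "permissions:" followed by "- item" lines
            data[key], current_list = [], key
        else:
            data[key], current_list = _scalar(value), None
    return data


def audit_roles(role_files):
    """role_files: {filename: yaml text}. Returns a list of findings."""
    findings = []
    for name, text in sorted(role_files.items()):
        role = parse_simple_yaml(text)
        rid = role.get("id", name)
        is_admin = role.get("is_admin") is True
        risky = sorted(set(role.get("permissions") or []) & RISKY_PERMISSIONS)
        if is_admin and rid != "administrator":
            findings.append(f"{rid}: is_admin is true (role bypasses every permission check)")
        if rid in BUILTIN_ROLES and risky:
            findings.append(f"{rid}: built-in role holds restricted permission(s): {', '.join(risky)}")
        elif risky and not is_admin:
            findings.append(f"{rid}: holds restricted permission(s): {', '.join(risky)}; confirm this role is meant to administer the site")
    return findings


def audit_user_settings(text):
    """Flag open self-registration, the situation behind #2758987."""
    settings = parse_simple_yaml(text)
    findings = []
    if settings.get("register") == "visitors":
        findings.append("user.settings: register is 'visitors' (anyone may create an account, no approval); prefer 'visitors_admin_approval' or 'admin_only'")
    if settings.get("register") != "admin_only" and settings.get("verify_mail") is False:
        findings.append("user.settings: verify_mail is false (new accounts need no e-mail confirmation)")
    return findings


# Constructed sample export (relevant keys only), not taken from a real site.
SAMPLE_ROLES = {
    "user.role.administrator.yml": "id: administrator\nlabel: Administrator\nis_admin: true\npermissions: {  }\n",
    "user.role.anonymous.yml": "id: anonymous\nlabel: 'Anonymous user'\nweight: -10\nis_admin: null\npermissions:\n  - 'access content'\n  - 'administer users'\n",
    "user.role.authenticated.yml": "id: authenticated\nlabel: 'Authenticated user'\nis_admin: null\npermissions:\n  - 'access content'\n  - 'access site-wide contact form'\n",
    "user.role.editor.yml": "id: editor\nlabel: Editor\nis_admin: null\npermissions:\n  - 'access content'\n  - 'bypass node access'\n",
}
SAMPLE_USER_SETTINGS = "register: visitors\nverify_mail: false\npassword_reset_timeout: 86400\n"

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES) + audit_user_settings(SAMPLE_USER_SETTINGS):
        print(finding)
```

On a real site, point audit_roles at the user.role.*.yml files in the config sync directory; the point of working from the export is that the same check can run in CI on every configuration change rather than once at launch.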
Remaining tasks
1. Add page with links as per above.
2. Improve UID=1 documentation with details for 8.x (or at least check it).
3. Review configuration of a newly installed Drupal site for any other possibilities.
4. Decide what happens to this page in the light of the security advice yet to be migrated from pre-guide doc pages.
User interface changes
None.
API changes
None.
Data model changes
None.
Comments
Comment #2
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Comment #3
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Comment #4
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Comment #5
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Comment #6
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Comment #7
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Added page: https://www.drupal.org/docs/8/security/secure-configuration-for-site-bui...
Comment #8
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Reviewed UID=1 documentation in light of 8.x; now looking at configuration screens on a new Drupal site to see if any other notes can be added.
Comment #9
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Reviewed configuration, but I've also found the following section awaiting migration into the guides:
https://www.drupal.org/security/secure-configuration
At least some of that could make this new page unnecessary: once it's actually been migrated. Right now, though, the guide is definitely a dead end for a lot of site-builder advice. So it would be good to be able to make this new page live in the interim.
Comment #10
jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Published by @tvn: https://www.drupal.org/node/2816673/discuss#comment-11728237
Closing this issue as fixed.