Problem/Motivation

From #2758987: Anonymous users being registered and added to database, how Drupal is used by site builders and maintainers can be insecure. The existing Security in Drupal 8 guide section covers security of:

* manually written code
* automatically generated code

but nothing about how Drupal might be made more "locked down" from the pers

Proposed resolution

Add a page on "security best practice", at the very least linking to other existing guide pages, e.g.:

* User guide 4.5. Configuring User Account Settings
* Add a section on auditing role permissions: how to do that, and (linking if possible) what the administrator, anonymous and authenticated roles signify.
* Securing user #1

(The last item could maybe be migrated into the guide under "Security", although it's currently only for 6.x and 7.x.)

Remaining tasks

1. Add page with links as per above.
2. Improve UID=1 documentation with details for 8.x (or at least check).
3. Review configuration of a newly installed Drupal site for any other possibilities.
4. Decide what happens to this page in the light of the security advice yet to be migrated from pre-guide doc pages.

User interface changes

None.

API changes

None.

Data model changes

None.

Comments

jp.stacey created an issue. See original summary.

jp.stacey

Reviewed UID=1 documentation in light of 8.x; now looking at configuration screens on a new Drupal site to see if any other notes can be added.

jp.stacey

Status: Active » Needs review

Reviewed configuration, but I've also found the following section awaiting migration into the guides:

https://www.drupal.org/security/secure-configuration

At least some of that could make this new page unnecessary once it's actually been migrated. Right now, though, the guide is definitely a dead end for a lot of site-builder advice. So it would be good to be able to make this new page live in the interim.

jp.stacey

Status: Needs review » Fixed

Published by @tvn: https://www.drupal.org/node/2816673/discuss#comment-11728237

Closing this issue as fixed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.