This module is about strengthening the security of your Drupal site. Drupal is fairly secure out of the box, but as new technology emerges with HTML5, site maintainers must keep up.

This module:

  • Allows you to move your administration panel from /admin to /something-else. This is done by modifying the menu entries, not simply by rewriting URLs on input and output.
  • Manages JavaScript sources to minimize the risk of Cross-Site Scripting (XSS) attacks
  • Hashes passwords client-side
  • More to come...

Change URL of administration panel

Move all of the administration panel URLs from admin/something to secret/something. This prevents attackers from targeting vulnerable admin pages because the location does not exist. Note that enabling this module will cause issues with core's Toolbar module. The majority of links will be removed from the menu because the Toolbar module specifically looks for URLs with the path admin/% when building the menu. These paths do not exist and therefore the menu links are not added. This is not an issue with the Admin Menu module.

Preventing Cross-Site Scripting

The Content Security Policy allows site managers to control JavaScript sources (among others) on their site. By setting the appropriate headers, site managers can dictate whether or not inline JavaScript can be run. Blocking the execution of inline JavaScript greatly reduces the risk of your site being hit with a Cross-Site Scripting attack.
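
To check whether a given policy actually blocks inline JavaScript, the following added example (not part of this module's code) parses a single Content-Security-Policy header value and reports whether arbitrary inline scripts would still run. The function names and the sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value for inline-script
// exposure. Handles one policy string (no comma-separated policy lists).

// Parse "directive src src; directive src" into a Map of name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when any inline <script> block would be allowed to execute.
function allowsUnrestrictedInlineScript(headerValue) {
  const directives = parseCsp(headerValue);
  // Inline scripts are governed by script-src, falling back to default-src.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing restricts scripts at all
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes CSP Level 2+ browsers ignore 'unsafe-inline',
  // so only scripts carrying the nonce or matching the hash can run.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies, from strict to ineffective.
const samples = [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",
  "img-src *",
];
for (const policy of samples) {
  const verdict = allowsUnrestrictedInlineScript(policy) ? 'inline allowed' : 'inline blocked';
  console.log(`${verdict}: ${policy}`);
}
```

A policy that sets neither script-src nor default-src, such as the last sample, places no restriction on scripts.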

Note that the Content Security Policy is fairly new and is only supported in the following browsers:

  • All modern versions of Firefox (from version 4 onward)
  • All modern versions of Chrome (from version 14 onward)
  • Internet Explorer 10 and later
  • Safari 5.1 and later (6.0 on mobile)
  • And More...

Client-Side Password Hashing

We strongly encourage the use of HTTPS/SSL for all sensitive data, including user passwords. In some cases, this is not feasible or is not done. Rather than transmitting passwords in plain text, enable client-side hashing, which uses PBKDF2 to hash passwords before transmission. Note that you will need to update your password to continue logging into the site once this feature is enabled. You will also need to include the CryptoJS library.

And More...

We are constantly reviewing the current features of this module and adding new ones to help keep your site secure.
