Drupal Archive_Tar Vulnerability – 12/18/2019

Issue: On December 18, 2019, Drupal reported that Archive_Tar, the archive-handling library used by the Drupal content management system (CMS), has multiple vulnerabilities that affect any Drupal website configured to allow and process .tar, .tar.gz, .bz2, or .tlz file uploads.

Versions affected: 8.8.x-dev, 8.7.x-dev, 7.x-dev

Recommendation: Update Drupal 8; update Drupal 7.

Source: https://www.drupal.org/sa-core-2019-012

Learn more about website security in our Drupal 8 …

Add Feature-Policy in Drupal 8 with the Security Kit Module

The Feature-Policy HTTP header specifies which browser features a website and its <iframe> elements are allowed to use. Among the long list of controllable features, the most commonly restricted are autoplay (for videos), camera, fullscreen, and microphone. Below we’ll cover how to install the Security Kit module in Drupal 8 and enable Feature-Policy. Get high performance …

Add X-Frame-Options in Drupal 8 with the Security Kit Module

The X-Frame-Options HTTP header specifies whether your Drupal website may be embedded in other websites through the <frame>, <iframe>, <object>, or <embed> HTML tags. Denying such embedding protects the site against clickjacking and related attacks. Below we’ll cover how to install the Security Kit module and enable X-Frame-Options. Mozilla recommends using the superseding Content Security Policy …

Add HSTS in Drupal 8 with the Security Kit Module

Adding HSTS (HTTP Strict Transport Security) in Drupal 8 forces web browsers to load your website only over HTTPS with a valid SSL/TLS certificate. This protects the site against protocol downgrade attacks and similar man-in-the-middle (MITM) attacks. HSTS works like an HTTP-to-HTTPS redirect, but it is enforced by the browser itself before any request is sent. Below we’ll cover how to install the Security …

Add Content-Security-Policy (CSP) in Drupal 8

The Content-Security-Policy Drupal module helps you configure a Content-Security-Policy header that specifies which sources your website is allowed to load scripts from (e.g. your own website, embedded YouTube videos, and analytics trackers). Supporting web browsers then block script requests to any other source, which mitigates cross-site scripting (XSS) and other code injection attacks. There are …