| Task | Section | When it applies |
|---|---|---|
| Understand Drupal's security layers | Security Overview | Understanding Drupal's defense-in-depth security model when architecting applications, evaluating modules, or responding to security advisories. |
| Map OWASP Top 10 to Drupal | OWASP Top 10 in Drupal | When evaluating Drupal applications against industry-standard security risks or conducting security audits. |
| Implement access control on routes | Access System Architecture | When designing routes, controllers, or entities that require access control -- understanding the architecture prevents security gaps. |
| Define permissions and roles | Permissions and Roles | Defining what actions users can perform and grouping those permissions into roles. |
| Add access checks to routes | Route Access Checks | Protecting routes (URLs) from unauthorized access before the controller executes. |
| Return access results correctly | AccessResult Patterns | Returning access decisions from custom access checks, entity access handlers, or any code that determines access. |
| Control entity access | Entity Access Control | Controlling access to entity operations (view, update, delete, create) through entity access handlers. |
| Implement node grants | Content Access (Node Grants) | When entity access handlers are insufficient -- node grants enable database-level access filtering for complex content access rules (e.g., organic groups, taxonomy access, workflow states). |
| Prevent XSS attacks | XSS Prevention | Whenever displaying user-generated content or building HTML output -- XSS (Cross-Site Scripting) is one of the most common web vulnerabilities. |
| Use Twig safely | Twig Autoescape and Safe Markup | Understanding Twig's automatic XSS protection when building themes or rendering output. |
| Prevent SQL injection | SQL Injection Prevention | Every database query -- SQL injection allows attackers to manipulate queries and access or modify data without authorization. |
| Protect against CSRF | CSRF Protection | Protecting state-changing operations (create, update, delete) from Cross-Site Request Forgery attacks, where malicious sites trick users into performing unwanted actions. |
| Validate and sanitize input | Input Validation and Sanitization | Every point where user input enters the system -- validation ensures data integrity; sanitization prevents injection attacks. |
| Configure authentication | Authentication System | Understanding how Drupal identifies users and when to implement custom authentication providers (OAuth, SAML, LDAP, API keys). |
| Manage sessions securely | Session Management | Understanding session security to prevent session fixation and hijacking, and to ensure a proper session lifecycle. |
| Use trusted callbacks | Trusted Callbacks | When using callbacks in render arrays (#pre_render, #post_render, #lazy_builder) -- Drupal requires an explicit trust declaration to prevent arbitrary code execution. |
| Set security headers | Security Headers (CSP, CORS) | Configuring HTTP security headers to prevent clickjacking, MIME sniffing, and XSS, and to control cross-origin requests. |
| Secure file uploads | File Upload Security | Whenever users can upload files -- unrestricted file upload is one of the most dangerous vulnerabilities (remote code execution). |
| Follow security best practices | Best Practices and Patterns | When establishing security standards for a project or conducting code reviews. |
| Avoid common mistakes | Anti-Patterns and Common Mistakes | During code review or when debugging security issues -- recognize dangerous patterns in order to avoid them. |
| Find security code references | Code Reference Map | |