Making Drupal More Secure
This site is running in a CMS called Drupal. It, like most CMS systems, allows users to easily create, edit, and delete content and manage many features of a website. But, like most, it is not without a few security flaws. Being a geek with more than a passing interest in security, I decided to try to make this site a little more secure, and possibly even PCI Compliant.
It is possible to make Drupal PCI Compliant, but it takes a little work. Now, for the record, I don't have, nor do I collect, data that falls under this standard, but some people do, and some of them run Drupal. There's not much information about the subject on the net, so I figure it's worth writing about. But be warned that there is a trade-off. By default, Drupal is set up to be more convenient for its users. Putting these modifications in place will make you log in EVERY time you close your browser window. To me, that's not a problem. I actually prefer that to be the case. Others, well, you may not like it as much. YMMV.
The first thing you need to do is force Drupal to use HTTPS for login. There are tutorials all over the net on how to install mod_ssl or Apache-SSL and configure it for HTTPS traffic, which is a prerequisite for this. There is currently no Drupal module that does just this, but you can get around it using .htaccess. In the root of your website, put the following somewhere in the .htaccess file:
RewriteEngine On
# a request arriving over plain HTTP (port 80) whose URI contains "user"...
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} user
# ...is redirected ([R]) to the same path over HTTPS; [L] stops further rewriting
RewriteRule ^(.*)$ https://www.DOMAINNAME.com/$1 [R,L]
This will force every request whose URL contains "user" (which includes the /user login page) to use https:// in the URL. I also recommend that you install the login_security module, which helps make it even better. I must also say that this won't work if you have a login box on your site. You'll have to force login through the /user page. If you look on this site, I just have a link for login in my "primary links."
Second, you need to make sure PHP is set to use session cookies. In your php.ini, you need to change the following two settings as shown:
session.use_cookies = 1
session.cookie_lifetime = 0
This tells PHP to use its own cookie-based session handling, and makes all of the "session cookies" die when the browser window is closed (that is what session.cookie_lifetime = 0 does).
In the sites/default/settings.php file, you'll also need to override Drupal's default behavior so that the cookie expires at browser close:
ini_set('session.cookie_lifetime', 0);  // 0 = cookie is dropped when the browser closes
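As an added example (my own check, not part of the original post or of Drupal), here is a small Python script that verifies both changes took effect. It runs here over constructed HTTP responses rather than a live site; the function names and the sample responses are assumptions. It confirms that a plain-HTTP request for /user is answered with a redirect to an https:// URL, and that the session cookie the HTTPS login page sets carries no Expires or Max-Age attribute, so it dies with the browser.

```python
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample responses (not captured from a real site) standing in for
# what "curl -i" would show for http://.../user and https://.../user.
HTTP_USER = ("HTTP/1.1 302 Found\r\n"
             "Location: https://www.example.com/user\r\n"
             "Content-Length: 0\r\n\r\n")
HTTPS_USER_GOOD = ("HTTP/1.1 200 OK\r\n"
                   "Set-Cookie: SESS0123abcd=s3cr3t; path=/\r\n"
                   "Content-Type: text/html\r\n\r\n<html>...</html>")
HTTPS_USER_BAD = ("HTTP/1.1 200 OK\r\n"
                  "Set-Cookie: SESS0123abcd=s3cr3t; expires=Tue, 01-Jan-2030 "
                  "00:00:00 GMT; Max-Age=2000000; path=/\r\n\r\n")

def parse_response(raw: str) -> Tuple[int, Headers]:
    """Split a raw HTTP/1.x response into its status code and header list."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    code = int(lines[0].split()[1])
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return code, headers

def login_forced_to_https(code: int, headers: Headers) -> bool:
    """The .htaccess rule should answer a plain-HTTP /user request with a
    redirect whose Location is an https:// URL."""
    if code not in (301, 302, 303, 307, 308):
        return False
    locations = [v for n, v in headers if n == "location"]
    return bool(locations) and locations[0].lower().startswith("https://")

def cookie_dies_with_browser(headers: Headers) -> bool:
    """With session.cookie_lifetime = 0 the Set-Cookie header carries neither
    Expires nor Max-Age, so the browser drops it when the window closes."""
    cookies = [v for n, v in headers if n == "set-cookie"]
    if not cookies:
        return False  # no session cookie issued, so nothing to verify
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if any(a.startswith(("expires=", "max-age=")) for a in attrs):
            return False
    return True
```

To check a real site, replace the constructed strings with the output of `curl -i http://www.DOMAINNAME.com/user` and `curl -i https://www.DOMAINNAME.com/user`.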
Following these steps will go a LONG way to help make your site PCI Compliant. Of course, you'll still have to contend with the software versions, firewalls, Apache configurations, and about a million other things....;o)