More Security in Drupal 8 over Drupal 7

Prerequisite for attendees

Basic familiarity with Drupal 7 & 8

Session Details/Overview

In this 30-minute session you will learn why Drupal 8 is more secure than Drupal 7.

Security is very hard to bolt onto any software or product after it has been built. Building it into the core of the code helps to avoid mistakes, so Drupal 8 builds in more security by default while remaining usable for developers and site builders.

We’ll go through the points where security has been improved:

  • Twig templates used for HTML generation, with output autoescaping on by default
  • Removed the PHP input filter and the use of PHP as a configuration import format
  • Site configuration exportable, manageable as code, and versionable
  • Improved user content entry and filtering
  • Hardened user session and session ID handling
  • Automated CSRF token protection in route definitions
  • Trusted host patterns enforced for requests
  • PDO MySQL limited to executing single statements
  • Clickjacking protection (X-Frame-Options: SAMEORIGIN) enabled by default
  • Core JavaScript API compatible with Content Security Policy
  • Further hardening and fixes driven by the security bug bounty program
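
As an added illustration of the first point (this is example code written for this page, not code from the session or from Drupal core), the script below runs the Twig library stand-alone to show what autoescaping does to an untrusted value. It assumes `twig/twig` has been installed with Composer; the title string and template names are constructed for the example.

```php
<?php
// Added example: stand-alone Twig showing the output autoescaping that
// Drupal 8 enables for all templates. Assumes `composer require twig/twig`.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample input: a node title supplied by an untrusted user.
$title = '<script>alert("xss")</script>';

// Drupal 7 style (PHPTemplate): whatever is printed lands in the page as-is.
// Escaping is the caller's job; forgetting check_plain() here is an XSS.
$drupal7 = '<h1>' . $title . '</h1>';

// Drupal 8 style (Twig): autoescape is on, so {{ title }} is HTML-escaped
// unless a developer explicitly opts out with the |raw filter.
$loader = new ArrayLoader([
  'safe.html.twig'   => '<h1>{{ title }}</h1>',
  'unsafe.html.twig' => '<h1>{{ title|raw }}</h1>',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

echo "PHPTemplate : $drupal7\n";
echo 'Twig        : ' . $twig->render('safe.html.twig', ['title' => $title]) . "\n";
echo 'Twig |raw   : ' . $twig->render('unsafe.html.twig', ['title' => $title]) . "\n";
```

The first and third lines print the script tag verbatim; the second prints `&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;`, because Twig's html escaper applies htmlspecialchars with ENT_QUOTES. The practical consequence for reviewing a Drupal 8 theme is that the places to audit shrink to explicit `|raw` uses and values already marked safe, rather than every print statement as in a PHPTemplate theme.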

Key takeaways

At the end of this session, attendees will know:

  • What the new key security elements are
  • Where Drupal 8 has the advantage over Drupal 7 in terms of security