Security is paramount, for almost any web application. We will take a look at security best practices to keep your site safe and take the perspective of an attacker to understand how they exploit things. We will show you common mistakes that Drupal Developers make when they write code and how they can be avoided. As members of the security team and code review administrators on drupal.org we have seen a lot of code and what can go wrong with it. Sharing our experience about:
- XSS, CSRF, Access Bypass, SQL injection, DOS explained
- Secure configuration (web server, file permissions, etc.)
- Tools and Modules to improve security on your site
This session mostly applies to both Drupal core 7.x and 8.x versions. We will also talk about some security improvements in Drupal 8 such as auto-escaping of the Twig template engine (XSS prevention) and built-in CSRF token support in the routing system.