Securing your portal

The developer portal is essentially a content management system (CMS) based on the open source Drupal (http://www.drupal.org) project. Drupal provides a core set of features in the form of modules that make it easy for you to build the content for, as well as manage, websites.

Drupal also has many security features that you should be familiar with as you build your portal. This page does not attempt to explain all of the Drupal security features, but instead contains links to documentation on some of the most commonly used Drupal security features.

Along with the security information described in the table below, you should also be familiar with Drupal's best practices for coding standards and security as described on this page: https://www.drupal.org/developing/best-practices.

| Topic | Link |
|---|---|
| General guidelines | See this article on general Drupal security topics: https://www.drupal.org/security/secure-configuration. |
| How Drupal stores passwords | See the section "Improved hashing algorithms" on this page: https://docs.acquia.com/articles/improvements-security-drupal-7-8 |
| Prevent brute force login attacks | See the section "Drupal 7's built-in brute force detection" on this page: https://docs.acquia.com/articles/improvements-security-drupal-7-8. If you want to view or edit this configuration in the Drupal UI, you can use the information here: https://www.drupal.org/project/flood_control |
| Prevent username enumeration | Username enumeration is a method attackers use to identify which usernames exist by submitting the forgot password form, which by default indicates whether or not the specified username exists. Attackers can keep trying usernames until they find a valid user. To prevent username enumeration, install the Username Enumeration Prevention module. |
| Add password policy enforcement | A password policy defines the complexity requirements for user passwords. For more information, see: https://www.drupal.org/project/password_policy |
| Enable automatic logout after a period of inactivity | The Drupal Automated Logout module can end a user's session after a defined period of inactivity. For more information, see: https://www.drupal.org/project/autologout |
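
The username enumeration row above describes a forgot password form whose reply differs for existing and non-existing accounts. The following is an added example, not code from Drupal, the portal, or the Username Enumeration Prevention module: a small Python model of a leaky and a uniform reset handler, plus a regression check that flags the difference. The account store, message texts, and function names are all constructed for illustration.

```python
"""Model of a password-reset handler: leaky vs. uniform replies (constructed example)."""

# Constructed account store: username -> e-mail address.
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.com"}

# Same text whether or not the account exists (constructed wording).
UNIFORM_MSG = "If the account exists, further instructions have been sent."


def find_account(identifier):
    """Look up by username or e-mail, case-insensitively; None if absent."""
    wanted = identifier.strip().lower()
    for name, mail in ACCOUNTS.items():
        if wanted in (name.lower(), mail.lower()):
            return name
    return None


def reset_leaky(identifier, outbox):
    """Leaky behaviour: the reply reveals whether the account exists."""
    name = find_account(identifier)
    if name is None:
        return (False, f"Sorry, {identifier} is not recognized as a user name.")
    outbox.append(ACCOUNTS[name])
    return (True, "Further instructions have been sent to your e-mail address.")


def reset_uniform(identifier, outbox):
    """Hardened behaviour: identical reply; mail is queued only for real accounts."""
    name = find_account(identifier)
    if name is not None:
        outbox.append(ACCOUNTS[name])
    return (True, UNIFORM_MSG)


def leaks_existence(handler, known, unknown):
    """Regression check: True if replies for a known and an unknown name differ."""
    def normalise(reply, ident):
        # Mask the echoed input so it does not count as a difference by itself.
        ok, text = reply
        return (ok, text.replace(ident, "<id>"))
    return normalise(handler(known, []), known) != normalise(handler(unknown, []), unknown)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_existence(reset_leaky, "alice", "mallory"))
    print("uniform handler leaks:", leaks_existence(reset_uniform, "alice", "mallory"))
```

The check compares only the status and message text; differences in response time between the two cases are a separate channel that this model does not measure.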