Security is paramount for almost any web application. We will look at security best practices that keep your site safe and take the perspective of an attacker to understand how vulnerabilities are actually exploited. We will show common mistakes that Drupal developers make when they write code and how to avoid them. As members of the Drupal security team and code review administrators on drupal.org we have seen a lot of code and what can go wrong with it, and we will share that experience in three areas:
- XSS, CSRF, access bypass, SQL injection and DoS, explained with examples
- Secure configuration (web server, file permissions, etc.)
- Tools and modules that improve the security of your site
This session is relevant to all PHP web applications, but code examples are mostly from Drupal core 7.x and 8.x. The session will also touch on some security improvements in Drupal 8 such as using auto-escaping in the Twig template engine (XSS prevention) and built-in CSRF token support in the routing system.
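To make the mistake classes concrete, here is an added example that is not part of the session material: a hypothetical Drupal 7 module (`sec_demo`; every `sec_demo_*` name, path and token value is an assumption) with one page callback written the way we often see it in code review and the same callback hardened. It assumes a bootstrapped Drupal 7 site and uses only core 7.x APIs (`hook_menu()`, `db_query()`, `check_plain()`, `drupal_get_token()`, `drupal_valid_token()`).

```php
<?php
/**
 * @file
 * Illustrative Drupal 7 module (assumed name: sec_demo). Added example, not
 * code from the session or from Drupal core. Requires a Drupal 7 bootstrap.
 */

/**
 * Implements hook_menu().
 */
function sec_demo_menu() {
  $items = array();

  // Access bypass: 'access callback' => TRUE lets any visitor reach a
  // callback that changes user state.
  $items['sec-demo/unsafe/%'] = array(
    'page callback' => 'sec_demo_unsafe_page',
    'page arguments' => array(2),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // Hardened: the menu system checks a permission before the callback runs.
  $items['sec-demo/safe/%'] = array(
    'page callback' => 'sec_demo_safe_page',
    'page arguments' => array(2),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Vulnerable page callback: SQL injection, XSS and CSRF in a few lines.
 */
function sec_demo_unsafe_page($name) {
  // SQL injection: the URL argument is concatenated into the query string.
  $uid = db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'")->fetchField();

  // XSS: the same untrusted value is echoed into markup unescaped.
  $out = '<h2>Lookup for ' . $name . '</h2>';

  // CSRF: a state-changing action is triggered by a plain GET parameter,
  // so any page that embeds this URL can block the user on the admin's behalf.
  if (!empty($_GET['block'])) {
    db_update('users')->fields(array('status' => 0))->condition('uid', $uid)->execute();
  }
  $out .= l('Block this user', 'sec-demo/unsafe/' . $name, array('query' => array('block' => 1)));

  return $out;
}

/**
 * Hardened page callback.
 */
function sec_demo_safe_page($name) {
  // Placeholders: the database layer quotes and escapes the value.
  $uid = db_query("SELECT uid FROM {users} WHERE name = :name", array(':name' => $name))->fetchField();

  // Escape on output. In Drupal 8 a Twig template does this automatically.
  $out = '<h2>Lookup for ' . check_plain($name) . '</h2>';

  // Only change state when the request carries a valid per-session token
  // bound to this specific action (assumed token value: 'sec_demo_block_<name>').
  if (!empty($_GET['block'])) {
    if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'sec_demo_block_' . $name)) {
      return MENU_ACCESS_DENIED;
    }
    db_update('users')->fields(array('status' => 0))->condition('uid', $uid)->execute();
  }

  // The link we generate ourselves carries the token; a forged link cannot.
  $out .= l('Block this user', 'sec-demo/safe/' . $name, array(
    'query' => array(
      'block' => 1,
      'token' => drupal_get_token('sec_demo_block_' . $name),
    ),
  ));

  return $out;
}
```

The Drupal 8 counterpart moves two of these checks out of the callback and into the route definition: in the module's `*.routing.yml`, `requirements: _permission: 'administer site configuration'` replaces the `access arguments` entry, and `requirements: _csrf_token: 'TRUE'` makes the routing system reject any request whose `token` query parameter does not validate, so the callback never sees an unauthenticated state change.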