Cracking Drupal

Moshe Weitzman

Security is paramount for almost any web application. We will take a look at security best practices to keep your site safe, and take the perspective of an attacker to understand how they exploit things. We will show you common mistakes that Drupal developers make when they write code and how they can be avoided. As members of the security team and code review administrators on we have seen a lot of code and what can go wrong with it. We will share our experience on:

  • XSS, CSRF, access bypass, SQL injection and DoS explained
  • Secure configuration (web server, file permissions, etc.)
  • Tools and modules to improve security on your site

This session is relevant to all PHP web applications, but code examples are mostly from Drupal core 7.x and 8.x. The session will also touch on some security improvements in Drupal 8 such as using auto-escaping in the Twig template engine (XSS prevention) and built-in CSRF token support in the routing system.

When & Where

Wednesday, 28 September, 2016 - 17:00 to 18:00
Wicklow Meeting 1 | Lingotek