Security Review

Security Review automates checking many configuration errors that lead to insecure Drupal sites and looks for existing vulnerabilities and attack attempts.

security_review
18,103 sites
123
drupal.org

Install

Drupal 11, 10 v3.1.1
composer require 'drupal/security_review:^3.1'

Overview

Security Review is a comprehensive security auditing module for Drupal that automates the process of checking configuration errors and vulnerabilities that can lead to an insecure site. It performs 18 different security checks covering permissions, file access, input formats, database errors, file extensions, and more.

The module's primary goal is to elevate awareness of the importance of securing your Drupal site. It does not automatically make your site secure but provides detailed reports and guidance for manual security hardening. Results may vary depending on unique site factors, and administrators should use the checklist results and resources to manually secure their site.

Security Review provides both a web-based UI for running checks and viewing results and Drush commands for integration into automated security audits and CI/CD pipelines. The module uses a plugin-based architecture that allows other modules to define custom security checks.

Features

  • Automated security checklist with 18 built-in security checks covering common vulnerabilities
  • Plugin-based architecture allowing custom security checks from other modules
  • Web UI for running checks, viewing results, and accessing detailed help for each check
  • Drush command integration for automated security audits and CI/CD pipelines
  • Configurable untrusted roles to define which user roles should be treated as potentially malicious
  • Per-check configuration options for fine-tuning security check behavior
  • Skip functionality to exclude known false positives or intentional configurations
  • Batch processing for resource-intensive checks on large sites
  • Detailed help pages explaining each security issue and remediation steps
  • Watchdog logging of check results for security auditing
  • Detection of brute-force login attempts and SQL injection attempts via log analysis
  • File permission verification to ensure the web server cannot write to code directories
  • Content scanning for dangerous HTML tags (script, PHP) in submitted content
  • HTTP security header verification (X-Frame-Options and custom headers)

Use Cases

Regular Security Audits

Schedule regular security reviews using Drush commands in cron jobs or CI/CD pipelines. Run 'drush secrev --store' to execute all checks and store results. Enable logging to maintain an audit trail of security check results over time.

Pre-deployment Security Verification

Integrate Security Review into your deployment pipeline by running 'drush secrev' before deploying to production. The command returns a non-zero exit code if any checks fail, allowing you to block deployments that introduce security issues.

New Site Security Baseline

After setting up a new Drupal site, run Security Review to establish a security baseline. Address all failures before launching. Document any intentionally skipped checks and their justifications.

Post-compromise Investigation

If you suspect a site has been compromised, run the Fields check to scan content for injected script or PHP code. Check Query Errors and Failed Logins for evidence of attack attempts in the logs.

Compliance Documentation

Use Security Review reports as part of security compliance documentation. The module's logging feature creates an audit trail that can be provided to auditors to demonstrate regular security testing.

Custom Security Checks

Extend Security Review by creating custom security check plugins. Implement SecurityCheckInterface in a custom module to add organization-specific security requirements to the automated checklist.

Tips

  • Grant Security Review permissions only to trusted administrator roles, as the reports reveal sensitive security information about your site
  • Configure untrusted roles immediately after installation to ensure checks accurately assess risks for your specific user base
  • Run Security Review via Drush for more accurate file permission results, as the web server user context differs from CLI
  • Use the --store option with Drush to save results for later review in the admin UI
  • Enable logging in production to maintain an audit trail of security check results
  • Integrate 'drush secrev' into your CI/CD pipeline to catch security issues before deployment
  • When skipping checks, document the reason using the skip metadata to maintain accountability
  • Review the help documentation for each check to understand what it tests and how to remediate issues
  • The module checks for attack evidence in logs - ensure dblog module is enabled for Query Errors and Failed Logins checks
  • Regularly review and update the untrusted roles configuration as your site's role structure changes

Technical Details

Admin Pages 4
Security Review /admin/reports/security-review

The main security review checklist page where administrators can run security checks, view results, and toggle individual checks on or off. Displays the timestamp of the last run and a table showing each check with its status (success, failure, warning, info), message, help link, and skip/enable toggle.

Security Review Settings /admin/config/security-review

Configuration page for Security Review module where administrators can define untrusted roles, enable logging, skip specific checks, and configure check-specific settings.

Security Review Help /admin/reports/security-review/help

General help page providing an overview of Security Review functionality and links to detailed help for each individual security check.

Check Help /admin/reports/security-review/help/{namespace}/{title}

Individual help page for each security check, displaying detailed information about what the check tests, why it matters, and how to remediate any issues found. Also shows skip status with user and timestamp if the check is skipped.

Permissions 2
Access security review pages

View security review checks and output. Grant only to trusted users as this reveals security-sensitive information about the site. This permission is marked as restricted.

Run security review checks

Execute the security review checks. Users with this permission can trigger the security audit process.

Hooks 4
hook_security_review_unsafe_tags_alter

Alter the list of HTML tags considered unsafe for XSS attacks

hook_security_review_unsafe_extensions_alter

Alter the list of file extensions considered unsafe for upload

hook_security_review_file_ignore_alter

Alter the list of file paths to ignore during the file permissions check

hook_security_review_temporary_files_alter

Alter the list of temporary/backup file patterns to check for in the site directory
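The following is an added example, not code from the Security Review module or this page, showing how a site-specific module could implement three of the alter hooks listed above to tighten the checks rather than loosen them. The module name `mysite_hardening`, the single by-reference array parameter of each hook, and the site-specific path are assumptions; confirm the signatures against the module's own `security_review.api.php` before use.

```php
<?php
// mysite_hardening.module (hypothetical module name).
// Each hook is assumed to receive one array by reference; the element format
// (plain tag names, bare extensions, relative paths) is also an assumption.

/**
 * Implements hook_security_review_unsafe_tags_alter().
 *
 * Treat additional embedding tags as unsafe so the Fields check also flags
 * content that smuggles them in, not only <script> and PHP.
 */
function mysite_hardening_security_review_unsafe_tags_alter(array &$unsafe_tags) {
  foreach (['iframe', 'object', 'embed', 'svg'] as $tag) {
    if (!in_array($tag, $unsafe_tags, TRUE)) {
      $unsafe_tags[] = $tag;
    }
  }
}

/**
 * Implements hook_security_review_unsafe_extensions_alter().
 *
 * Add further PHP-executable extensions so upload fields that allow them are
 * reported, not just the module's default list.
 */
function mysite_hardening_security_review_unsafe_extensions_alter(array &$unsafe_extensions) {
  foreach (['phar', 'phtml', 'php7', 'phps'] as $ext) {
    if (!in_array($ext, $unsafe_extensions, TRUE)) {
      $unsafe_extensions[] = $ext;
    }
  }
}

/**
 * Implements hook_security_review_file_ignore_alter().
 *
 * Exclude a directory that is intentionally writable by the web server
 * (assumed path: an aggregated-CSS cache) so the File Permissions check does
 * not keep reporting it as a failure. Keep this list short and reviewed:
 * every entry here is a place the check will no longer look.
 */
function mysite_hardening_security_review_file_ignore_alter(array &$file_list) {
  $ignored = 'sites/default/files/css'; // assumed site-specific path
  if (!in_array($ignored, $file_list, TRUE)) {
    $file_list[] = $ignored;
  }
}
```

After adding or changing these hooks, clear caches and rerun the checklist (for example with `drush secrev`) so the altered lists take effect.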

Drush Commands 1
drush security:review

Run the Security Review checklist and output results. Can be integrated into CI/CD pipelines for automated security auditing.

Troubleshooting 5
File permissions check times out on large sites

The file permissions check scans all files in the Drupal installation. For large sites, run the check via Drush CLI instead of the web UI. You can also add known-safe directories to the hushed files configuration.

Views Access check reports false positives for internal views

Enable the 'Ignore default view' option in the Views Access check settings if your default displays are intentionally unprotected and access is controlled at other levels.

Fields check takes too long to complete

The Fields check processes content in batches. For sites with large amounts of content, run via Drush. Known safe content can be excluded by adding hashes to the configuration.

Checks fail immediately after module installation

Run cron at least once after installation so the module can determine the web server's user ID for accurate file permission checking.

Drush command not finding custom checks

Ensure custom check modules are enabled. Use the namespace:title format for custom checks, e.g., 'drush secrev --check=mymodule:my_check'.

Security Notes 8
  • This module provides awareness of security issues but does not automatically secure your site - manual remediation is required
  • Results may be incorrect due to unique site factors such as custom configurations, reverse proxies, or hosting environments
  • Only grant Security Review permissions to trusted users as reports contain sensitive security information
  • The module writes test files during the File Permissions check - these are cleaned up automatically but may persist if the check fails
  • Logging of check results should be used carefully as logs may contain security-sensitive information
  • Skipping checks should be a deliberate decision with documented justification, not a way to hide security issues
  • The Fields check reveals content containing script tags which may be legitimate (e.g., embedded widgets) - review findings carefully
  • For maximum security, run checks both via web UI and Drush as they test different aspects of file permissions