Even if most of us will not get to Drupalcon, we still have our Security Cheat Sheets there. Get them at any of the security presentations. This is an online version of the sheet:

Basic standards

• Avoid FTP at all cost
• Use SCP, FTPS or SFTP
• Is your hosting safe? http://tinyurl.com/safe-hosting
• Use Suhosin with PHP http://tinyurl.com/suhosin-drupal
• Backup your files, database. Store the backup off-site

Stay on track

• Enable e-mail status at Reports -> Available updates -> Settings
• Watch http://drupal.org/security
• RSS channels http://drupal.org/security
• Security newsletter http://drupal.org/user -> Edit account -> Newsletters
• Drush is your update friend http://drupal.org/project/drush

Cross Site Scripting

• Client side script vulnerability http://en.wikipedia.org/wiki/Cross-site_scripting
• Use check_plain() for user/admin input http://tinyurl.com/check-plain
• Use filter_xss() for user input with HTML http://tinyurl.com/filter-xss
• Use filter_xss_admin() for admin input with HTML http://tinyurl.com/filter-xss-admin
• Rich text? Use check_markup() http://tinyurl.com/check-markup
• Forms API weirdness (radios, checkboxes) http://tinyurl.com/forms-api-security

SQL Injection

• Always critical! Description http://en.wikipedia.org/wiki/SQL_injection
• Use query tokens http://tinyurl.com/sql-tokens
• String '%s', Integer %d, Float '%f', Blob %b
• For table names, db_escape_table() http://tinyurl.com/db-escape-table

Cross Site Request Forgery

• Description http://en.wikipedia.org/wiki/Cross-site_request_forgery
• Use Forms API http://tinyurl.com/forms-api
• Take actions in forms API _submit()
• For GET, use drupal_get_token/drupal_valid_token() http://tinyurl.com/drupal-valid-token

Access control

• First friend, hook_menu() http://tinyurl.com/hook-menu
• Access for your node type, node_access() http://tinyurl.com/node-access
• Limiting access to nodes hook_node_access_records() http://tinyurl.com/node-access-records
• And hook_node_grants() http://tinyurl.com/node-grants
• Working with nodes? Always use db_rewrite_sql() http://tinyurl.com/db-rewrite-sql

Need help or independent review?

• Contact our consultants at info@dynamiteheads.com
• Remember +44 (0) 203 1296 656 (UK)