10 Ways Drupal 8 Will Be More Secure
Peter Wolanin
Drupal 8's security model is inverted compared to Drupal 7: text output in a template is escaped by default, unless it was previously escaped or marked safe.
Text that has already been escaped is wrapped in a SafeString object. Beware legacy theme_ functions.
<?php /* Drupal 7 block.tpl.php: print outputs each variable as-is; any escaping must already have happened before the template runs. */ ?>
<div id="<?php print $block_html_id; ?>" class="<?php print $classes; ?>"<?php print $attributes; ?>>
  <?php print render($title_prefix); ?>
  <?php if ($block->subject): ?>
    <h2<?php print $title_attributes; ?>><?php print $block->subject ?></h2>
  <?php endif; ?>
  <?php print render($title_suffix); ?>
  <div class="content"<?php print $content_attributes; ?>>
    <?php print $content ?>
  </div>
</div>
{# Drupal 8 block.html.twig: Twig escapes every {{ }} output unless the value is marked safe (SafeString). #}
<div{{ attributes }}>
  {{ title_prefix }}
  {% if label %}
    <h2{{ title_attributes }}>{{ label }}</h2>
  {% endif %}
  {{ title_suffix }}
  {% block content %}
    {{ content }}
  {% endblock %}
</div>
The local image input filter was created to allow images on drupal.org.
It has been ported to Drupal 8 for everyone.
Session IDs are hashed when stored. Storing only the hashed value prevents session hijacking if the session storage (e.g. a database backup) is exposed.
Extra bonus: "www." is no longer stripped when deriving the session cookie name.
Support for sessions that work over both SSL and non-SSL (Secure Pages) has been removed. This encourages full SSL.
You will have to replace the session handling service if you really need this.
Routes can specify token protection for GET requests, instead of requiring hand-coded protection using API functions.
entity.shortcut.link_delete_inline:
  path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'
  defaults:
    _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline'
  requirements:
    _entity_access: 'shortcut.delete'
    # The router validates the CSRF token before the controller runs.
    _csrf_token: 'TRUE'
There is an easier way to block unexpected host names from accessing Drupal (phishing, cache poisoning, etc.).
The site status report will warn you if this is not set up.
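As an added example (not from the slides), this is the trusted-host configuration Drupal 8 reads from settings.php, followed by a stand-alone function that reproduces the matching logic Drupal hands to Symfony so the effect of an anchored versus an unanchored pattern can be seen without a Drupal install; the helper and the host names are constructed for illustration.

```php
<?php
// In sites/default/settings.php: a list of regular expressions. Requests
// whose Host header matches none of them are refused by Drupal 8.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^example\.com$',
];

// Weak variant for comparison: no anchors, so any host name that merely
// contains "example.com" is accepted.
$unanchored_patterns = [
  'example\.com',
];

/**
 * Illustration of the check (not Drupal's own code): TRUE if $host matches
 * one of $patterns. Like Symfony's Request::setTrustedHosts(), each pattern
 * is wrapped as {pattern}i and compared against the lower-cased host name
 * with any port removed.
 */
function host_is_trusted($host, array $patterns) {
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed Host header values: two legitimate ones and two look-alikes of
// the kind behind the phishing and cache-poisoning cases the slide mentions.
$samples = [
  'www.example.com',
  'example.com:8443',
  'evil.example.net',
  'www.example.com.evil.net',
];

foreach ($samples as $h) {
  printf("%-26s anchored: %-8s unanchored: %s\n",
    $h,
    host_is_trusted($h, $settings['trusted_host_patterns']) ? 'trusted' : 'REJECTED',
    host_is_trusted($h, $unanchored_patterns) ? 'trusted' : 'REJECTED');
}
```

The last sample is rejected by the anchored patterns but accepted by the unanchored one, which is why the patterns in settings.php should always begin with ^ and end with $.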
Requires PHP 5.5.21+ or 5.6.5+ for the PDO MySQL change.
There is also a patch in progress to enforce this protection regardless of which database driver is being used.
Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. (A small change, but one people notice.)
Adding inline JS is no longer a supported part of the render system.
drupalSettings has been converted from JavaScript to JSON, to allow for a Content Security Policy (CSP) in the future.