Policy Library

Acquia Cloud Site Factory

Name: Acquia:ACSF [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Cloud Site Factory module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acsf

Acquia Agent

Name: Acquia:AgentEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Agent module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acquia_agent

Acquia Application Information

Name: Acquia:AppInfo [View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\AppInfo

Application Information

ACSF Deployment Workspace

Name: Acquia:CheckSiteFactoryWorkspace [View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\AcsfDeployWorkspaceCleaned

A bug in the ACSF deployment process left codebases in the tmp directory which could lead to filesystem bloat and excessive inodes.

Cloud Edge Caching

Name: Acquia:CloudEdgeCaching [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderMatch

When Cloudflare is successfully caching a page, it will send out CF-Cache-Status headers with caching information for the page requested. The value should be HIT.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. cf-cache-status
header_value string The value to check against. HIT

Acquia Cloud Edge Purging Enabled

Name: Acquia:CloudEdgeNoPurge [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Acquia Cloud Edge CDN best practices recommend running a cache expiration of one minute or less at the edge. This is to ensure the edge keeps an accurate copy of page cache.

The Cloudflare purger module is only required when edge invalidation is required, which is not the case for Acquia Cloud Edge best practice.

Parameters

Name Type Description Default
module string The module to check is enabled. cloudflarepurger

Acquia Connector

Name: Acquia:Connected [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Connector module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acquia_connector

Custom Domains Registered

Name: Acquia:CustomDomains [View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\CustomDomains

Ensure there is one or more custom domains registered with Acquia Cloud.

No Database Search Indexes for Drupal 7

Name: Acquia:Drupal7:NoDbSearch [View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\SearchDB

By default Drupal can create full text search indexes in the database which can lead to performance problems on large sites.

Parameters

Name Type Description Default
module string The module to check is enabled. search_api_db

Less than 2,500 files per directory

Name: Acquia:FilesPerDirectory [View Source]
Package: drutiny/content
Class: Drutiny\Acquia\Audit\FilesPerDirectory

On Acquia Cloud, we have found that over 2,500 files in a single directory can seriously impact a server's performance and potentially its stability.

Parameters

Name Type Description Default
limit integer The limit of files per directory. 2500

Memcache module enabled

Name: Acquia:MemcacheEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

You can use the Memcache module to move some common cache queries out of the database and into memory. Information held in memory will always be retrieved more quickly than information retrieved from a database query.

Memcached is available for all Acquia Cloud websites. See Using Memcached for information about how to use Memcached with an Acquia Cloud-hosted Drupal website.

Parameters

Name Type Description Default
module string The module to check is enabled. memcache

Acquia Production Mode

Name: Acquia:ProductionMode [View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\EnvironmentAnalysis

Ensure Acquia production environment has Production Mode enabled.

Parameters

Name Type Description Default
expression 'environment["flags"]["production_mode"] === true'
not_applicable 'environment["flags"]["production"] === false'

Acquia Purge Enabled

Name: Acquia:PurgeEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

The Acquia Purge module allows updates in content to be reflected in page cache in real time on the Acquia Platform. It does this by administering bans to the platform page caching service (Varnish).

Parameters

Name Type Description Default
module string The module to check is enabled. acquia_purge

Acquia Purge Plugin Exists

Name: Acquia:PurgePlugin [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\PurgePluginExists

Enable purging of cached content on Acquia Cloud by adding it as a purge plugin.

Parameters

Name Type Description Default
plugin string The plugin to check exists. acquia_purge

Acquia SPI

Name: Acquia:SPIEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia SPI module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acquia_spi

Secured Domains

Name: Acquia:SecureDomains [View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\SecureDomains

SSL enables your web application to use the HTTPS secure web protocol to safely communicate with your users online. To use SSL, your environment must have an SSL certificate, which you must purchase from a Certificate Authority (CA) or SSL certificate vendor and upload to Acquia Cloud.

ACSF Drupal Theme Directory Size

Name: Acquia:SiteFactory:DrupalThemeDirectory [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\FsSize

Large theme directories can be indicative of best practice violations:

  • Source files in site artifact, e.g. node_modules
  • Media assets unsuitable for web delivery

Parameters

Name Type Description Default
max_size integer The maximum size in MegaBytes a directory should be. 50
path string The path of the directory to check for size. '%root/%themes/site/'

Acquia Cloud Site Factory Pingdom

Name: Acquia:SiteFactory:Pingdom [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Cloud Site Factory Pingdom module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acsf_pingdom

Acquia Search Auto Switch (D7)

Name: Acquia:SiteFactory:SearchAutoSwitch [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Using Site Factory and Acquia Search, the auto core selector needs to be disabled in order to work.

Parameters

Name Type Description Default
key string The name of the variable to compare. acquia_search_disable_auto_switch
value mixed The value to compare against 1

Acquia Cloud Site Factory Theme

Name: Acquia:SiteFactory:ThemeEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Cloud Site Factory Theme module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acsf_theme

Acquia Cloud Site Factory Variables

Name: Acquia:SiteFactory:Variables [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Cloud Site Factory Variables module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acsf_variables

Drupal Theme Path References

Name: Acquia:SiteFactoryDefaultThemePath [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\CodeScan

Ensure there are no hard coded references to the default theme path in the deployed theme as this can and will cause a lot of HTTP 404s.

Parameters

Name Type Description Default
directory string Absolute filepath to directory to scan '%root/%themes/site/'
whitelist array Whitelist patterns which the 'patterns' parameter may yield false positives from - .md
- .txt
- .svg
patterns array patterns to run over each matching file. - sites\/all\/themes\/

Acquia Cloud Site Factory Duplication

Name: Acquia:SiteFactoryDuplication [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Cloud Site Factory Duplication module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acsf_duplication

Acquia Cloud Site Factory OpenID

Name: Acquia:SiteFactoryOpenID [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Ensure the Acquia Cloud Site Factory OpenID module is enabled.

Parameters

Name Type Description Default
module string The module to check is enabled. acsf_openid

Serving files from production on development environments

Name: Acquia:StageFileProxy [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Development and staging servers may have less disk space allocated to them than a production server. When you are copying files from your production server back to staging or development, you can quickly fill up your disk space. It's possible to use the files on the production server for your staging site without copying them by using Stage File Proxy module.

Using the Stage File Proxy module enables a development server to maintain a clean files directory and use files from an alternate source by directly referencing that alternate source. An additional option within the module allows the file system on the development server to be seeded with files from the production server.

Parameters

Name Type Description Default
module string The module to check is enabled. stage_file_proxy

.htaccess redirects

Name: Apache:LimitHtacessRedirects [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Apache\HtaccessRedirects

When there are a large number of redirects in the .htaccess file they are all required to be loaded at run time during every request as Apache needs to analyze the contents so that it can make appropriate decisions about how to process the application and incoming requests. Redirect rules should be refactored to take advantage of regular expressions if possible. Otherwise the redirect module should be added to the site and all of the redirects in the .htaccess file should be moved into the Drupal site. Although these redirects will then require a Drupal bootstrap in order to fulfill the request, Varnish will be able to cache the redirect once it has been made once as long as there is a maximum age set on the site.

Parameters

Name Type Description Default
max_redirects integer The maximum number of redirects to allow in htaccess. 10

Database fulltext indexing

Name: Database:Fulltext [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\SqlResultAudit

Tables with FULLTEXT indexes cannot currently be converted to InnoDB (a solution for this is in development for MySQL 5.6). Queries involving these tables with FULLTEXT indexing could lead to performance problems.

Parameters

Name Type Description Default
query string The SQL query to run. Can use other parameters for variable replacement. "SELECT DISTINCT table_name FROM information_schema.statistics\nWHERE index_type = 'FULLTEXT'\nAND table_schema = ':db-name'\n"
expression string An expression language expression to evaluate a successful auditable outcome. 'count == 0'

Database size

Name: Database:Size [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Database\DatabaseSize

Large databases can negatively impact your production site, and slow down things like database dumps. The size reported is the data and index size combined.

Parameters

Name Type Description Default
max_size integer The maximum size in megabytes the database should be. 1000
warning_size integer The size in megabytes this check will issue a warning at. 800

BlackList Permissions

Name: Drupal-7:BlackListPermissions [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\BlacklistPermissions

Checks to ensure roles do not contain blacklisted permissions.

Parameters

Name Type Description Default
permissions array An array of permissions to ensure are not available to non-administrator roles. - 'administer site configuration'

CSS Aggregation

Name: Drupal-7:CSSAggregation [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

With CSS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.

Parameters

Name Type Description Default
key string The name of the variable to check. preprocess_css
value boolean The value of the variable 1

Application Page Cache

Name: Drupal-7:CacheLifetime [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

The minimum cache lifetime prevents Drupal from clearing page and block caches after changes are made to nodes or blocks, for a set period of time. This can cause unexpected behavior when editing content or when an external cache such as a CDN or Varnish is employed.

Parameters

Name Type Description Default
key string The name of the variable to check. cache_lifetime
value boolean The value of the variable 0

Cron running regularly

Name: Drupal-7:CronLast [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\CronLast

Making sure the cron jobs are running properly is key to a healthy Drupal site.

Database logging disabled

Name: Drupal-7:DblogModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The database logging module logs Drupal's watchdog logs into the Drupal database. This works fine in development but can cause performance issues for production websites. It's recommended to disable this module in production.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. dblog

Devel module is not installed

Name: Drupal-7:DevelDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

A suite of modules containing fun for module developers and themers. Not recommended for production use.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. devel

Error Level

Name: Drupal-7:ErrorLevel [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

When PHP encounters an error, it can generate an error log and display a report on the screen. While these error messages can be helpful in debugging your site, they can be a security risk on a live site as they may reveal information about your server that can be used to compromise it.

Parameters

Name Type Description Default
key string The name of the variable to check. error_level
value boolean The value of the variable 0

Image Derivatives

Name: Drupal-7:ImageDerivatives [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Parameters

Name Type Description Default
key string The name of the variable to check. image_allow_insecure_derivatives
value boolean The value of the variable 0
default boolean The default value of the variable 0

Installation Complete

Name: Drupal-7:InstallTaskCompleted [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

If you fail to set this variable correctly, it can leave your install.php script open to the general public.

Parameters

Name Type Description Default
key string The name of the variable to check. install_task
value mixed The value of the variable done

Js Aggregation

Name: Drupal-7:JsAggregation [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

With JS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.

Parameters

Name Type Description Default
key string The name of the variable to check. preprocess_js
value boolean The value of the variable 1

Missing modules

Name: Drupal-7:MissingModules [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\MissingModules

The warning was introduced in Drupal 7.50 and is displayed when Drupal is attempting to find a module or theme in the file system, but either cannot find it or does not find it in the expected place.

Modules enabled

Name: Drupal-7:ModulesEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModulesEnabled

Check that a set of modules are enabled.

Parameters

Name Type Description Default
modules array The names of the modules to ensure are enabled. - syslog

No Administrators

Name: Drupal-7:NoAdmins [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\NoAdministrators

Ensure there are no administrators beyond uid:1. This reduces the surface area of escalated accounts being compromised.

Backup and Migrate is not installed

Name: Drupal-7:NoBackupAndMigrate [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

With Backup and Migrate you can dump some or all of your database tables to a file download or save to a file on the server or offsite, and to restore from an uploaded or previously saved database dump. You can choose which tables and what data to backup and cache data is excluded by default. It is not advised to use this module in production if there are alternative options to obtain the same ends.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. backup_migrate

Duplicate modules

Name: Drupal-7:NoDuplicateModules [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\DuplicateModules

Duplicate modules can cause a variety of strange behaviors should Drupal ever unexpectedly load the wrong version.

No Page Compression

Name: Drupal-7:NoPageCompression [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Drupal's Compress cached pages option (page_compression) can cause unexpected behavior when an external cache such as Varnish is employed, and typically provides no benefit. Therefore, Compress cached pages should be disabled.

Parameters

Name Type Description Default
key string The name of the variable to check. page_compression
value boolean The value of the variable 0

Overlay module disabled

Name: Drupal-7:OverlayModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Drupal core overlay module can cause usability issues and prove to be problematic from a support perspective. It is recommended not to use this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. overlay

PSA-2016-003: Scan webform files for anon PDF uploads

Name: Drupal-7:PSA-2016-003 [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\Security\WebformPSA_2016_003

This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. For more information, visit https://www.drupal.org/forum/newsletters/security-public-service-announcements/2016-10-10/drupal-file-upload-by-anonymous

Page Cache Control Max Age

Name: Drupal-7:PageCacheMaximumAge [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure your page cache expiry is set to an optimal level for best performance.

Parameters

Name Type Description Default
key string The name of the variable to check. page_cache_maximum_age
value boolean The value of the variable 300
comp_type string The comparison operator to use gte

PHP

Name: Drupal-7:PhpModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. There are better alternatives out there that do not expose such vulnerabilities on your site.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. php

Poor Mans Cron Disabled

Name: Drupal-7:PoorMansCronDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Checks that poor man's cron is disabled and will never run with a web thread.

Parameters

Name Type Description Default
key string The name of the variable to check. cron_safe_threshold
value boolean The value of the variable 0

CSS Aggregation

Name: Drupal-7:SA-CORE-2013-003 [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleVersion

SA-CORE-2013-003 announced several vulnerabilities and is considered highly critical. The vulnerabilities are:

  • Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
  • Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7): CVE-2013-6386
  • Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7): No CVE; considered remediated through "security hardening"
  • Access bypass (Security token validation - Drupal 6 and 7): No CVE; considered remediated through "security hardening."
  • Cross-site scripting (Image module - Drupal 7): CVE-2013-6387
  • Cross-site scripting (Color module - Drupal 7): CVE-2013-6388
  • Open redirect (Overlay module - Drupal 7): CVE-2013-6389

For more information, see SA-CORE-2013-003.

Parameters

Name Type Description Default
module string The module to get version information for. system
version string The static version to check against. 7.24

Search404 module disabled

Name: Drupal-7:Search404ModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The search 404 module conducts searches on 404 pages. This can impact performance and confuse search bots.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. search404

Search API Database

Name: Drupal-7:SearchApiDb [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\SearchApiDb

Search backed with the database (and not Solr) can cause performance impacts to your site. Often the SQL queries caused by using the database are slow.

Parameters

Name Type Description Default
max_size integer The maximum size of nodes in the index before it is considered an error. 50

Secure Pages: HTTP Redirect

Name: Drupal-7:SecureHTTPRedirect [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure secure pages module is configured to force redirect to HTTPS.

Parameters

Name Type Description Default
key string The name of the variable to check. securepages_pages
value string The value of the variable '*'

Secure Pages Config: Enabled

Name: Drupal-7:SecurePagesConfig:Enabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

To start using secure pages this setting must be enabled. This setting can only be changed when the web server has been configured for SSL.

Parameters

Name Type Description Default
key string The name of the variable to check. securepages_enable
value boolean The value of the variable 1

Secure Pages Config: No Downgrade

Name: Drupal-7:SecurePagesConfig:NoDowngrade [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Secure pages shouldn't be configured to allow downgrade to HTTP.

Parameters

Name Type Description Default
key string The name of the variable to check. securepages_switch
value boolean The value of the variable 0

Secure Pages Enabled

Name: Drupal-7:SecurePagesEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Secure Pages module ensures requests are handled securely.

Parameters

Name Type Description Default
module string The name of the module to ensure is enabled. securepages

Secure Pages Listed

Name: Drupal-7:SecurePagesListed [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure Secure Pages is configured to secure a whitelist of pages.

Parameters

Name Type Description Default
key string The name of the variable to check. securepages_secure
value boolean The value of the variable 1

Shield Disabled

Name: Drupal-7:ShieldModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The shield module protects Drupal sites from prying eyes. It is often used to protect sites that are not yet live, but should never be enabled for live sites.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. shield

Simpletest

Name: Drupal-7:SimpletestModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Simpletest module is for testing purposes only and shouldn't be enabled in production.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. simpletest

Statistics

Name: Drupal-7:StatisticsModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module comes with Drupal core and attempts to track page view information. However, as Drupal often uses upstream page cache proxies, this module is often inaccurate and not worth the performance impact it causes.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. statistics

Untrusted Roles with administrative permissions

Name: Drupal-7:UntrustedRoles [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\UntrustedRoles

Make sure administrative permissions have not been assigned to untrusted roles.

Parameters

Name Type Description Default
untrusted_roles array The names of untrusted Roles. - 'anonymous user'
- 'authenticated user'

Update

Name: Drupal-7:UpdateModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The update module fetches the latest module information from Drupal.org and reports on the module statuses used on the site.

Parameters

Name Type Description Default
module string The name of the module to ensure is disabled. update

User #1 Locked Down

Name: Drupal-7:User1LockDown [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\User1

It is important to lock down user #1 in Drupal; this user is special and ignores access control.

Parameters

Name Type Description Default
blacklist string The usernames of the uid:1 user that are considered forbidden. Expression may be a regular expression to match patterns. (admin root drupal
email string The email that the uid:1 user should have. If an empty string is provided then this check is omitted. no_reply@example.com
status boolean Ensures the uid:1 user status reflects the same as this argument. Defaults to active (1). 1

User Registration Disabled

Name: Drupal-7:UserRegistrationDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Anonymous sites should have user registration set to off to prevent spam registrations.

Parameters

Name Type Description Default
key string The name of the variable to check. user_register
value boolean The value of the variable 0

Views Cache

Name: Drupal-7:ViewsCache [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsCache

Ensure views cache is enabled and configured.

Views Pagination

Name: Drupal-7:ViewsPagination [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsPagination

Ensure views pagination is not over a threshold.

Parameters

Name Type Description Default
limit integer The maximum number of rows a view can list 60

Views SQL Signature

Name: Drupal-7:ViewsSqlSignature [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure that Views SQL queries contain a signature that will identify the view the SQL query came from. Useful for database performance debugging.

Parameters

Name Type Description Default
key string The name of the variable to check. views_sql_signature
value boolean The value of the variable 1

Views UI module is not installed

Name: Drupal-7:ViewsUIDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module can impose a small performance penalty when enabled, and can allow the essential views required by your website to be modified.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. views_ui

XML sitemap base URL

Name: Drupal-7:XMLSitemapBaseURL [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

The XML sitemap module adds a sitemap on the URL /sitemap.xml. If not properly configured, the sitemap will point to an incorrect or possibly broken site.

Parameters

Name Type Description Default
key string The name of the variable to compare. xmlsitemap_base_url
value mixed The value to compare against '^https?://.+$'
comp_type string The comparison operator to use regex
required_modules array An optional array of modules required in order to check variables xmlsitemap

Zen rebuild registry disabled

Name: Drupal-7:ZenRegistryRebuild [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ZenRebuildRegistry

The rebuild registry feature is enabled for your theme. This setting is only used during theme development, and can negatively impact site performance.

APC is not installed

Name: Drupal-7:acquiaAPCDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Alternative PHP cache is not recommended on Acquia Cloud. It stores data on a per-server basis, which can lead to different data being served by different servers. It also uses memory that would otherwise be used by OPcache. We recommend using Memcached instead. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. apc

Adaptive Image is not installed

Name: Drupal-7:acquiaAdaptiveImageDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Exercise some care when using this module because it may have issues storing image derivatives when caching is turned on. When this module is in use, users who visit a page directly after a cache clear will set the image size for that page and that image size is used for all visitors, regardless of what their browser is.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. adaptive_image

Apache Solr File is not installed

Name: Drupal-7:acquiaApacheSolrFileDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Customers are unable to modify the solrconfig.xml file on Acquia Cloud. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. apachesolr_file

Authcache is not installed

Name: Drupal-7:acquiaAuthcacheDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This requires an evaluation of performance issues versus application complexity. Caching pages or blocks is often a better option. This module can significantly increase the size of your page cache.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. authcache

AutoSlave is not installed

Name: Drupal-7:acquiaAutoSlaveDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Acquia Cloud platform is configured to auto-detect the primary and subordinate servers and handle failover situations. This module hardcodes the settings and can cause your server to read or write to the incorrect database. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. autoslave

Bean is not installed

Name: Drupal-7:acquiaBeanDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Specifically, we recommend against the use of bean_entitycache. When combined with the Memcache module, its behavior is unpredictable, and its use can have a negative performance impact on your application.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. bean

Boost is not installed

Name: Drupal-7:acquiaBoostDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This creates many disk writes, which can cause problems on shared servers. See Boost and Acquia Cloud for more details. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. boost

CAS is not installed

Name: Drupal-7:acquiaCASDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Check the "Check with the CAS server to see if the user is already logged in" setting. This requires session cookies to be set, preventing Varnish® from caching pages. We suggest Bakery or SimpleSAML as an alternative.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. cas

CloudFlare Purge is not installed

Name: Drupal-7:acquiaCFPurgeDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module includes API limits that may prevent users from viewing updated content on your website. Instead, Acquia recommends the use of Acquia Purge. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. cfpurge

CiviCRM is not installed

Name: Drupal-7:acquiaCiviCRMDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

CiviCRM is dependent on stored procedures and triggers that do not work on the Acquia Cloud platform. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. civicrm

Configuration Management is not installed

Name: Drupal-7:acquiaConfigMgmtDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module requires a writeable directory that is also trackable at the same time by Git; this is not currently possible on Acquia Cloud. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. configuration

Contact Importer is not installed

Name: Drupal-7:acquiaContactImporterDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Issue due to its reliance on Open Inviter. Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. contact_importer

DB Maintenance is not installed

Name: Drupal-7:acquiaDBMaintenanceDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Using this module improperly can potentially cause slowdowns or outages. If you believe that your application has tables that need optimizing, open a ticket with Acquia Support.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. db_maintenance

Devinci is not installed

Name: Drupal-7:acquiaDevinciDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module does not include settings for the Acquia Remote Administration environment.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. devinci

Elysia Cron is not installed

Name: Drupal-7:acquiaElysiaCronDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Elysia Cron requires careful setup. Acquia Support has seen implementations of this module that call some hooks too frequently, causing performance problems significant enough to take a production application down.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. elysia_cron

Filefield Sources is not installed

Name: Drupal-7:acquiaFilefieldSourcesDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Using this module on Acquia Cloud causes issues with Acquia Remote Administration services. If you are using this module, it conflicts with the Stage File proxy module, and you will not be able to see images on your RA environment.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. filefield_sources

HTML Purifier is not installed

Name: Drupal-7:acquiaHTMLPurifierDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. htmlpurifier

HTTPRL is not installed

Name: Drupal-7:acquiaHTTPRLDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

May require some special configuration to use on Acquia Cloud, or it can generate errors.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. httprl

Lightweight Directory Access Protocol (LDAP) is not installed

Name: Drupal-7:acquiaLDAPDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

LDAP alone without SSO can work on Acquia Cloud. SSO requires NTLM (NT LAN Manager) support, which is an Apache module that Acquia does not currently support.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. ldap

Name: Drupal-7:acquiaLinkCheckerDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Link Checker module can sometimes cause timeouts when cron is run.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. linkchecker

Node view count is not installed

Name: Drupal-7:acquiaNodeViewCountDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This statistics module can be configured to count each node visit, which can trigger multiple database writes. This behavior can cause serious performance issues with the database. Use caution when configuring this on high-traffic websites.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. nodeviewcount

Optimize DB is not installed

Name: Drupal-7:acquiaOptimizeDBDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Using this module improperly can potentially cause slowdowns or outages. If you feel your site has tables that need optimizing, contact Acquia Support.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. optimizedb

Name: Drupal-7:acquiaPrintDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

If not properly secured, this module can open up your application to being abused as a spam relay. If you use this module, be sure to configure it so that anonymous users cannot send email.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. print

Redirect 403 to User Login is not installed

Name: Drupal-7:acquiaR4032LoginDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This may cause issues with anonymous session cookies. Disable the "Access denied. You must log in to view this page." check box in the module settings.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. r4032login

Radioactivity is not installed

Name: Drupal-7:acquiaRadioactivityDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module requires that memcache servers be hardcoded in a separate configuration file, which directly conflicts with Acquia’s high availability services. Acquia’s platform dynamically modifies available memcache servers, and hardcoded servers can cause application outages.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. radioactivity

Search 404 is not installed

Name: Drupal-7:acquiaSearch404Disabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This useful module triggers a search when a user lands on a 404 page. This is best used with Fast 404 to prevent missing files from also triggering a search.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. search404

Serial is not installed

Name: Drupal-7:acquiaSerialDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Serial is based on an auto_increment of 1. Acquia Cloud uses an auto_increment of five. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. serial

Shibboleth Authentication is not installed

Name: Drupal-7:acquiaShibAuthDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Shibboleth is not supported on Acquia Cloud. Other methods of achieving this functionality are SimpleSAMLphp or LDAP. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. shib_auth

TCPDF is not installed

Name: Drupal-7:acquiaTCPDFDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. tcpdf

Varnish Module is not installed

Name: Drupal-7:acquiaVarnishModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This Drupal module attempts to replicate the effort of the Varnish Cache that is already available to Acquia Cloud applications. It will not work with Acquia Cloud applications because it requires connections to the load balancers, which Acquia does not provide. The Varnish caching provided by Acquia works out of the box, as long as you use caching.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. varnish

WURFL is not installed

Name: Drupal-7:acquiaWURFLDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. wurfl

WYSIWYG CKFinder is not installed

Name: Drupal-7:acquiaWYSIWYGCKFinderDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. wysiwyg_ckfinder

Workbench Moderation is not installed

Name: Drupal-7:acquiaWorkbenchModerationDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module does not work out of the box with ApacheSolr search integration. Learn more about problems and a solution.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. workbench_moderation

Block Cache Alter is not installed

Name: Drupal-7:blockcacheAlterDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module causes issues with caching, and has not been updated in several years. It is not recommended for use. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. blockcache_alter

EntityReference Autocomplete Performance

Name: Drupal-7:entityreference [View Source]
Package: drutiny/content
Class: Drutiny\Plugin\Drupal7\Audit\EntityReferenceAutocomplete

Ensure that entity reference fields are configured correctly.

Facebook Connect is not installed

Name: Drupal-7:fbconnectDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. fbconnect

File Cache with Gluster is not installed

Name: Drupal-7:fileCacheGlusterDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The File Cache module moves caching to Gluster, which can cause major load on the Gluster file system and can cause the site (or multiple sites in the case of shared hosting) to go down. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. filecache

Views Global Filter is not installed

Name: Drupal-7:globalFilterDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Sets session cookies to filter views, which prevents Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. global_filter

H5P is not installed

Name: Drupal-7:h5pDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The H5P module sets session cookies for anonymous visitors who use pages that contain H5P elements. This causes all future requests from those anonymous users to bypass Varnish caching. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. h5p

IP Geolocation is not installed

Name: Drupal-7:ipGeolocDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. ip_geoloc

Memcache Storage is not installed

Name: Drupal-7:memcacheStorageDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Although not incompatible, use of this module is discouraged due to its developer’s limited updates. Instead, use the Memcache API and Integration module. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. memcache_storage

Purge Module is not installed

Name: Drupal-7:purgeDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Purge (7.x-1.x) module is not specifically incompatible, but can be difficult to set up correctly. We suggest using Acquia Purge instead. It is specifically intended for use on Acquia Cloud. Over time, these modules are planned to merge. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. purge

reCAPTCHA is not installed

Name: Drupal-7:recaptchaDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The reCAPTCHA module requires session cookies to be set. This functionality prevents Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. recaptcha

Role Memory Limit is not installed

Name: Drupal-7:roleMemoryLimitDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module overrides memory limits set in settings.php. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. role_memory_limit

Session API is not installed

Name: Drupal-7:sessionAPIDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Requires session cookies to be set, preventing Varnish from caching pages. Session API sets cookies on the user. Because of this, cron can run intense queries to join the session and session_api tables. This can cause major slowdowns. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. session_api

Session Cache API is not installed

Name: Drupal-7:sessionCacheDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module is generally incompatible with Varnish caching. It may also cause file system performance issues. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. session_cache

Smart IP is not installed

Name: Drupal-7:smartIPDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module can be configured to set session cookies for anonymous users, making it incompatible with Varnish. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. smart_ip

Name: Drupal-7:supercookieDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Stores sessions outside of the session table, and sets no cache headers. This module is also incompatible with Varnish. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. supercookie

TB Mega Menu is not installed

Name: Drupal-7:tbMegaMenuDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module can cause performance problems for your website and is not covered by Drupal’s security policy. If it must be used, patch the module to reduce calls made to your website’s database. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. tb_megamenu

Text Size is not installed

Name: Drupal-7:textSizeDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. textsize

Views Filter Harmonizer is not installed

Name: Drupal-7:viewsFilterHarmonizerDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module sets a SESSION cookie, preventing Varnish caching. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. filter_harmonizer

Configuration development module is not installed

Name: Drupal-8:ConfigDevelDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module helps with developing configuration. Do not deploy in production environments. Exercise caution and always use version control.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. config_devel

Content Owned By Drupal's Anonymous User

Name: Drupal-8:ContentOwnedByAnonymous [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\SqlResultAudit

Content owned by a user that is not expected can pose a security risk whereby untrusted users might be able to include malicious code in content. If the unexpected user is "Anonymous", this could mean any site visitor could present a risk if they entered malicious code into content. This policy identifies if there are nodes owned by Drupal's Anonymous User.

Parameters

Name Type Description Default
query string The SQL query to run. Can use other parameters for variable replacement. 'SELECT COUNT(*) as frequency, type FROM node_field_data WHERE uid = 0 GROUP BY TYPE;'
expression string An expression language expression to evaluate a successful auditable outcome. 'count < 1'

Cron last run

Name: Drupal-8:CronHasRun [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\CronHasRun

Cron should be run regularly to ensure that scheduled events are processed in a timely manner.

Parameters

Name Type Description Default
cron_max_interval integer The maximum number of seconds allowed since the last cron run. 86400

Cron running regularly

Name: Drupal-8:CronLast [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\CronLast

Making sure the cron jobs are running properly is key to a healthy Drupal site.

CSS aggregation is enabled

Name: Drupal-8:CssAggregation [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck

With CSS optimization not installed your website visitors are experiencing slower page performance and the server load is increased.

Parameters

Name Type Description Default
collection string The config collection the config item belongs to. system.performance
key string css.preprocess
value boolean true

Database logging is not installed

Name: Drupal-8:DblogDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The Drupal core database logging module can cause database performance issues in production. It is recommended to disable and uninstall this module. Use the syslog module in its place.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. dblog

Memcache set as default cache backend

Name: Drupal-8:DefaultCacheMemcache [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\SettingCompare

Ensure the majority of your application caching is driven through Memcache by setting it as the default backend (usually as opposed to using the database).

Memcache is a better service for cache storage than the database, as it decouples cache performance from database load. This means slow queries will not impact cache performance (beyond any shared resourcing between the services).

Parameters

Name Type Description Default
key string The key in settings.php to check. Use dot syntax to traverse settings array. cache.default
value string The value that should be set if the settings key exists. cache.backend.memcache

Devel module is not installed

Name: Drupal-8:DevelDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

A suite of modules containing fun for module developers and themers. Not recommended for production use.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. devel

No duplicate modules found

Name: Drupal-8:DuplicateModules [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\DuplicateModules

Duplicate modules can cause a variety of strange behaviors should Drupal ever unexpectedly load the wrong version.

Hide errors from screen (log only)

Name: Drupal-8:ErrorLevel [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck

When PHP encounters an error, it can generate an error log and display a report on the screen. While these error messages can be helpful in debugging your site, they can be a security risk on a live site as they may reveal information about your server that can be used to compromise it.

Parameters

Name Type Description Default
collection string The collection the config belongs to. system.logging
key string The key the config belongs to. error_level
value mixed The value to compare against the retrieved value. hide

Core Fast 404 Enabled

Name: Drupal-8:Fast404Enabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck

Core's fast 404 configuration allows Drupal to spend little time on 404 error pages that match the Fast 404 criteria.

Parameters

Name Type Description Default
collection string The collection the config belongs to. system.performance
key string The key the config belongs to. fast_404.enabled
value mixed The value to compare against the retrieved value. true

Javascript aggregation

Name: Drupal-8:JsAggregation [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck

With Javascript aggregation not installed your website visitors are experiencing slower page performance especially on slower networks.

Parameters

Name Type Description Default
collection string The collection the config belongs to. system.performance
key string The key the config belongs to. js.preprocess
value mixed The value to compare against the retrieved value. true

Kint module is not installed

Name: Drupal-8:KintDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Kint for PHP is a tool designed to present your debugging data in the absolutely best way possible. In other words, it's var_dump() and debug_backtrace() on steroids. Easy to use, but powerful and customizable. An essential addition to your development toolbox. Should not be used in production.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. kint

Memcache module enabled

Name: Drupal-8:MemcacheEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

This module provides integration between Drupal and Memcached with the following features:

  • An API for using Memcached and the PECL Memcache or Memcached libraries with Drupal.
  • Memcache backends for the following systems (all drop-in): Caching, Locking
  • A module that provides a comprehensive administrative overview of Drupal's interaction with Memcached and stats.

Parameters

Name Type Description Default
module string The name of the module to ensure is enabled. memcache

Memcache extension set

Name: Drupal-8:MemcachedExtension [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\SettingCompare

In order for the memcache module to work, the PHP memcached extension must be available in the runtime environment. In addition, when using PHP 5.6, Drupal must tell the memcache module to use the memcached extension (as opposed to the memcache extension).

Parameters

Name Type Description Default
key string The key in settings.php to check. Use dot syntax to traverse settings array. memcache.extension
value string The value that should be set if the settings key exists. Memcached

Automated Cron module is not installed

Name: Drupal-8:NoAutomatedCron [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The automated cron module will hijack page requests in order to run cron. This has a performance impact for end users who are unlucky enough to be burdened with the task unknowingly and without consent.

Parameters

Name Type Description Default
module string The module to check is enabled. automated_cron

Backup and Migrate is not installed

Name: Drupal-8:NoBackupAndMigrate [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

With Backup and Migrate you can dump some or all of your database tables to a file download, or save them to a file on the server or offsite, and restore from an uploaded or previously saved database dump. You can choose which tables and what data to back up; cache data is excluded by default. It is not advised to use this module in production if there are alternative options to obtain the same ends.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. backup_migrate

No Experimental Modules in Use

Name: Drupal-8:NoExperimental [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\NoExperimentalCore

Drupal 8 core introduces the concept of experimental modules. These are modules that are provided with Drupal core for testing purposes, but that are not yet fully supported. Experimental modules are included in the Core (Experimental) package on the Extend page of a Drupal site (/admin/modules).

More information at https://www.drupal.org/core/experimental

Drupal Page cache expiry is set

Name: Drupal-8:PageCacheExpiry [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck

Page cache expiry informs upstream proxies such as Varnish and CDNs how long they may cache a page response before it should be considered stale and refetched from Drupal.

Parameters

Name Type Description Default
collection string The collection the config belongs to. system.performance
key string The key the config belongs to. cache.page.max_age
value integer The number of seconds page cache should be considered valid for. 3600
comp_type string The type of comparison to conduct. Defaults to equals. See Drutiny\Audit\AbstractComparison '>='

PHP module is not installed

Name: Drupal-8:PhpDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. There are better alternatives out there that do not expose such vulnerabilities on your site.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. php

Purge module enabled

Name: Drupal-8:PurgeEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

The Purge module integrates other services into Drupal's caching strategy.

Parameters

Name Type Description Default
module string The name of the module to ensure is enabled. purge

Shield module is not installed

Name: Drupal-8:ShieldDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The Shield module protects Drupal sites from prying eyes. It is often used to protect sites that are not yet live, but should never be enabled for live sites.

Parameters

Name Type Description Default
module string The module to check is enabled. shield

Simpletest module is not installed

Name: Drupal-8:SimpleTestDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The Simpletest module is for testing purposes only and shouldn't be enabled in production.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. simpletest

Statistics module is not installed

Name: Drupal-8:StatisticsDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module comes with Drupal core and attempts to track page view information. However, because Drupal often uses upstream page cache proxies, this module is often inaccurate and not worth the performance impact it causes.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. statistics

Untrusted Roles with administrative permissions

Name: Drupal-8:UntrustedRoles [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\UntrustedRoles

Make sure administrative permissions have not been assigned to untrusted roles.

Parameters

Name Type Description Default
untrusted_roles array The untrusted Roles. - anonymous
- authenticated

Unused modules in the codebase

Name: Drupal-8:UnusedModules [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\UnusedModules

Update module is not installed

Name: Drupal-8:UpdateDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The update module fetches the latest module information from Drupal.org and reports on the module statuses used on the site.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. update

Administrator login is locked down (uid:1)

Name: Drupal-8:User1LockDown [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\User1

It is important to lock down user #1 in Drupal. This user is special and ignores access control.

Parameters

Name Type Description Default
blacklist string The usernames of the uid:1 user that are considered forbidden. Expression may be a regular expression to match patterns. (admin root drupal
email string The email that the uid:1 user should have. If an empty string is provided then this check is omitted. no_reply@example.com
status boolean Ensures the uid:1 user status reflects the same as this argument. Defaults to active (1). 1

User registration available to administrators only

Name: Drupal-8:UserRegistrationAdminOnly [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck

Anonymous sites should have user registration set to off to prevent spam registrations

Parameters

Name Type Description Default
collection string The collection the config belongs to. user.settings
key string The key the config belongs to. register
value mixed The value to compare against the retrieved value. admin_only

Views UI module is not installed

Name: Drupal-8:ViewsUIDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module can impose a small performance penalty when enabled, and can allow the essential views required by your website to be modified.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. views_ui

Webprofiler module is not installed

Name: Drupal-8:WebprofilerDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The web profiler is a developer module to help profile a PHP page load.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. webprofiler

APC is not installed

Name: Drupal-8:acquiaAPCDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Alternative PHP cache is not recommended on Acquia Cloud. It stores data on a per-server basis, which can lead to different data being served by different servers. It also uses memory that would otherwise be used by OPcache. We recommend using Memcached instead. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. apc

Apache Solr File is not installed

Name: Drupal-8:acquiaApacheSolrFileDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Customers are unable to modify the solrconfig.xml file on Acquia Cloud. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. apachesolr_file

AutoSlave is not installed

Name: Drupal-8:acquiaAutoSlaveDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The Acquia Cloud platform is configured to auto-detect the primary and subordinate servers and handle failover situations. This module hardcodes the settings and can cause your server to read or write to the incorrect database. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. autoslave

Boost is not installed

Name: Drupal-8:acquiaBoostDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This creates many disk writes, which can cause problems on shared servers. See Boost and Acquia Cloud for more details. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. boost

CAS is not installed

Name: Drupal-8:acquiaCASDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Check the "Check with the CAS server to see if the user is already logged in" setting. This requires session cookies to be set, preventing Varnish® from caching pages. We suggest Bakery or SimpleSAML as an alternative.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. cas

CloudFlare Purge is not installed

Name: Drupal-8:acquiaCFPurgeDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module includes API limits that may prevent users from viewing updated content on your website. Instead, Acquia recommends the use of Acquia Purge. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. cfpurge

CiviCRM is not installed

Name: Drupal-8:acquiaCiviCRMDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

CiviCRM is dependent on stored procedures and triggers that do not work on the Acquia Cloud platform. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. civicrm

Configuration Management is not installed

Name: Drupal-8:acquiaConfigMgmtDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module requires a writeable directory that is also trackable at the same time by Git; this is not currently possible on Acquia Cloud. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. configuration

DB Maintenance is not installed

Name: Drupal-8:acquiaDBMaintenanceDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Using this module improperly can potentially cause slowdowns or outages. If you believe that your application has tables that need optimizing, open a ticket with Acquia Support.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. db_maintenance

Devinci is not installed

Name: Drupal-8:acquiaDevinciDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module does not include settings for the Acquia Remote Administration environment.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. devinci

Dropzone JS is not installed

Name: Drupal-8:acquiaDropzoneJSDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

When uploading files with the dropzonejs module (included with Lightning) to an application with multiple web servers served by a single load balancer, the web server that processes the form submission may not be the web server that received the temporary file in the AJAX request. Upload files through the /media/add interface instead.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. dropzonejs

Filefield Sources is not installed

Name: Drupal-8:acquiaFilefieldSourcesDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Using this module on Acquia Cloud causes issues with Acquia Remote Administration services. If you are using this module, it conflicts with the Stage File proxy module, and you will not be able to see images on your RA environment.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. filefield_sources

HTML Purifier is not installed

Name: Drupal-8:acquiaHTMLPurifierDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. htmlpurifier

Lightweight Directory Access Protocol (LDAP) is not installed

Name: Drupal-8:acquiaLDAPDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

LDAP alone without SSO can work on Acquia Cloud. SSO requires NTLM (NT LAN Manager) support, which is an Apache module that Acquia does not currently support.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. ldap

Name: Drupal-8:acquiaLinkCheckerDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The Link Checker module can sometimes cause timeouts when cron is run.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. linkchecker

Node view count is not installed

Name: Drupal-8:acquiaNodeViewCountDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This statistics module can be configured to count each node visit, which can trigger multiple database writes. This behavior can cause serious performance issues with the database. Use caution when configuring this on high-traffic websites.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. nodeviewcount

Optimize DB is not installed

Name: Drupal-8:acquiaOptimizeDBDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Using this module improperly can potentially cause slowdowns or outages. If you feel your site has tables that need optimizing, contact Acquia Support.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. optimizedb

Redirect 403 to User Login is not installed

Name: Drupal-8:acquiaR4032LoginDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This may cause issues with anonymous session cookies. Disable the "Access denied. You must log in to view this page." check box in the module settings.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. r4032login

Radioactivity is not installed

Name: Drupal-8:acquiaRadioactivityDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module requires that memcache servers be hardcoded in a separate configuration file, which directly conflicts with Acquia’s high availability services. Acquia’s platform dynamically modifies available memcache servers, and hardcoded servers can cause application outages.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. radioactivity

Search 404 is not installed

Name: Drupal-8:acquiaSearch404Disabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This useful module triggers a search when a user lands on a 404 page. This is best used with Fast 404 to prevent missing files from also triggering a search.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. search404

Serial is not installed

Name: Drupal-8:acquiaSerialDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Serial is based on an auto_increment of 1. Acquia Cloud uses an auto_increment of five. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. serial

Shibboleth Authentication is not installed

Name: Drupal-8:acquiaShibAuthDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Shibboleth is not supported on Acquia Cloud. Other methods of achieving this functionality are SimpleSAMLphp or LDAP. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. shib_auth

TCPDF is not installed

Name: Drupal-8:acquiaTCPDFDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. tcpdf

Varnish Module is not installed

Name: Drupal-8:acquiaVarnishModuleDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This Drupal module attempts to replicate the effort of the Varnish Cache that is already available to Acquia Cloud applications. It will not work with Acquia Cloud applications because it requires connections to the load balancers, which Acquia does not provide. The Varnish caching provided by Acquia works out of the box, as long as you use caching.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. varnish

WURFL is not installed

Name: Drupal-8:acquiaWURFLDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Create a symlink to your private files area.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. wurfl

Workbench Moderation is not installed

Name: Drupal-8:acquiaWorkbenchModerationDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module does not work out of the box with ApacheSolr search integration. Learn more about problems and a solution.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. workbench_moderation

Block Cache Alter is not installed

Name: Drupal-8:blockcacheAlterDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module causes issues with caching, and has not been updated in several years. It is not recommended for use. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. blockcache_alter

Facebook Connect is not installed

Name: Drupal-8:fbconnectDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. fbconnect

File Cache is not installed

Name: Drupal-8:fileCacheDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The File Cache module moves caching to Gluster, which can cause major load on the Gluster file system and can cause the site (or multiple sites in the case of shared hosting) to go down. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. filecache

Views Global Filter is not installed

Name: Drupal-8:globalFilterDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Sets session cookies to filter views, which prevents Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. global_filter

H5P is not installed

Name: Drupal-8:h5pDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The H5P module sets session cookies for anonymous visitors utilizing pages that contain H5P elements. This results in all future requests for those anonymous users to bypass Varnish caching. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. h5p

Honeypot Time Limit

Name: Drupal-8:honeypotTimeLimit [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck

This module has a time-based session variable that can make pages uncacheable by Drupal or Varnish caches. This setting should be configured to be disabled.

Parameters

Name Type Description Default
collection string The collection the config belongs to. honeypot.settings
key string The key the config belongs to. time_limit
value mixed The value to compare against the retrieved value. 0

IP Geolocation is not installed

Name: Drupal-8:ipGeolocDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. ip_geoloc

Memcache Storage is not installed

Name: Drupal-8:memcacheStorageDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Although not incompatible, use of this module is discouraged due to its developer’s limited updates. Instead, we encourage the use of the Memcache API and Integration module. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. memcache_storage

Page Cache module is not installed

Name: Drupal-8:pageCacheDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Drupal's default page caching module should be disabled when a 3rd party page cache is used instead.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. page_cache

reCAPTCHA is not installed

Name: Drupal-8:recaptchaDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

The reCAPTCHA module requires session cookies to be set. This functionality prevents Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. recaptcha

Role Memory Limit is not installed

Name: Drupal-8:roleMemoryLimitDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module overrides memory limits set in settings.php. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. role_memory_limit

Session API is not installed

Name: Drupal-8:sessionAPIDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Requires session cookies to be set, preventing Varnish from caching pages. Session API sets cookies on the user. Because of this, cron can run intense queries to join the session and session_api tables. This can cause major slowdowns. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. session_api

Session Cache API is not installed

Name: Drupal-8:sessionCacheDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module is generally incompatible with Varnish caching. It may also cause file system performance issues. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. session_cache

Smart IP is not installed

Name: Drupal-8:smartIPDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module can be configured to set session cookies for anonymous users, making it incompatible with Varnish. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. smart_ip

Name: Drupal-8:supercookieDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

Stores sessions outside of the session table, and sets no cache headers. This module is also incompatible with Varnish. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. supercookie

TB Mega Menu is not installed

Name: Drupal-8:tbMegaMenuDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module can cause performance problems for your website and is not covered by Drupal’s security policy. If it must be used, patch the module to reduce calls made to your website’s database. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. tb_megamenu

Text Size is not installed

Name: Drupal-8:textSizeDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. textsize

Views Filter Harmonizer is not installed

Name: Drupal-8:viewsFilterHarmonizerDisabled [View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled

This module sets a SESSION cookie, preventing Varnish caching. It is recommended to disable and uninstall this module.

Parameters

Name Type Description Default
module string The name of the module to ensure is not installed. filter_harmonizer

Anonymous sessions

Name: Drupal:AnonSession [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\SqlResultAudit

If you are generating sessions for anonymous users, you are causing a major performance impact to your site. Having anonymous sessions will break traditional page caching in Varnish and CDNs.

Parameters

Name Type Description Default
expression string An expression language expression to evaluate a successful auditable outcome. 'count == 0'
query string The SQL query to run. Can use other parameters for variable replacement. "SELECT session, FROM_UNIXTIME(timestamp) as date FROM sessions\nWHERE uid = 0\n AND session NOT LIKE 'openid%'\n AND session NOT LIKE '%Access denied%'\nORDER BY timestamp DESC\nLIMIT 1000\n"

Lint PHP files in Theme

Name: Drupal:LintTheme [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\PhpLint

Ensure all PHP files in the theme pass basic PHP syntax parsing.

Parameters

Name Type Description Default
path string The path where to lint PHP files. '%root/%themes'

User Enumeration

Name: Drupal:Security:UserEmueration [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\ModuleEnabled

User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. Two of the most common areas where user enumeration occurs are in a site's login page and its 'Forgot Password' functionality.

User enumeration is a default vulnerability in Drupal but can be mitigated through the use of the Username Enumeration Prevention module.

Parameters

Name Type Description Default
module string The module to check is enabled. username_enumeration_prevention

Syslog

Name: Drupal:SyslogEnabled [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Syslog module writes Drupal watchdog logs to the syslog.

Parameters

Name Type Description Default
module string The name of the module to ensure is enabled. syslog

Drupal Theme Security & Performance

Name: Drupal:ThemeSecurity [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\CodeScan

Some basic checks to ensure that the theme is not doing any seriously bad things. Note this is not supposed to be perfect, but used as an aid in code review.

Parameters

Name Type Description Default
directory string Absolute filepath to directory to scan '%root/%themes'
filetypes array file extensions to include in the scan - php
- inc
- theme
patterns array patterns to run over each matching file. - POST
- exec(
- db_query
- db_select
- db_merge
- db_update
- db_write_record
- ->query
- drupal_http_request
- curl_init
- passthru
- proc_open
- system(
- sleep(
- mysql

- mysqli
- sqlite
- db_query
- db_fetch
- db_result
- pager_query
- db_set_active
- db_select
- db_insert
- db_update
- db_delete
- fetchAll
- fetchField
- fetchObject
- fetchAssoc
- countQuery

Large Drupal Files

Name: Drupal:largeFiles [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\LargeDrupalFiles

Large static assets should be optimized for online display or ideally be housed in other services, e.g. Amazon S3 (for files) or Youtube (for videos). Storing large files can consume storage volumes, increase page load time and contribute to a higher than desired cache eviction rate. Varnish, on Acquia Cloud, does not cache files larger than 10 MB.

This policy identifies files managed by Drupal that are larger than .

Parameters

Name Type Description Default
max_size integer Report files larger than this value measured in bytes. 10000000

Module updates

Name: Drupal:moduleUpdates [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleUpdateStatus

Throughout the lifetime of your site, the Drupal project and its community contributed modules will release new versions that contain bug fixes, new features and security updates. It is important to keep your site up to date and patched from known security vulnerabilities.

Note that upgrading modules, especially between major versions, can introduce regressions into your site. While it's important to maintain a continual update schedule for your site, regression testing changes is of equal importance.

Database updates

Name: Drupal:updates [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\UpdateDBStatus

Updates to Drupal core or contrib modules sometimes include important database changes which should be applied after the code updates have been deployed.

HTTP Authorization Disabled

Name: HTTP:Authorization [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderNotExists

The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.

Authorization headers can bypass page caching strategies, which can detract from performance.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. Authorization

HTTP Cache-Control

Name: HTTP:Cache-Control [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderRegex

The Cache-Control header informs reverse proxies and browsers how to cache your web page for performance reasons. A cacheable page should also contain the max-age directive. E.g. max-age=600; public.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. Cache-Control
regex string A regular expression to validate the header value against. max-age=

HTTP Content-Security-Policy

Name: HTTP:Content-Security-Policy [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists

Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. Content-Security-Policy

Force HTTPS

Name: HTTP:ForceHTTPS [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpsRedirect

Ensure that requests over HTTP redirect the user to an HTTPS URL. This ensures no content is ever served over an insecure connection, which is considered a best practice.

HTTP HSTS

Name: HTTP:HSTS [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists

HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. Strict-Transport-Security

HTTP Referrer Policy

Name: HTTP:ReferrerPolicy [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists

Referrer Policy is a header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. Referrer-Policy

HTTPS Valid SSL Certificate

Name: HTTP:ValidSSL [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpStatusCode

Ensure HTTPS requests are served over a valid SSL connection. This validates the SSL certificate and chain authority to ensure browsers will also be able to trust this connection.

Parameters

Name Type Description Default
force_ssl true

HTTP X-Content-Type-Options

Name: HTTP:X-Content-Type-Options [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderMatch

X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is X-Content-Type-Options: nosniff.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. X-Content-Type-Options
header_value string The value to check against. nosniff

X-Drupal-Cache-Tags Header Disabled

Name: HTTP:X-Drupal-Cache-Tags [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderNotExists

X-Drupal-Cache-Tags is a debugging HTTP header Drupal sends to inform developers what cache tags are being utilised in an HTTP response. The header can be highly verbose on responses that use a lot of entities from both content and configuration.

This header should only be used in local development or in environment specific debugging.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. X-Drupal-Cache-Tags

HTTP X-Frame-Options

Name: HTTP:X-Frame-Options [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists

X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. X-Frame-Options

HTTP X-XSS-Protection

Name: HTTP:X-XSS-Protection [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderMatch

X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is X-XSS-Protection: 1; mode=block.

Parameters

Name Type Description Default
header string The HTTP header to check the value of. X-XSS-Protection
header_value string The value to check against. '1; mode=block'

Chrome distrusted Symantec PKI

Name: SSL:DistrustedSymantecPKI [View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\SslAssertion

At the end of July 2018, the Chrome team and PKI community plan to reduce, and remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web. SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 will no longer be trusted.

Parameters

Name Type Description Default
expression string The expression language to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html "not (cert[\"issuer\"][\"O\"] in [\"DigiCert Inc\", \"thawte, Inc.\", \"GeoTrust Inc.\"]\nand cert[\"validFrom_time_t\"] < 1512039600)\n"

Always error test policy

Name: Test:Error [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysError

This policy should always error.

Always fail test policy

Name: Test:Fail [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysFail

This policy should always fail.

Irrelevant test policy

Name: Test:Irrelevant [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysFail

This policy should always be not applicable.

Not applicable test policy

Name: Test:NA [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysNA

This policy should always be not applicable.

Always notice test policy

Name: Test:Notice [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysNotice

This policy should always be a notice.

Always pass test policy

Name: Test:Pass [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysPass

This policy should always pass.

Always pass dependant test policy

Name: Test:PassDependant [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysPass

This policy should always pass.

Always warn test policy

Name: Test:Warning [View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysWarn

This policy should always issue a warning.

Cloudflare always use HTTPS

Name: cloudflare:always_use_https [View Source]
Package: drutiny/content
Class: \Drutiny\Cloudflare\Audit\PageRuleMatch

To ensure all traffic to is secured over an SSL connection, Cloudflare comes with a feature to force any insecure traffic to redirect to a secure connection before a connection to the origin location is attempted. This ensures all traffic to is secured between the browser and Cloudflare.

Parameters

Name Type Description Default
rule string The page rule pattern to look up. 'http://:host/*'
settings array A keyed list of actions the page rule should action. always_use_https: true

Cloudflare Caching

Name: cloudflare:caching [View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis

Cloudflare CDN caches your website at different PoPs in closer geographic proximity to your visitors than your website is. These graphs show the amount of traffic handled by Cloudflare's CDN caching globally, offloading traffic from your origin web property.

Parameters

Name Type Description Default
expression string An expression to evaluate to determine the outcome of the audit true

Cloudflare Content

Name: cloudflare:content [View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis

The graphs below provide insight into the type of content requested through Cloudflare over the HTTP protocol (both encrypted and unencrypted).

Parameters

Name Type Description Default
expression string An expression to evaluate to determine the outcome of the audit true

#2819197 - Cloudflare workaround for Drupal 8 urlGenerator

Name: cloudflare:drupal-urlGenerator-workaround [View Source]
Package: drutiny/content
Class: \Drutiny\Cloudflare\Audit\PageRuleAnalysis

When a site is accessed at an unexpected base path (e.g. with index.php), it may cache links in a way that could be considered a minor site defacement and could also lead to a duplicate content SEO penalty. It can also impact caching strategy.

Parameters

Name Type Description Default
rule string The page rule pattern to look up. 'https://:host/index.php/*'
expression string An ExpressionLanguage expression to evaluate the outcome of a page rule. 'array_key_exists(''forwarding_url'', settings) and (settings[''forwarding_url''][''status_code''] == 301)'

Cloudflare Encryption

Name: cloudflare:encryption [View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis

Cloudflare offers the ability to offload SSL traffic for your entire zone. These graphs show the amount of traffic encrypted between Cloudflare and visitors.

Parameters

Name Type Description Default
expression string An expression to evaluate to determine the outcome of the audit true

Cloudflare HTTP Status Codes

Name: cloudflare:http_status [View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis

The graphs below provide insight into the traffic levels by HTTP status codes.

Parameters

Name Type Description Default
expression string An expression to evaluate to determine the outcome of the audit true

Cloudflare redirect Apex to primary domain

Name: cloudflare:redirect_apex [View Source]
Package: drutiny/content
Class: \Drutiny\Cloudflare\Audit\PageRuleMatch

If is the primary site under the domain then you may want all traffic to https:/// to be redirected to https:///. This ensures all traffic to both and are routed through a common domain and makes management of Cloudflare Page Rules easier to administer. This reduces the likelihood of strange behaviour due to Page Rules.

Parameters

Name Type Description Default
rule string The page rule pattern to look up. 'https://:zone/*'
settings array A keyed list of actions the page rule should action. forwarding_url:
url: 'https://:host/$1'
status_code: 301

Cloudflare Threat Management

Name: cloudflare:threats [View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis

Threats are requests Cloudflare identifies as malicious and blocks according to the configuration of the WAF. For more information on the types of threats see the knowledge base article on threat types.

Parameters

Name Type Description Default
expression string An expression to evaluate to determine the outcome of the audit true

Drupal Theme Directory Size

Name: fs:DrupalThemeDirectory [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\FsSize

Large theme directories can be indicative of best practice violations:

* Source files in site artifact, e.g. node_modules
* Media assets unsuitable for web delivery

Parameters

Name Type Description Default
max_size integer The maximum size in megabytes a directory should be. 50
path string The path of the directory to check for size. '%root/%themes'

Sensitive public files

Name: fs:SensitivePublicFiles [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\SensitivePublicFiles

Certain file extensions should never be in public files for security reasons.

Parameters

Name Type Description Default
extensions string The sensitive file extensions to look for. 'php,sh,py,sql,bz2,gz,tar,tgz,zip'

Large public files

Name: fs:largeFiles [View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\LargeFiles

Large static assets should ideally be housed in other services, e.g. Amazon S3 (for files) or YouTube (for videos).

Parameters

Name Type Description Default
max_size integer Report files larger than this value measured in megabytes. 50