Policy Library
Acquia Cloud Site Factory
Name: Acquia:ACSF
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Cloud Site Factory module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acsf |
Acquia Agent
Name: Acquia:AgentEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Agent module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acquia_agent |
Acquia Application Information
Name: Acquia:AppInfo
[View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\AppInfo
Application Information
ACSF Deployment Workspace
Name: Acquia:CheckSiteFactoryWorkspace
[View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\AcsfDeployWorkspaceCleaned
A bug in the ACSF deployment process left codebases in the tmp
directory
which could lead to filesystem bloat and excessive inodes.
Cloud Edge Caching
Name: Acquia:CloudEdgeCaching
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderMatch
When Cloudflare is successfully caching a page it will send out CF-Cache-Status
headers with caching information for the page requested. The value should be HIT
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | cf-cache-status |
header_value | string | The value to check against. | HIT |
Acquia Cloud Edge Purging Enabled
Name: Acquia:CloudEdgeNoPurge
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Acquia Cloud Edge CDN best practices recommend running a cache expiration of one minute or less at the edge. This is to ensure the edge keeps an accurate copy of page cache.
The Cloudflare purger module is only required when edge invalidation is required which is not the case for Acquia Cloud Edge best practice.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | cloudflarepurger |
Acquia Connector
Name: Acquia:Connected
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Connector module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acquia_connector |
Custom Domains Registered
Name: Acquia:CustomDomains
[View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\CustomDomains
Ensure there is one or more custom domains registered with Acquia Cloud.
No Database Search Indexes for Drupal 7
Name: Acquia:Drupal7:NoDbSearch
[View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\SearchDB
By default Drupal can create full text search indexes in the database which can lead to performance problems on large sites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | search_api_db |
Less than 2,500 files per directory
Name: Acquia:FilesPerDirectory
[View Source]
Package: drutiny/content
Class: Drutiny\Acquia\Audit\FilesPerDirectory
On Acquia Cloud, we have found that over 2,500 files in a single directory can seriously impact a server's performance and potentially its stability.
Parameters
Name | Type | Description | Default |
---|---|---|---|
limit | integer | The limit of files per directory. | 2500 |
Memcache module enabled
Name: Acquia:MemcacheEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
You can use the Memcache module to move some common cache queries out of the database and into memory. Information held in memory will always be retrieved more quickly than information retrieved from a database query.
Memcached is available for all Acquia Cloud websites. See Using Memcached for information about how to use Memcached with an Acquia Cloud-hosted Drupal website.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | memcache |
Acquia Production Mode
Name: Acquia:ProductionMode
[View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\EnvironmentAnalysis
Ensure Acquia production environment has Production Mode enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | 'environment["flags"]["production_mode"] === true' | ||
not_applicable | 'environment["flags"]["production"] === false |
Acquia Purge Enabled
Name: Acquia:PurgeEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Acquia Purge modules allows updates in content to be reflected in page cache in realtime on the Acquia Platform. It does this by administering bans to the platform page caching service (Varnish).
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acquia_purge |
Acquia Purge Plugin Exists
Name: Acquia:PurgePlugin
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\PurgePluginExists
Enabled purging of cached content on Acquia Cloud by adding it as a purge plugin.
Parameters
Name | Type | Description | Default |
---|---|---|---|
plugin | string | The plugins to check exists | acquia_purge |
Acquia SPI
Name: Acquia:SPIEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia SPI module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acquia_spi |
Secured Domains
Name: Acquia:SecureDomains
[View Source]
Package: drutiny/content
Class: \Drutiny\Acquia\Audit\SecureDomains
SSL enables your web application to use the HTTPS secure web protocol to safely communicate with your users online. To use SSL, your environment must have an SSL certificate, which you must purchase from a Certificate Authority (CA) or SSL certificate vendor and upload to Acquia Cloud.
ACSF Drupal Theme Directory Size
Name: Acquia:SiteFactory:DrupalThemeDirectory
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\FsSize
Large theme directories can be indicative of best practice violations: * Source files in site artifact. e.g. node_modules * Media assets unsuitable for web delivery
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | The maximum size in MegaBytes a directory should be. | 50 |
path | string | The path of the directory to check for size. | '%root/%themes/site/' |
Acquia Cloud Site Factory Pingdom
Name: Acquia:SiteFactory:Pingdom
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Cloud Site Factory Pingdom module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acsf_pingdom |
Acquia Search Auto Switch (D7)
Name: Acquia:SiteFactory:SearchAutoSwitch
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Using Site Factory and Acquia Search, the auto core selector needs to be disabled in order to work.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to compare. | acquia_search_disable_auto_switch |
value | mixed | The value to compare against | 1 |
Acquia Cloud Site Factory Theme
Name: Acquia:SiteFactory:ThemeEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Cloud Site Factory Theme module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acsf_theme |
Acquia Cloud Site Factory Variables
Name: Acquia:SiteFactory:Variables
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Cloud Site Factory Variables module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acsf_variables |
Drupal Theme Path References
Name: Acquia:SiteFactoryDefaultThemePath
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\CodeScan
Ensure there are no hard coded references to the default theme path in the deployed theme as this can and will cause a lot of HTTP 404s.
Parameters
Name | Type | Description | Default |
---|---|---|---|
directory | string | Absolute filepath to directory to scan | '%root/%themes/site/' |
whitelist | array | Whitelist patterns which the 'patterns' parameter may yield false positives from | - .md - .txt - .svg |
patterns | array | patterns to run over each matching file. | - sites\/all\/themes\/ |
Acquia Cloud Site Factory Duplication
Name: Acquia:SiteFactoryDuplication
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Cloud Site Factory Duplication module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acsf_duplication |
Acquia Cloud Site Factory OpenID
Name: Acquia:SiteFactoryOpenID
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Ensure the Acquia Cloud Site Factory OpenID module is enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | acsf_openid |
Serving files from production on development environments
Name: Acquia:StageFileProxy
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Development and staging servers may have less disk space allocated to them than a production server. When you are copying files from your production server back to staging or development, you can quickly fill up your disk space. It's possible to use the files on the production server for your staging site without copying them by using Stage File Proxy module.
Using the Stage File Proxy module enables a development server to maintain a clean files directory and use files from an alternate source by directly referencing that alternate source. An additional option within the module allows the file system on the development server to be seeded with files from the production server.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | stage_file_proxy |
.htaccess redirects
Name: Apache:LimitHtacessRedirects
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Apache\HtaccessRedirects
When there are a large number of redirects in the .htaccess
file
they are all required to be loaded at run time during every request as Apache
needs to analyze the contents so that it can make appropriate decisions about
how to process the application and incoming requests. Redirect rules should be
refactored to take advantage of regular expressions if possible. Otherwise the
redirect module should be added to the site and all of the redirects in the
.htaccess
file should be moved into the Drupal site. Although
these redirects will then require a Drupal bootstrap in order to fulfill the
request, Varnish will be able to cache the redirect once it has been made once
as long as there is a maximum age set on the site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_redirects | integer | The maximum number of redirects to allow in htaccess. | 10 |
Database fulltext indexing
Name: Database:Fulltext
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\SqlResultAudit
Tables with FULLTEXT indexes cannot currently be converted to InnoDB (a solution for this is in development for MySQL 5.6). Queries involving these tables with FULLTEXT indexing could lead to performance problems.
Parameters
Name | Type | Description | Default |
---|---|---|---|
query | string | The SQL query to run. Can use other parameters for variable replacement. | "SELECT DISTINCT table_name FROM information_schema.statistics\nWHERE index_type = 'FULLTEXT'\nAND table_schema = ':db-name'\n" |
expression | string | An expression language expression to evaluate a successful auditable outcome. | 'count == 0' |
Database size
Name: Database:Size
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Database\DatabaseSize
Large databases can negatively impact your production site, and slow down things like database dumps. The size reported is the data and index size combined.
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | The maximum size in megabytes the database should be. | 1000 |
warning_size | integer | The size in megabytes this check will issues a warning at. | 800 |
BlackList Permissions
Name: Drupal-7:BlackListPermissions
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\BlacklistPermissions
Checks to ensure roles do not contain blacklisted permissions.
Parameters
Name | Type | Description | Default |
---|---|---|---|
permissions | array | An array of permissions to ensure are not available to non-administrator | |
roles | |||
- 'administer site configuration' |
CSS Aggregation
Name: Drupal-7:CSSAggregation
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
With CSS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | preprocess_css |
value | boolean | The value of the variable | 1 |
Application Page Cache
Name: Drupal-7:CacheLifetime
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
The minimum cache lifetime prevents Drupal from clearing page and block caches after changes are made to nodes or blocks, for a set period of time. This can cause unexpected behavior when editing content or when an external cache such as a CDN or Varnish is employed.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | cache_lifetime |
value | boolean | The value of the variable | 0 |
Cron running regularly
Name: Drupal-7:CronLast
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\CronLast
Making sure the cron jobs are running properly is key to a healthy Drupal site.
Database logging disabled
Name: Drupal-7:DblogModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The database logging module logs Drupal's watchdog logs into the Drupal database. This works fine in development but can cause performance issues for production websites. Its recommended to disabled this module in production.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | dblog |
Devel module is not installed
Name: Drupal-7:DevelDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
A suite of modules containing fun for module developers and themers. Not recommended for production use.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | devel |
Error Level
Name: Drupal-7:ErrorLevel
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
When PHP encounters an error, it can generate an error log and display a report on the screen. While these error messages can be helpful in debugging your site, they can be a security risk on a live site as they may reveal information about your server that can be used to compromise it. site becoming unavailable or unresponsive.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | error_level |
value | boolean | The value of the variable | 0 |
Image Derivatives
Name: Drupal-7:ImageDerivatives
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | image_allow_insecure_derivatives |
value | boolean | The value of the variable | 0 |
default | boolean | The default value of the variable | 0 |
Installation Complete
Name: Drupal-7:InstallTaskCompleted
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
If you fail to set this variable correctly, it can leave your install.php
script open to the general public.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | install_task |
value | mixed | The value of the variable | done |
Js Aggregation
Name: Drupal-7:JsAggregation
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
With JS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | preprocess_js |
value | boolean | The value of the variable | 1 |
Missing modules
Name: Drupal-7:MissingModules
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\MissingModules
The warning was introduced in Drupal 7.50 and is displayed when Drupal is attempting to find a module or theme in the file system, but either cannot find it or does not find it in the expected place.
Modules enabled
Name: Drupal-7:ModulesEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModulesEnabled
Check that a set of modules are enabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
modules | array | The name of the modules to ensure is enabled. | - syslog |
No Administrators
Name: Drupal-7:NoAdmins
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\NoAdministrators
Ensure there are no administrators beyond uid:1. This reduces the surface area of escalated accounts being compromised.
Backup and Migrate is not installed
Name: Drupal-7:NoBackupAndMigrate
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
With Backup and Migrate you can dump some or all of your database tables to a file download or save to a file on the server or offsite, and to restore from an uploaded or previously saved database dump. You can choose which tables and what data to backup and cache data is excluded by default. It is not advised to use this module in production if there are alternative options to obtain the same ends.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | backup_migrate |
Duplicate modules
Name: Drupal-7:NoDuplicateModules
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\DuplicateModules
Duplicate modules can cause a variety of strange behaviors should Drupal ever unexpectedly load the wrong version.
No Page Compression
Name: Drupal-7:NoPageCompression
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Drupal's Compress cached pages option (page_compression) can cause unexpected behavior when an external cache such as Varnish is employed, and typically provides no benefit. Therefore, Compress cached pages should be disabled
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | page_compression |
value | boolean | The value of the variable | 0 |
Overlay module disabled
Name: Drupal-7:OverlayModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The Drupal core overlay module can cause usability issues and prove to be problematic from a support perspective. It is recommended not to use this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | overlay |
PSA-2016-003: Scan webform files for anon PDF uploads
Name: Drupal-7:PSA-2016-003
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\Security\WebformPSA_2016_003
This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. For more information, visit https://www.drupal.org/forum/newsletters/security-public-service-announcements/2016-10-10/drupal-file-upload-by-anonymous
Page Cache Control Max Age
Name: Drupal-7:PageCacheMaximumAge
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Ensure you page cache expiry is set to an optimal level for best performance.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | page_cache_maximum_age |
value | boolean | The value of the variable | 300 |
comp_type | string | The comparison operator to use | gte |
PHP
Name: Drupal-7:PhpModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. There are better alternatives out there that do not expose such vulnerabilities on your site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | php |
Poor Mans Cron Disabled
Name: Drupal-7:PoorMansCronDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Checks that poor mans cron is disabled and will never run with a web thread.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | cron_safe_threshold |
value | boolean | The value of the variable | 0 |
CSS Aggregation
Name: Drupal-7:SA-CORE-2013-003
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleVersion
SA-CORE-2013-003 announed several vulnerabilities and is considered highly critical. The vulnerabilities are:
- Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
- Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7): CVE-2013-6386
- Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7): No CVE; considered remediated through "security hardening"
- Access bypass (Security token validation - Drupal 6 and 7): No CVE; considered remediated through "security hardening."
- Cross-site scripting (Image module - Drupal 7): CVE-2013-6387
- Cross-site scripting (Color module - Drupal 7): CVE-2013-6388
- Open redirect (Overlay module - Drupal 7): CVE-2013-6389
For more information, see SA-CORE-2013-003.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to version information for | system |
version | string | The static version to check against. | 7.24 |
Search404 module disabled
Name: Drupal-7:Search404ModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The search 404 module conducts searches on 404 pages. This can have impacts to performance and confuse search bots.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | search404 |
Search API Database
Name: Drupal-7:SearchApiDb
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\SearchApiDb
Search backed with the database (and not Solr) can cause performance impacts to your site. Often the SQL queries caused but using the database are slow.
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | The maximum size of nodes in the index before it is considered an error. | |
50 |
Secure Pages: HTTP Redirect
Name: Drupal-7:SecureHTTPRedirect
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Ensure secure pages module is configured to force redirect to HTTPS.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | securepages_pages |
value | string | The value of the variable | '*' |
Secure Pages Config: Enabled
Name: Drupal-7:SecurePagesConfig:Enabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
To start using secure pages this setting must be enabled. This setting will only be able to changed when the web server has been configured for SSL.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | securepages_enable |
value | boolean | The value of the variable | 1 |
Secure Pages Config: No Downgrade
Name: Drupal-7:SecurePagesConfig:NoDowngrade
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Secure pages shouldn't be configured to allow downgrade to HTTP.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | securepages_switch |
value | boolean | The value of the variable | 0 |
Secure Pages Enabled
Name: Drupal-7:SecurePagesEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Secure Pages module ensures requests are handled securely.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is enabled. | securepages |
Secure Pages Listed
Name: Drupal-7:SecurePagesListed
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Enusre Secure Pages is configured to secure a whitelist of pages.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | securepages_secure |
value | boolean | The value of the variable | 1 |
Shield Disabled
Name: Drupal-7:ShieldModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The shield module protects Drupal sites from prying eyes, often it is used to protect sites that are not yet live, but should never be enabled for live sites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | shield |
Simpletest
Name: Drupal-7:SimpletestModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The Simpletest module is for testing purposes only and shouldn't be enabled in production.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | simpletest |
Statistics
Name: Drupal-7:StatisticsModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module comes with Drupal core and attempts to track page view information. However as often Drupal uses upstream page cache proxies this module is often inccurate and not worth the performance impact it causes.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | statistics |
Untrusted Roles with administrative permissions
Name: Drupal-7:UntrustedRoles
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\UntrustedRoles
Make sure administrative permissions has not been assigned to untrusted roles.
Parameters
Name | Type | Description | Default |
---|---|---|---|
untrusted_roles | array | The names of untrusted Roles. | - 'anonymous user' - 'authenticated user' |
Update
Name: Drupal-7:UpdateModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The update module fetches the latest module information from Drupal.org and reports on the module statuses used on the site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is disabled. | update |
User #1 Locked Down
Name: Drupal-7:User1LockDown
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\User1
It is important to lock down user #1 in Drupal, this user is special an ignores access control.
Parameters
Name | Type | Description | Default |
---|---|---|---|
blacklist | string | The usernames of the the uid:1 user that are considered forbidden. | |
Expression maybe a regular expression to match patterns. | |||
(admin | root | drupal | |
string | The email that the uid:1 user should have. If an empty string is provided | ||
then this check is omitted. | |||
no_reply@example.com | |||
status | boolean | Ensures the uid:1 user status reflects the same as this argument. Defaults | |
to active (1). | |||
1 |
User Registration Disabled
Name: Drupal-7:UserRegistrationDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Anonymous sites should have user registration set to off to prevent spam registrations.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | user_register |
value | boolean | The value of the variable | 0 |
Views Cache
Name: Drupal-7:ViewsCache
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsCache
Ensure views cache is enabled and configured
Views Pagination
Name: Drupal-7:ViewsPagination
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsPagination
Ensure views pagination is not over a threshold
Parameters
Name | Type | Description | Default |
---|---|---|---|
limit | integer | The maximum number of rows a view can list | 60 |
Views SQL Signature
Name: Drupal-7:ViewsSqlSignature
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Ensure that Views SQL queries contain a signature that will identify the view the SQL query came from. Useful for database performance debugging.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to check. | views_sql_signature |
value | boolean | The value of the variable | 1 |
Views UI module is not installed
Name: Drupal-7:ViewsUIDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module can impose a small performance penalty when enabled, and can allow the essential views required by your website to be modified.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | views_ui |
XML sitemap base URL
Name: Drupal-7:XMLSitemapBaseURL
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
The XML sitemap module adds a sitemap on the URL /sitemap.xml
.
If not properly configured, the sitemap will point to an incorrect or
possibly broken site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The name of the variable to compare. | xmlsitemap_base_url |
value | mixed | The value to compare against | '^https?://.+$' |
comp_type | string | The comparison operator to use | regex |
required_modules | array | An optional array of modules required in order to check variables | xmlsitemap |
Zen rebuild registry disabled
Name: Drupal-7:ZenRegistryRebuild
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ZenRebuildRegistry
The rebuild registry feature is enabled for your theme. This setting is only used during theme development, and can negatively impact site performance.
APC is not installed
Name: Drupal-7:acquiaAPCDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Alternative PHP cache is not recommended on Acquia Cloud. It stores data on a per-server basis, which can lead to different data being served by different servers. It also uses memory that would otherwise be used by OPcache. We recommend using Memcachedinstead. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | apc |
Adaptive Image is not installed
Name: Drupal-7:acquiaAdaptiveImageDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Exercise some care when using this module because it may have issues storing image derivatives when caching is turned on. When this module is in use, users who visit a page directly after a cache clear will set the image size for that page and that image size is used for all visitors, regardless of what their browser is.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | adaptive_image |
Apache Solr File is not installed
Name: Drupal-7:acquiaApacheSolrFileDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Customers are unable to modify the solrconfig.xml file on Acquia Cloud. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | apachesolr_file |
Authcache is not installed
Name: Drupal-7:acquiaAuthcacheDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This requires an evaluation of performance issues versus application complexity. Caching pages or blocks is often a better option. This module can significantly increase the size of your page cache.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | authcache |
AutoSlave is not installed
Name: Drupal-7:acquiaAutoSlaveDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The Acquia Cloud platform is configured to auto-detect the primary and subordinate servers and handle failover situations. This module hardcodes the settings and can cause your server to read or write to the incorrect database. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | autoslave |
Bean is not installed
Name: Drupal-7:acquiaBeanDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Specifically, we recommend against the use of bean_entitycache. When combined with the Memcache module, its behavior is unpredictable, and its use can have a negative performance impact on your application.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | bean |
Boost is not installed
Name: Drupal-7:acquiaBoostDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This creates many disk writes, which can cause problems on shared servers. See Boost and Acquia Cloud for more details. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | boost |
CAS is not installed
Name: Drupal-7:acquiaCASDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Check the Check with the CAS server to see if the user is already logged in setting. This requires session cookies to be set, preventing Varnish® from caching pages. We suggest Bakery or SimpleSAML as an alternative.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | cas |
CloudFlare Purge is not installed
Name: Drupal-7:acquiaCFPurgeDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module includes API limits that may prevent users from viewing updated content on your website. Instead, Acquia recommends the use of Acquia Purge. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | cfpurge |
CiviCRM is not installed
Name: Drupal-7:acquiaCiviCRMDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
CiviCRM is dependent on stored procedures and triggers that do not work on the Acquia Cloud platform. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | civicrm |
Configuration Management is not installed
Name: Drupal-7:acquiaConfigMgmtDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module requires a writeable directory that is also trackable at the same time by Git; this is not currently possible on Acquia Cloud. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | configuration |
Contact Importer is not installed
Name: Drupal-7:acquiaContactImporterDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Issue due to its reliance on Open Inviter. Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | contact_importer |
DB Maintenance is not installed
Name: Drupal-7:acquiaDBMaintenanceDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Using this module improperly can potentially cause slowdowns or outages. If you believe that your application has tables that need optimizing, open a ticket with Acquia Support.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | db_maintenance |
Devinci is not installed
Name: Drupal-7:acquiaDevinciDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module does not include settings for the Acquia Remote Administration environment.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | devinci |
Elysia Cron is not installed
Name: Drupal-7:acquiaElysiaCronDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Elysia Cron requires careful setup. Acquia Support has seen implementations of this module that call some hooks too frequently, causing performance problems significant enough to take a production application down.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | elysia_cron |
Filefield Sources is not installed
Name: Drupal-7:acquiaFilefieldSourcesDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Using this module on Acquia Cloud causes issues with Acquia Remote Administration services. If you are using this module, it conflicts with the Stage File proxy module, and you will not be able to see images on your RA environment.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | filefield_sources |
HTML Purifier is not installed
Name: Drupal-7:acquiaHTMLPurifierDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | htmlpurifier |
HTTPRL is not installed
Name: Drupal-7:acquiaHTTPRLDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
May require some special configuration to use on Acquia Cloud, or it can generate errors.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | httprl |
Lightweight Directory Access Protocol (LDAP) is not installed
Name: Drupal-7:acquiaLDAPDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
LDAP alone without SSO can work on Acquia Cloud. SSO requires NTLM (NT LAN Manager) support, which is an Apache module that Acquia does not currently support.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | ldap |
Link Checker is not installed
Name: Drupal-7:acquiaLinkCheckerDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The Link Checker module can sometime cause timeouts when cron is run.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | linkchecker |
Node view count is not installed
Name: Drupal-7:acquiaNodeViewCountDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This statistics module can be configured to count each node visit, which can trigger multiple database writes. This behavior can cause serious performance issues with the database-use caution when configuring this on high traffic websites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | nodeviewcount |
Optimize DB is not installed
Name: Drupal-7:acquiaOptimizeDBDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Using this module improperly can potentially cause slowdowns or outages. If you feel your site has tables that need optimizing, contact Acquia Support.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | optimizedb |
Print is not installed
Name: Drupal-7:acquiaPrintDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
If not properly secured, this module can open up your application to being abused as a spam relay. If you use this module, be sure to configure it so that anonymous users cannot send email.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. |
Redirect 403 to User Login is not installed
Name: Drupal-7:acquiaR4032LoginDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This may cause issues with anonymous session cookies. Disable the Access denied. You must log in to view this page. check box in the module settings.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | r4032login |
Radioactivity is not installed
Name: Drupal-7:acquiaRadioactivityDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module requires that memcache servers be hardcoded in a separate configuration file, which directly conflicts with Acquia’s high availability services. Acquia’s platform dynamically modifies available memcache servers, and hardcoded servers can cause application outages.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | radioactivity |
Search 404 is not installed
Name: Drupal-7:acquiaSearch404Disabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This useful module triggers a search when a user lands on a 404 page. This is best used with Fast 404 to prevent missing files from also triggering a search.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | search404 |
Serial is not installed
Name: Drupal-7:acquiaSerialDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Serial is based on an auto_increment of 1. Acquia Cloud uses an auto_increment of five. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | serial |
Shibboleth Authentication is not installed
Name: Drupal-7:acquiaShibAuthDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Shibboleth is not supported on Acquia Cloud. Other methods of achieving this functionality are SimpleSAMLphp or LDAP. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | shib_auth |
TCPDF is not installed
Name: Drupal-7:acquiaTCPDFDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | tcpdf |
Varnish Module is not installed
Name: Drupal-7:acquiaVarnishModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This Drupal module attempts to replicate the effort of the Varnish Cache that is already available to Acquia Cloud applications. It will not work with Acquia Cloud applications because it requires connections to the load balancers, which Acquia does not provide. The Varnish caching provided by Acquia works out of the box, as long as you use caching.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | varnish |
WURFL is not installed
Name: Drupal-7:acquiaWURFLDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | wurfl |
WYSIWYG CKFinder is not installed
Name: Drupal-7:acquiaWYSIWYGCKFinderDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | wysiwyg_ckfinder |
Workbench Moderation is not installed
Name: Drupal-7:acquiaWorkbenchModerationDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module does not work out of the box with ApacheSolr search integration. Learn more about problems and a solution.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | workbench_moderation |
Block Cache Alter is not installed
Name: Drupal-7:blockcacheAlterDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module causes issues with caching, and has not been updated in several years. It is not recommended for use. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | blockcache_alter |
EntityReference Autocomplete Performance
Name: Drupal-7:entityreference
[View Source]
Package: drutiny/content
Class: Drutiny\Plugin\Drupal7\Audit\EntityReferenceAutocomplete
Ensure that entity reference fields are configured correctly.
Facebook Connect is not installed
Name: Drupal-7:fbconnectDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Require session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | fbconnect |
File Cache with Gluster is not installed
Name: Drupal-7:fileCacheGlusterDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The File Cache module moves caching to Gluster, which can cause major load on the Gluster file system and can cause the site (or multiple sites in the case of shared hosting) to go down. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | filecache |
Views Global Filter is not installed
Name: Drupal-7:globalFilterDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Sets session cookies to filter views, which prevents Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | global_filter |
H5P is not installed
Name: Drupal-7:h5pDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The H5P module sets session cookies for anonymous visitors utilizing pages that contain H5P elements. This results in all future requests for those anonymous users to bypass Varnish caching. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | h5p |
IP Geolocation is not installed
Name: Drupal-7:ipGeolocDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Require session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | ip_geoloc |
Memcache Storage is not installed
Name: Drupal-7:memcacheStorageDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Although not incompatible, it is discouraged to use this module’s due to its developer’s limited updates. Instead, encourage the use of the Memcache API and Integration module. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | memcache_storage |
Purge Module is not installed
Name: Drupal-7:purgeDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The Purge (7.x-1.x) module is not specifically incompatible, but can be difficult to set up correctly. We suggest using Acquia Purge instead. It is specifically intended for use on Acquia Cloud. Over time, these modules are planned to merge. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | purge |
reCAPTCHA is not installed
Name: Drupal-7:recaptchaDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The reCAPTCHA module requires session cookies to be set. This functionality prevents Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | recaptcha |
Role Memory Limit is not installed
Name: Drupal-7:roleMemoryLimitDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module overrides memory limits set in settings.php. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | role_memory_limit |
Session API is not installed
Name: Drupal-7:sessionAPIDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Requires session cookies to be set, preventing Varnish from caching pages. Session API sets cookies on the user. Because of this, cron can run intense queries to join the session and session_api tables. This can cause major slowdowns. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | session_api |
Session Cache API is not installed
Name: Drupal-7:sessionCacheDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module is generally incompatible with Varnish caching. It may also cause file system performance issues. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | session_cache |
Smart IP is not installed
Name: Drupal-7:smartIPDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module can be configured to set session cookies for anonymous users, making it incompatible with Varnish. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | smart_ip |
Super Cookie is not installed
Name: Drupal-7:supercookieDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Stores sessions outside of the session table, and sets no cache headers. This module is also incompatible with Varnish. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | supercookie |
TB Mega Menu is not installed
Name: Drupal-7:tbMegaMenuDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module can cause performance problems for your website and is not covered by Drupal’s security policy. If it must be used, patch the module to reduce calls made to your website’s database. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | tb_megamenu |
Text Size is not installed
Name: Drupal-7:textSizeDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | textsize |
Views Filter Harmonizer is not installed
Name: Drupal-7:viewsFilterHarmonizerDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module sets a SESSION cookie, preventing Varnish caching. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | filter_harmonizer |
Configuration development module is not installed
Name: Drupal-8:ConfigDevelDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module helps with developing configuration. Do not deploy in production environments. Exercise caution and always use version control.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | config_devel |
Content Owned By Drupal's Anonymous User
Name: Drupal-8:ContentOwnedByAnonymous
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\SqlResultAudit
Content owned by a user that is not expected can pose a security risk whereby untrusted users might be able to include malicious code in content. If the unexpected user is "Anonymous", this could mean any site visitor could present a risk if they entered malicious code into content. This policy identifies if there are nodes owned by Drupal's Anonymous User.
Parameters
Name | Type | Description | Default |
---|---|---|---|
query | string | The SQL query to run. Can use other parameters for variable replacement. | 'SELECT COUNT(*) as frequency, type FROM node_field_data WHERE uid = 0 GROUP BY TYPE;' |
expression | string | An expression language expression to evaluate a successful auditable outcome. | 'count < 1' |
Cron last run
Name: Drupal-8:CronHasRun
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\CronHasRun
Cron should be run regularly to ensure that scheduled events are processed in a timely manner.
Parameters
Name | Type | Description | Default |
---|---|---|---|
cron_max_interval | integer | The maximum number in seconds alloweds since last cron run | 86400 |
Cron running regularly
Name: Drupal-8:CronLast
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\CronLast
Making sure the cron jobs are running properly is key to a healthy Drupal site.
CSS aggregation is enabled
Name: Drupal-8:CssAggregation
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
With CSS optimization not installed your website visitors are experiencing slower page performance and the server load is increased.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The config collection the config item belows to | system.performance |
key | string | css.preprocess | |
value | boolean | true |
Database logging is not installed
Name: Drupal-8:DblogDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The Drupal core databse logging module can cause database performance issues in production. It is recommended to disable and uninstall this module. Use the syslog module in its place.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | dblog |
Memcache set as default cache backend
Name: Drupal-8:DefaultCacheMemcache
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\SettingCompare
Ensure the majority of your application caching is driven through Memcache by setting it as the default backend (usually opposed to using the database).
Memcache is a better service for cache storage over the database as it decouples cache performance from database load. This means slow queries will not impact cache performance (beyond any shared resourcing between the services).
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The key in settings.php to check. Use dot syntax to traverse settings array. | |
cache.default | |||
value | string | The value that should be set if the settings key exists. | |
cache.backend.memcache |
Devel module is not installed
Name: Drupal-8:DevelDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
A suite of modules containing fun for module developers and themers. Not recommended for production use.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | devel |
No duplicate modules found
Name: Drupal-8:DuplicateModules
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\DuplicateModules
Duplicate modules can cause a variety of strange behaviors should Drupal ever unexpectedly load the wrong version.
Hide errors from screen (log only)
Name: Drupal-8:ErrorLevel
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
When PHP encounters an error, it can generate an error log and display a report on the screen. While these error messages can be helpful in debugging your site, they can be a security risk on a live site as they may reveal information about your server that can be used to compromise it.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.logging |
key | string | The key the config belongs to. | error_level |
value | mixed | The value to compare against the retrived value. | hide |
Core Fast 404 Enabled
Name: Drupal-8:Fast404Enabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
Core's fast 404 configuration allows Drupal to spend little time on 404 error pages that match the Fast 404 criteria.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.performance |
key | string | The key the config belongs to. | fast_404.enabled |
value | mixed | The value to compare against the retrived value. | true |
Javascript aggregation
Name: Drupal-8:JsAggregation
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
With Javascript aggregation not installed your website visitors are experiencing slower page performance especially on slower networks.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.performance |
key | string | The key the config belongs to. | js.preprocess |
value | mixed | The value to compare against the retrived value. | true |
Kint module is not installed
Name: Drupal-8:KintDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Kint for PHP is a tool designed to present your debugging data in the absolutely best way possible. In other words, it's var_dump() and debug_backtrace() on steroids. Easy to use, but powerful and customizable. An essential addition to your development toolbox. Should not be used in production.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | kint |
Memcache module enabled
Name: Drupal-8:MemcacheEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
This module provides integration between Drupal and Memcached with the following features:
- An API for using Memcached and the PECL Memcache or Memcached libraries with Drupal.
- Memcache backends for the following systems (all drop-in): Caching Locking
- A module that provides a comprehensive administrative overview of Drupal's interaction with Memcached and stats.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is enabled. | memcache |
Memcache extension set
Name: Drupal-8:MemcachedExtension
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\SettingCompare
In order for the memcache module to work, the php memcached extension must be available on the runtime environment. In addition, when using PHP 5.6, Drupal must tell the memcache module to use the memcached extension (opposed to the memcache extension).
Parameters
Name | Type | Description | Default |
---|---|---|---|
key | string | The key in settings.php to check. Use dot syntax to traverse settings array. | |
memcache.extension | |||
value | string | The value that should be set if the settings key exists. | |
Memcached |
Automated Cron module is not installed
Name: Drupal-8:NoAutomatedCron
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The automated cron module will hijack page requests in order to run cron. This has a performance impact for end users who are unlucky being burdened with the task without consent and unknowingly.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | automated_cron |
Backup and Migrate is not installed
Name: Drupal-8:NoBackupAndMigrate
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
With Backup and Migrate you can dump some or all of your database tables to a file download or save to a file on the server or offsite, and to restore from an uploaded or previously saved database dump. You can choose which tables and what data to backup and cache data is excluded by default. It is not advised to use this module in production if there are alternative options to obtain the same ends.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | backup_migrate |
No Experimental Modules in Use
Name: Drupal-8:NoExperimental
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\NoExperimentalCore
Drupal 8 core introduces the concept of experimental modules. These are modules that are provided with Drupal core for testing purposes, but that are not yet fully supported. Experimental modules are included in the Core (Experimental) package on the Extend page of a Drupal site (/admin/modules).
More information at https://www.drupal.org/core/experimental
Drupal Page cache expiry is set
Name: Drupal-8:PageCacheExpiry
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
Page cache expiry informs upstream proxies such as Varnish and CDNs how long they may cache a page response before it should be considered stale and refetched from Drupal.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | system.performance |
key | string | The key the config belongs to. | cache.page.max_age |
value | integer | The number of seconds page cache should be considered valid for. | 3600 |
comp_type | string | The type of comparison to conduct. Defaults to equals. See Drutiny\Audit\AbstractComparison | '>=' |
PHP module is not installed
Name: Drupal-8:PhpDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. There are better alternatives out there that do not expose such vulnerabilities on your site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | php |
Purge module enabled
Name: Drupal-8:PurgeEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Purge modules integrates other services into Drupal's caching strategy
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is enabled. | purge |
Shield module is not installed
Name: Drupal-8:ShieldDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The shield module protects Drupal sites from prying eyes, often it is used to protect sites that are not yet live, but should never be enabled for live sites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | shield |
Simpletest module is not installed
Name: Drupal-8:SimpleTestDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The Simpletest module is for testing purposes only and shouldn't be enabled in production.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | simpletest |
Statistics module is not installed
Name: Drupal-8:StatisticsDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module comes with Drupal core and attempts to track page view information. However as often Drupal uses upstream page cache proxies this module is often inccurate and not worth the performance impact it causes.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | statistics |
Untrusted Roles with administrative permissions
Name: Drupal-8:UntrustedRoles
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\UntrustedRoles
Make sure administrative permissions has not been assigned to untrusted roles.
Parameters
Name | Type | Description | Default |
---|---|---|---|
untrusted_roles | array | The untrusted Roles. | - anonymous - authenticated |
Unused modules in the codebase
Name: Drupal-8:UnusedModules
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\UnusedModules
Update module is not installed
Name: Drupal-8:UpdateDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The update module fetches the latest module information from Drupal.org and reports on the module statuses used on the site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | update |
Administrator login is locked down (uid:1)
Name: Drupal-8:User1LockDown
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\User1
It is important to lock down user #1 in Drupal, this user is special an ignores access control.
Parameters
Name | Type | Description | Default |
---|---|---|---|
blacklist | string | The usernames of the the uid:1 user that are considered forbidden. | |
Expression maybe a regular expression to match patterns. | |||
(admin | root | drupal | |
string | The email that the uid:1 user should have. If an empty string is provided | ||
then this check is omitted. | |||
no_reply@example.com | |||
status | boolean | Ensures the uid:1 user status reflects the same as this argument. Defaults | |
to active (1). | |||
1 |
User registration available to administrators only
Name: Drupal-8:UserRegistrationAdminOnly
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
Anonymous sites should have user registration set to off to prevent spam registrations
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | user.settings |
key | string | The key the config belongs to. | register |
value | mixed | The value to compare against the retrived value. | admin_only |
Views UI module is not installed
Name: Drupal-8:ViewsUIDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module can impose a small performance penalty when enabled, and can allow the essential views required by your website to be modified.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | views_ui |
Webprofiler module is not installed
Name: Drupal-8:WebprofilerDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The web profiler is a developer module to help profile a PHP page load.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | webprofiler |
APC is not installed
Name: Drupal-8:acquiaAPCDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Alternative PHP cache is not recommended on Acquia Cloud. It stores data on a per-server basis, which can lead to different data being served by different servers. It also uses memory that would otherwise be used by OPcache. We recommend using Memcachedinstead. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | apc |
Apache Solr File is not installed
Name: Drupal-8:acquiaApacheSolrFileDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Customers are unable to modify the solrconfig.xml file on Acquia Cloud. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | apachesolr_file |
AutoSlave is not installed
Name: Drupal-8:acquiaAutoSlaveDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The Acquia Cloud platform is configured to auto-detect the primary and subordinate servers and handle failover situations. This module hardcodes the settings and can cause your server to read or write to the incorrect database. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | autoslave |
Boost is not installed
Name: Drupal-8:acquiaBoostDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This creates many disk writes, which can cause problems on shared servers. See Boost and Acquia Cloud for more details. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | boost |
CAS is not installed
Name: Drupal-8:acquiaCASDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Check the Check with the CAS server to see if the user is already logged in setting. This requires session cookies to be set, preventing Varnish® from caching pages. We suggest Bakery or SimpleSAML as an alternative.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | cas |
CloudFlare Purge is not installed
Name: Drupal-8:acquiaCFPurgeDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module includes API limits that may prevent users from viewing updated content on your website. Instead, Acquia recommends the use of Acquia Purge. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | cfpurge |
CiviCRM is not installed
Name: Drupal-8:acquiaCiviCRMDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
CiviCRM is dependent on stored procedures and triggers that do not work on the Acquia Cloud platform. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | civicrm |
Configuration Management is not installed
Name: Drupal-8:acquiaConfigMgmtDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module requires a writeable directory that is also trackable at the same time by Git; this is not currently possible on Acquia Cloud. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | configuration |
DB Maintenance is not installed
Name: Drupal-8:acquiaDBMaintenanceDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Using this module improperly can potentially cause slowdowns or outages. If you believe that your application has tables that need optimizing, open a ticket with Acquia Support.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | db_maintenance |
Devinci is not installed
Name: Drupal-8:acquiaDevinciDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module does not include settings for the Acquia Remote Administration environment.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | devinci |
Dropzone JS is not installed
Name: Drupal-8:acquiaDropzoneJSDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
When uploading files with the dropzonejs module (included with Lightning)
to an application with multiple web servers served by a single load
balancer, the web server that processes the form submission may not be
the web server that received the temporary file in the AJAX request.
Upload files through the /media/add
interface instead.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | dropzonejs |
Filefield Sources is not installed
Name: Drupal-8:acquiaFilefieldSourcesDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Using this module on Acquia Cloud causes issues with Acquia Remote Administration services. If you are using this module, it conflicts with the Stage File proxy module, and you will not be able to see images on your RA environment.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | filefield_sources |
HTML Purifier is not installed
Name: Drupal-8:acquiaHTMLPurifierDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | htmlpurifier |
Lightweight Directory Access Protocol (LDAP) is not installed
Name: Drupal-8:acquiaLDAPDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
LDAP alone without SSO can work on Acquia Cloud. SSO requires NTLM (NT LAN Manager) support, which is an Apache module that Acquia does not currently support.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | ldap |
Link Checker is not installed
Name: Drupal-8:acquiaLinkCheckerDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The Link Checker module can sometime cause timeouts when cron is run.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | linkchecker |
Node view count is not installed
Name: Drupal-8:acquiaNodeViewCountDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This statistics module can be configured to count each node visit, which can trigger multiple database writes. This behavior can cause serious performance issues with the database-use caution when configuring this on high traffic websites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | nodeviewcount |
Optimize DB is not installed
Name: Drupal-8:acquiaOptimizeDBDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Using this module improperly can potentially cause slowdowns or outages. If you feel your site has tables that need optimizing, contact Acquia Support.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | optimizedb |
Redirect 403 to User Login is not installed
Name: Drupal-8:acquiaR4032LoginDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This may cause issues with anonymous session cookies. Disable the Access denied. You must log in to view this page. check box in the module settings.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | r4032login |
Radioactivity is not installed
Name: Drupal-8:acquiaRadioactivityDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module requires that memcache servers be hardcoded in a separate configuration file, which directly conflicts with Acquia’s high availability services. Acquia’s platform dynamically modifies available memcache servers, and hardcoded servers can cause application outages.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | radioactivity |
Search 404 is not installed
Name: Drupal-8:acquiaSearch404Disabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This useful module triggers a search when a user lands on a 404 page. This is best used with Fast 404 to prevent missing files from also triggering a search.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | search404 |
Serial is not installed
Name: Drupal-8:acquiaSerialDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Serial is based on an auto_increment of 1. Acquia Cloud uses an auto_increment of five. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | serial |
Shibboleth Authentication is not installed
Name: Drupal-8:acquiaShibAuthDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Shibboleth is not supported on Acquia Cloud. Other methods of achieving this functionality are SimpleSAMLphp or LDAP. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | shib_auth |
TCPDF is not installed
Name: Drupal-8:acquiaTCPDFDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | tcpdf |
Varnish Module is not installed
Name: Drupal-8:acquiaVarnishModuleDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This Drupal module attempts to replicate the effort of the Varnish Cache that is already available to Acquia Cloud applications. It will not work with Acquia Cloud applications because it requires connections to the load balancers, which Acquia does not provide. The Varnish caching provided by Acquia works out of the box, as long as you use caching.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | varnish |
WURFL is not installed
Name: Drupal-8:acquiaWURFLDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Create a symlink to your private files area.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | wurfl |
Workbench Moderation is not installed
Name: Drupal-8:acquiaWorkbenchModerationDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module does not work out of the box with ApacheSolr search integration. Learn more about problems and a solution.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | workbench_moderation |
Block Cache Alter is not installed
Name: Drupal-8:blockcacheAlterDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module causes issues with caching, and has not been updated in several years. It is not recommended for use. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | blockcache_alter |
Facebook Connect is not installed
Name: Drupal-8:fbconnectDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Require session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | fbconnect |
File Cache is not installed
Name: Drupal-8:fileCacheDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The File Cache module moves caching to Gluster, which can cause major load on the Gluster file system and can cause the site (or multiple sites in the case of shared hosting) to go down. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | filecache |
Views Global Filter is not installed
Name: Drupal-8:globalFilterDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Sets session cookies to filter views, which prevents Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | global_filter |
H5P is not installed
Name: Drupal-8:h5pDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The H5P module sets session cookies for anonymous visitors utilizing pages that contain H5P elements. This results in all future requests for those anonymous users to bypass Varnish caching. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | h5p |
Honeypot Time Limit
Name: Drupal-8:honeypotTimeLimit
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ConfigCheck
This module has a time-based session variable that can make pages uncacheable by Drupal or Varnish caches. This setting should be configured to be disabled.
Parameters
Name | Type | Description | Default |
---|---|---|---|
collection | string | The collection the config belongs to. | honeypot.settings |
key | string | The key the config belongs to. | time_limit |
value | mixed | The value to compare against the retrived value. | 0 |
IP Geolocation is not installed
Name: Drupal-8:ipGeolocDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Require session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | ip_geoloc |
Memcache Storage is not installed
Name: Drupal-8:memcacheStorageDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Although not incompatible, it is discouraged to use this module’s due to its developer’s limited updates. Instead, encourage the use of the Memcache API and Integration module. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | memcache_storage |
Page Cache module is not installed
Name: Drupal-8:pageCacheDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Drupal's default page caching module should be disabled when a 3rd party page cache is used instead.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | page_cache |
reCAPTCHA is not installed
Name: Drupal-8:recaptchaDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
The reCAPTCHA module requires session cookies to be set. This functionality prevents Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | recaptcha |
Role Memory Limit is not installed
Name: Drupal-8:roleMemoryLimitDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module overrides memory limits set in settings.php. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | role_memory_limit |
Session API is not installed
Name: Drupal-8:sessionAPIDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Requires session cookies to be set, preventing Varnish from caching pages. Session API sets cookies on the user. Because of this, cron can run intense queries to join the session and session_api tables. This can cause major slowdowns. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | session_api |
Session Cache API is not installed
Name: Drupal-8:sessionCacheDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module is generally incompatible with Varnish caching. It may also cause file system performance issues. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | session_cache |
Smart IP is not installed
Name: Drupal-8:smartIPDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module can be configured to set session cookies for anonymous users, making it incompatible with Varnish. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | smart_ip |
Super Cookie is not installed
Name: Drupal-8:supercookieDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
Stores sessions outside of the session table, and sets no cache headers. This module is also incompatible with Varnish. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | supercookie |
TB Mega Menu is not installed
Name: Drupal-8:tbMegaMenuDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module can cause performance problems for your website and is not covered by Drupal’s security policy. If it must be used, patch the module to reduce calls made to your website’s database. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | tb_megamenu |
Text Size is not installed
Name: Drupal-8:textSizeDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module requires session cookies to be set, preventing Varnish from caching pages. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | textsize |
Views Filter Harmonizer is not installed
Name: Drupal-8:viewsFilterHarmonizerDisabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Plugin\Drupal8\Audit\ModuleDisabled
This module sets a SESSION cookie, preventing Varnish caching. It is recommended to disable and uninstall this module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is not installed. | filter_harmonizer |
Anonymous sessions
Name: Drupal:AnonSession
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\SqlResultAudit
If you are generating sessions for anonymous users, you are causing a major performance impact to your site. Having anonymous sessions will break traditional page caching in Varnish and CDNs.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | An expression language expression to evaluate a successful auditable outcome. | 'count == 0' |
query | string | The SQL query to run. Can use other parameters for variable replacement. | "SELECT session, FROM_UNIXTIME(timestamp) as date FROM sessions\nWHERE uid = 0\n AND session NOT LIKE 'openid%'\n AND session NOT LIKE '%Access denied%'\nORDER BY timestamp DESC\nLIMIT 1000\n" |
Lint PHP files in Theme
Name: Drupal:LintTheme
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\PhpLint
Ensure all PHP files in the theme pass basic PHP syntax parsing.
Parameters
Name | Type | Description | Default |
---|---|---|---|
path | string | The path where to lint PHP files. | '%root/%themes' |
User Enumeration
Name: Drupal:Security:UserEmueration
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Drupal\ModuleEnabled
User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. Two of the most common areas where user enumeration occurs are in a site's login page and its ‘Forgot Password' functionality.
User enumeration is a default vulnerability in Drupal but can be mitigated through the use of the Username Enumeration Prevention module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | username_enumeration_prevention |
Syslog
Name: Drupal:SyslogEnabled
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Syslog module writes Drupal watchdog logs to the syslog.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is enabled. | syslog |
Drupal Theme Security & Performance
Name: Drupal:ThemeSecurity
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\CodeScan
Some basic checks to ensure that the theme is not doing any seriously bad things. Note this is not supposed to be perfect, but used as an aid in code review.
Parameters
Name | Type | Description | Default |
---|---|---|---|
directory | string | Absolute filepath to directory to scan | '%root/%themes' |
filetypes | array | file extensions to include in the scan | - php - inc - theme |
patterns | array | patterns to run over each matching file. | - POST - exec( - db_query - db_select - db_merge - db_update - db_write_record - ->query - drupal_http_request - curl_init - passthru - proc_open - system( - sleep( - mysql - mysqli - sqlite - db_query - db_fetch - db_result - pager_query - db_set_active - db_select - db_insert - db_update - db_delete - fetchAll - fetchField - fetchObject - fetchAssoc - countQuery |
Large Drupal Files
Name: Drupal:largeFiles
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\LargeDrupalFiles
Large static assets should be optimized for online display or ideally be housed in other services, e.g. Amazon S3 (for files) or Youtube (for videos). Storing large files can consume storage volumes, increase page load time and contribute to a higher than desired cache eviction rate. Varnish, on Acquia Cloud, does not cache files larger than 10 MB.
This policy identifies files managed by Drupal that are larger than .
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | Report files larger than this value measured in bytes. | 10000000 |
Module updates
Name: Drupal:moduleUpdates
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\ModuleUpdateStatus
Throughout the lifetime of your site, the Drupal project and its community contributed modules will release new versions that contain bug fixes, new features and security updates. It important to keep your site up to date and patched from known security vulnerabilities.
Note that upgrading modules, especially between major versions can introduce regressions into your site. While its important to maintain a continual update schedule for your site, regression testing changes is of equal importance.
Database updates
Name: Drupal:updates
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\Drupal\UpdateDBStatus
Updates to Drupal core or contrib modules sometimes include important database changes which should be applied after the code updates have been deployed.
HTTP Authorization Disabled
Name: HTTP:Authorization
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderNotExists
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.
Authorization headers can bypass page caching strategies which can detrack from performance.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Authorization |
HTTP Cache-Control
Name: HTTP:Cache-Control
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderRegex
Cache-Control header informs reverse proxies and browsers how to cache your
web page for performance reasons. A cacheable page should also contain the
max-age directive. E.g. max-age=600; public
.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Cache-Control |
regex | string | A regular expressions to validate the header value against. | max-age= |
HTTP Content-Security-Policy
Name: HTTP:Content-Security-Policy
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Content-Security-Policy |
Force HTTPS
Name: HTTP:ForceHTTPS
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpsRedirect
Ensure attempts to http redirect the user to an HTTPS URL. This ensures no content is ever served over an insecure connection which is considered a best practice.
HTTP HSTS
Name: HTTP:HSTS
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Strict-Transport-Security |
HTTP Referrer Policy
Name: HTTP:ReferrerPolicy
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists
Referrer Policy is a header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Referrer-Policy |
HTTPS Valid SSL Certificate
Name: HTTP:ValidSSL
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpStatusCode
Ensure https requests over a valid SSL connection. This validates the SSL certficiate and chain authority to ensure browsers will also be able to trust this connection.
Parameters
Name | Type | Description | Default |
---|---|---|---|
force_ssl | true |
HTTP X-Content-Type-Options
Name: HTTP:X-Content-Type-Options
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderMatch
X-Content-Type-Options
stops a browser from trying to MIME-sniff the content type and forces it to
stick with the declared content-type. The only valid value for this header is
X-Content-Type-Options: nosniff
.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-Content-Type-Options |
header_value | string | The value to check against. | nosniff |
X-Drupal-Cache-Tags Header Disabled
Name: HTTP:X-Drupal-Cache-Tags
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderNotExists
X-Drupal-Cache-Tags is a debugging HTTP header Drupal sends to inform developers what cache tags are being utilised in an HTTP response. The header can be high verbosity on responses that use a lot of entities from both content and configuration.
This header should only be used in local development or in environment specific debugging.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-Drupal-Cache-Tags |
HTTP X-Frame-Options
Name: HTTP:X-Frame-Options
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderExists
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-Frame-Options |
HTTP X-XSS-Protection
Name: HTTP:X-XSS-Protection
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\HttpHeaderMatch
X-XSS-Protection
sets the configuration for the cross-site scripting filters built into most
browsers. The best configuration is X-XSS-Protection: 1; mode=block
.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-XSS-Protection |
header_value | string | The value to check against. | '1; mode=block' |
Chrome distrusted Symantec PKI
Name: SSL:DistrustedSymantecPKI
[View Source]
Package: drutiny/content
Class: \Drutiny\Http\Audit\SslAssertion
At the end of July 2018, the Chrome team and PKI community plan to reduce, and remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web. SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 will no longer be trusted.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | The expression language to evaludate. See https://symfony.com/doc/current/components/expression_language/syntax.html | "not (cert[\"issuer\"][\"O\"] in [\"DigiCert Inc\", \"thawte, Inc.\", \"GeoTrust Inc.\"]\nand cert[\"validFrom_time_t\"] < 1512039600)\n" |
Always error test policy
Name: Test:Error
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysError
This policy should always error. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always fail test policy
Name: Test:Fail
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysFail
This policy should always fail. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Irrelevant test policy
Name: Test:Irrelevant
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysFail
This policy should always be not applicable. Twee godard poutine knausgaard, keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Not applicable test policy
Name: Test:NA
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysNA
This policy should always be not applicable. Twee godard poutine knausgaard, keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always notice test policy
Name: Test:Notice
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysNotice
This policy should always be a notice. Twee godard poutine knausgaard, street keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always pass test policy
Name: Test:Pass
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysPass
This policy should always pass. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always pass dependant test policy
Name: Test:PassDependant
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysPass
This policy should always pass. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always warn test policy
Name: Test:Warning
[View Source]
Package: drutiny/content
Class: \Drutiny\Audit\AlwaysWarn
This policy should always issue a warning. Twee godard poutine knausgaard, keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Cloudflare always use HTTPS
Name: cloudflare:always_use_https
[View Source]
Package: drutiny/content
Class: \Drutiny\Cloudflare\Audit\PageRuleMatch
To ensure all traffic to is secured over an SSL connection, Cloudflare comes with a feature to force any insecure traffic to redirect to a secure connection before a connection to the origin location is attempted. This ensures all traffic to is secured between the browser and Cloudflare.
Parameters
Name | Type | Description | Default |
---|---|---|---|
rule | string | The page rule pattern to look up. | 'http://:host/*' |
settings | array | A keyed list of actions the page rule should action. | always_use_https: true |
Cloudflare Caching
Name: cloudflare:caching
[View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis
Cloudflare CDN caches your website at different PoPs in closer geographic proximity to your visitors than your website is. These graphs show the amount of traffic handled by Cloudflare's CDN caching globally, offloading traffic from your origin web property.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | An expression to evaluate to determine the outcome of the audit | true |
Cloudflare Content
Name: cloudflare:content
[View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis
The graphs below provide insight into the type of content requested for through Cloudflare over the HTTP protocol (both encrypted or unencrypted).
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | An expression to evaluate to determine the outcome of the audit | true |
#2819197 - Cloudflare workaround for Drupal 8 urlGenerator
Name: cloudflare:drupal-urlGenerator-workaround
[View Source]
Package: drutiny/content
Class: \Drutiny\Cloudflare\Audit\PageRuleAnalysis
By accessing a site an an unexpected base path (e.g. with index.php) a site may cache links in a way that could be considered a minor site defacement and possibly lead to a duplicate content SEO penalty too. It can also impact caching strategy.
Parameters
Name | Type | Description | Default |
---|---|---|---|
rule | string | The page rule pattern to look up. | 'https://:host/index.php/*' |
expression | string | An ExpressionLanguage expression to evaluate the outcome of a page rule. | 'array_key_exists(''forwarding_url'', settings) and (settings[''forwarding_url''][''status_code''] == 301)' |
Cloudflare Encryption
Name: cloudflare:encryption
[View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis
Cloudflare offers the ability to offload SSL traffic for your entire zone. These graphs show the amount of traffic encrypted between Cloudflare are visitors.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | An expression to evaluate to determine the outcome of the audit | true |
Cloudflare HTTP Status Codes
Name: cloudflare:http_status
[View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis
The graphs below provide insight into the traffic levels by HTTP status codes.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | An expression to evaluate to determine the outcome of the audit | true |
Cloudflare redirect Apex to primary domain
Name: cloudflare:redirect_apex
[View Source]
Package: drutiny/content
Class: \Drutiny\Cloudflare\Audit\PageRuleMatch
If is the primary site under the domain then you may want all traffic to https:/// to be redirected to https:///. This ensures all traffic to both and are routed through a common domain and makes management of Cloudflare Page Rules easier to administer. This reduces the likelihood of strange behaviour due to Page Rules.
Parameters
Name | Type | Description | Default |
---|---|---|---|
rule | string | The page rule pattern to look up. | 'https://:zone/*' |
settings | array | A keyed list of actions the page rule should action. | forwarding_url: url: 'https://:host/$1' status_code: 301 |
Cloudflare Threat Management
Name: cloudflare:threats
[View Source]
Package: drutiny/content
Class: Drutiny\Cloudflare\Audit\AnalyticsAnalysis
Threats are requests Cloudflare identifies as malicious and blocks according to the configuration of the WAF. For more information on the types of threats see the knowledge base article on threat types.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | An expression to evaluate to determine the outcome of the audit | true |
Drupal Theme Directory Size
Name: fs:DrupalThemeDirectory
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\FsSize
Large theme directories can be indicative of best practice violations: * Source files in site artifact. e.g. node_modules * Media assets unsuitable for web delivery
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | The maximum size in MegaBytes a directory should be. | 50 |
path | string | The path of the directory to check for size. | '%root/%themes' |
Sensitive public files
Name: fs:SensitivePublicFiles
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\SensitivePublicFiles
Certain file extensions should never be in public files for security reasons.
Parameters
Name | Type | Description | Default |
---|---|---|---|
extensions | string | The sensitive file extensions to look for. | 'php,sh,py,sql,bz2,gz,tar,tgz,zip' |
Large public files
Name: fs:largeFiles
[View Source]
Package: drutiny/content
Class: Drutiny\Audit\Filesystem\LargeFiles
Large static assets should ideally be housed in other services, e.g. Amazon S3 (for files) or Youtube (for videos).
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | Report files larger than this value measured in megabytes. | 50 |