Community Documentation

Secure communications

Last updated October 30, 2010. Created by ilo on October 7, 2009.
Edited by mfb, rfay.

Drupal depends on the web server to secure communications channels. The following modules can help with, or force, the use of the secure channel even if the Drupal site itself is not able to serve secure HTTP requests (that is, if the server is not SSL secured). For this to work, the web server should be listening and able to respond over the secure channel on the standard HTTPS port. Other modules provide client-side encryption facilities for web browsing, or encryption support for the Drupal email system. Some of the modules listed here provide the same functionality.

  • Client Side Encryption: The Client Side Encryption (CSE) module provides a means of encrypting and decrypting sensitive information (such as computer IPs, non-public email addresses, etc.) completely within the web browser. This means neither the network nor any server-side PHP code gets to see any plain-text content that it shouldn't.
  • OpenPGP: This module provides encryption for Drupal's outgoing e-mails using GNU Privacy Guard, an open-source implementation of the OpenPGP standard.
  • Secure By Role: Secure by Role is a simple Drupal module for shopping sites and others where security is important. When a page is requested, SecRole checks whether the user is a member of a list of roles that should only be served pages over a secure connection (HTTPS). If this is the case, and the connection is not already secure, the user is redirected to the requested page over a secure connection.
  • Secure Pages: This module redirects the required pages to an SSL version of the page, so you can be sure the user is on a secure page when they are creating/editing content, viewing user details, or administering the site. Make sure that your web server has SSL enabled and your Drupal installation has been configured to support SSL access. This module has a helper module called Secure pages prevent hijack that will prevent hijacked sessions from accessing SSL pages, yet still allow users to stay logged in when browsing non-SSL pages. An additional module called Secure pages auto-disable by url provides a way to automatically disable the securepages module for domains/subdomains/dev-environments where this feature should not be active.
  • Secure Login: Secure Login is a more lightweight module that ensures forms such as the user login form are submitted to the SSL site. Once a user has logged in securely, a secure-only authenticated session will be enforced automatically by Drupal 7. In Drupal 6, a secure-only authenticated session can be enforced by enabling the session.cookie_secure PHP configuration on the HTTPS site (in Apache configuration or settings.php).

About this page

Audience
Site administrators

Administration & Security Guide

Drupal’s online documentation is © 2000-2013 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution-ShareAlike 2.0. PHP code is distributed under the GNU General Public License. Comments on documentation pages are used to improve content and then deleted.