Clickjacking is not considered a weakness in core

A vulnerability known as Clickjacking requires a malicious user to target authenticated users of a site to trick them into taking actions they do not intend by placing the target site into an iframe. Drupal core does not have any protection against Clickjacking attacks. Drupal sites often need to be placed into iframes so it doesn't make sense for core to take a particular stance on this issue.

Security Issue Release process


When picking a Wednesday for a release date, be sure to consider major holidays or times when people are unlikely to be working. Example holidays which can conflict with a Wednesday:

  • Drupalcons
  • Thanksgiving in the USA (fourth Thursday in November).
  • December (Christmas/Hanukkah)
  • The end/beginning of the Gregorian year in general (i.e. around new years)

Place, date and time

For Drupal security team members only, we coordinate in irc:

Security Team Structure and responsibilities

To accomplish their goals, the Security Team has been organized into the following roles:

Security Team Lead

The security team lead is the point person for the team, is responsible for ensuring the security team has the tools and resources necessary to function smoothly, and for pushing debates toward a decision and sometimes making decisions when consensus doesn't arise.


The Antivirus module provides a generic framework for processing files and detecting viruses or other file characteristics.

Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Drupal core provides a feature to show error messages to site visitors. By default this feature is enabled which is very helpful while building a site because the visitor can quickly see the error messages.

Once a site has entered "production" mode this feature should be disabled to avoid information disclosure such as the full filesystem path on the server or the structure of tables in a SQL error message.

Ensure that your site is secure

The Drupal security guide has a section on securing your site with a useful list of items to work through.

The Security Review module provides an automated review of possible security problems:


Subscribe with RSS Subscribe to RSS - security