localgovdrupal / docs

Documentation for all projects around LocalGovDrupal.
https://trusting-noyce-aebebc.netlify.app/
GNU General Public License v2.0

Add security best practices document #175

Closed jmorahan closed 1 year ago

jmorahan commented 1 year ago

Here's the document with our recommended best practices from the pen test, converted to markdown.

netlify[bot] commented 1 year ago

Deploy Preview for inspiring-euclid-d918c8 ready!

Name Link
Latest commit 4c19d1aa9cb0c28ddd73c294b02db37a356b516e
Latest deploy log https://app.netlify.com/sites/inspiring-euclid-d918c8/deploys/643d4fb3784ffe00083283e8
Deploy Preview https://deploy-preview-175--inspiring-euclid-d918c8.netlify.app

stephen-cox commented 1 year ago

Thanks @jmorahan. Looks good in preview: https://deploy-preview-175--inspiring-euclid-d918c8.netlify.app/devs/security-best-practices.html

We will have to decide where it sits in the menus, but perhaps we'll merge and then create a new PR for this. Will discuss at Merge Monday.

willguv commented 1 year ago

Thanks @jmorahan for doing this work and the PR - it's invaluable info

finnlewis commented 1 year ago

Ditto, thanks @jmorahan, the info and recommendations are great!

We were discussing the audience for security recommendations like this in Merge Monday briefly when exploring where this might sit in the documentation menu. Currently we have some top level navigation based on role: developer, designer, content designer etc. Seems to me to sit under developer most logically, but it also is quite different in style to the other pages in that section. We also noted we might have too many top level sections and wondered if @msayoung had thoughts on this already.

Then we noted that we are missing a whole section on best-practices for hosting, deployment, devops etc. and that this would be a logical extension to that: hardening up your live site. So maybe we want a new section under developers for deployment, performance and security best practice?

The other thing that occurs to me is that maybe there are other modules that could be recommended alongside this, like https://www.drupal.org/project/seckit, https://www.drupal.org/project/csp.

(@andybroomfield which security modules did you end up using on your site?)

Let's discuss at the Tech Group governance meeting this week. 4pm Wednesday (happy to invite any interested parties, ping me on Slack).

msayoung commented 1 year ago

This is great, thanks @jmorahan

I suggest we add it under Developers / Best practices. We can add other best practices as we find them.