README

What This Recipe Does

This recipe installs a practical baseline of Drupal hardening modules and imports security-focused configuration defaults.

Package

• Composer package: drupal/security_setup_recipe
• Recipe manifest: recipe.yml

Included Behavior

• HTTP security headers via SecKit
• Brute-force mitigation via Login Security
• Idle session handling via Autologout
• Password policy baseline
• Flood control and ban support
• Paranoia module for admin UI hardening

Requirements

• Drupal 10.3 or 11
• Security modules listed in composer.json

Install

composer require drupal/security_setup_recipe

Apply

drush recipe security_setup

Post-Apply Steps

1. Rebuild caches.

drush cr

1. Validate CSP reports and move from report-only to enforcement when ready.
2. Enable HSTS only in HTTPS environments.
3. Apply environment-specific overrides for autologout/session rules if needed.

Known Limitations

• Security posture still requires environment-specific hardening and policy tuning.
• HSTS and strict CSP enforcement should be enabled only after validation in your deployment context.

Maintenance

• HSTS is intentionally not forced in base config.
• The recipe is safe to re-apply because strict is set to false.