Security Hardening Your Site

Every template includes:

• SecKit — Content Security Policy headers, XSS protection, clickjacking prevention
• Honeypot — Anti-spam protection on all forms
• Config Split — Environment-specific configuration (dev vs. production)
• HSTS headers — Enforces HTTPS connections

Templates include a curated Content Editor role with minimal permissions. Editors can create and edit content but cannot access site configuration, install modules, or manage users. Only administrators have full access.

Run composer outdated drupal/* regularly to check for updates. Apply security patches immediately:

composer update drupal/core-recommended --with-dependencies

For production sites, also consider:

• Two-factor authentication for admin accounts
• Regular automated backups
• Web Application Firewall (Cloudflare, AWS WAF)
• Regular vulnerability scanning