I would like us to have a dedicated "Security" admin page and a respective Admin menu item in order to:

  • show that we take security seriously
  • allow site admins to perform security-related tasks in one single place
  • provide a "home" for security-related contrib modules

Ideas for this page include:

  • settings for blocking users (failed login attempts, bots etc.) - #1878
  • provide a default security.txt file ((https://www.drupal.org/project/securitytxt)), and an easy way to edit that info via the UI. The default, out of the box text should point to contact details for reporting security issues in b.org, but site owners should be able to change that if required by their organization (same as we allow them to edit the maintenance mode message)
  • settings for protecting forms from spam (expose honeypot settings etc.) - #1169
  • settings for the trusted_host_patterns variable - #2568
  • settings for the x_frame_options variable - #4080
  • checkbox to ignore outdated php warning - #3490
  • link to our https://backdropcms.org/security page
  • database (SSL) connection status - #4945
  • enable/disable FLoC - #5103
  • a setting to enable better security/privacy on login/password reset forms - #4696
  • a setting to use 404s instead of 403s when trying to access user pages without the proper permission #5802

Other ideas: - A "Security overview" block for the dashboard (#495) - https://www.drupal.org/project/security_review - https://backdropcms.org/project/remove_generator (only 3 lines of code really) - any settings that may be required for #3270 - warning when anonymous users can create accounts (#574) - expose the image_style_flood_limit setting introduced in https://github.com/backdrop/backdrop-issues/issues/34 / https://github.com/backdrop/backdrop/pull/635 - ???

GitHub Issue #: