Blogs

Drupal Security - User Input - Part II

In this post we'll be talking about Cross-Site Scripting, or XSS, and what steps to take to prevent this type of security breach on your Drupal site. Without going into the gory details, XSS allows a malicious user to insert a script into one of your web pages that can be used to steal other users' identities, craft phishing attacks, and bypass access controls. For more detailed examples of XSS attacks see: http://ha.ckers.org/xss.html.

Drupal Security - User Input - Part I

This will be a multipart series on Drupal security.

The first rule of security on a Drupal site, or any site for that matter, is: "never trust user input." User input can be used to gain access to your database (SQL injection), steal other users' session cookies and impersonate them (Cross-Site Scripting or XSS), inject unwanted spam into your pages, or to execute code (gasp shudder) on your server.

Incorporating Drupal's Throttle Module into Your Code

To make your code safer to run on servers with high load conditions, you should prioritize its functionality into two categories: mission critical and non-critical. The Throttle module allows you to test the current server load conditions using the following code snippet:

// Ask the Throttle module whether the site is currently under throttle.
// module_invoke() returns NULL when the Throttle module is disabled, so
// the non-critical code below also runs when throttling is not available.
$is_throttled = module_invoke('throttle', 'status');
if (!$is_throttled) {
  // the site is not being throttled
  // execute non-critical functionality
}

This way you can lessen the server's burden when traffic spikes, conserving valuable resources for your customers.
