#595: Add az_security with strict-transport-security and referrer-pol…

…icy disabled. (#1105)

az_quickstart.info.yml

@@ -24,6 +24,7 @@ install:
   - az_news
   - az_person
   - az_event
+  - az_security
   - az_seo
   - az_google_tag
   - drupal:node

az_quickstart.profile

@@ -73,3 +73,11 @@ function az_quickstart_update_9206() {
       ->save(TRUE);
   }
 }
+
+/**
+ * Enable the az_security module.
+ */
+function az_quickstart_update_9207() {
+  $module_list = ['az_security'];
+  \Drupal::service('module_installer')->install($module_list);
+}

composer.json

@@ -62,6 +62,7 @@
         "drupal/field_group": "3.2.0",
         "drupal/field_group_link": "3.0-rc2",
         "drupal/google_tag": "1.4",
+        "drupal/honeypot": "2.0.1",
         "drupal/image_widget_crop": "2.3",
         "drupal/jquery_ui": "1.4",
         "drupal/jquery_ui_datepicker": "1.1",

config/install/user.role.authenticated.yml

@@ -14,6 +14,7 @@ permissions:
   - 'access_unpublished node az_flexible_page'
   - 'access_unpublished node az_news'
   - 'access_unpublished node az_person'
+  - 'bypass honeypot protection'
   - 'post comments'
   - 'search content'
   - 'skip comment approval'

modules/custom/az_security/az_security.info.yml

@@ -0,0 +1,8 @@
+name: Quickstart Security
+type: module
+description: Provides hardened config for Quickstart sites.
+core_version_requirement: ^8.8 || ^9
+package: The University of Arizona
+dependencies:
+  - az_core
+  - honeypot:honeypot

modules/custom/az_security/config/quickstart/honeypot.settings.yml

@@ -0,0 +1,16 @@
+unprotected_forms:
+  - user_login_form
+  - search_form
+  - search_block_form
+  - views_exposed_form
+  - honeypot_settings_form
+protect_all_forms: true
+log: false
+element_name: url
+time_limit: 5
+expire: 600
+form_settings:
+  user_register_form: false
+  user_pass: false
+  feedback_contact_message_form: false
+  _contact_message_form: false