Redirect endpoints that should not be public

User Story:

As an anonymous user, I do not want to be able to access insecure Drupal-related endpoints, so that I cannot see sensitive information.

Acceptance Criteria:

(i) Scenario 1: Redirect endpoints
    Given that I have access past the firewall
    When I go to the below mentioned URLs
    Then I will be redirected to /system/403

  • /rss.xml

  • /node

  • /taxonomy/term/%/feed

  • /taxonomy/term/%

  • /rest/session/token

  • /session/token

  • /machine_name/transliterate

  • /filter/tips/plain_text

  • /filter/tips

Implementation Details

For /rss.xml, /node, /taxonomy/term/%/feed, and /taxonomy/term/%:

  (1) Unpublish the Frontpage view: update the views.view.frontpage configuration.

  (2) Unpublish the Taxonomy term view: update the views.view.taxonomy_term configuration.

For /rest/session/token, /session/token, /machine_name/transliterate, /filter/tips/plain_text, and /filter/tips:

  (1) Create a custom module: CUSTOM_MODULE_security.

  (2) Find the route name for each path (or match on the path itself). Either search the code base (the *.routing.yml files) or locally enable the Web Profiler module and read the route name from its developer toolbar.

  (3) Programmatically redirect the above mentioned URLs to the 403 page.

  (4) Register the event subscriber by creating a CUSTOM_MODULE_security.services.yml file (the namespace must match the module machine name so the class autoloads):

      services:
        CUSTOM_MODULE_security.subscriber:
          class: Drupal\CUSTOM_MODULE_security\EventSubscriber\CUSTOMMODULESecuritySubscriber
          tags:
            - { name: event_subscriber }

  (5) Create the redirects in the CUSTOM_MODULE_security module using the event subscriber:

      - Check whether the current user is anonymous:

          if (\Drupal::currentUser()->isAnonymous()) { ... }

      - Loop through each route name and, on a match, set the new response (the target is /system/403, as in the acceptance criteria):

          $response = new RedirectResponse('/system/403', 301);
          $event->setResponse($response);

Behat tests

  (6) Write a Behat test to confirm that all URLs redirect to the 403 page.
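The following is an added worked example of the subscriber that steps 3 to 5 describe; it is my code, not code from the page or from any Drupal project. It assumes Drupal 10 (Symfony 6), the module name CUSTOM_MODULE_security and the class name the page uses, an `arguments` line added to the page's services.yml so the current user can be injected, and the core route names listed in BLOCKED_ROUTES, which you should confirm as step 2 says. It uses a 302 instead of the page's 301 for the reason given in the comment.

```php
<?php

// Added example, not the page's own code. Assumed file location:
//   modules/custom/CUSTOM_MODULE_security/src/EventSubscriber/CUSTOMMODULESecuritySubscriber.php
//
// Assumed service definition (the page's definition plus an arguments line):
//
//   services:
//     CUSTOM_MODULE_security.subscriber:
//       class: Drupal\CUSTOM_MODULE_security\EventSubscriber\CUSTOMMODULESecuritySubscriber
//       arguments: ['@current_user']
//       tags:
//         - { name: event_subscriber }

namespace Drupal\CUSTOM_MODULE_security\EventSubscriber;

use Drupal\Core\Session\AccountProxyInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Sends anonymous visitors from a fixed list of core routes to /system/403.
 */
class CUSTOMMODULESecuritySubscriber implements EventSubscriberInterface {

  /**
   * Core route names, keyed by the path they serve.
   *
   * Taken from core's *.routing.yml files as I know them; confirm them in your
   * code base or with the Web Profiler toolbar before relying on them.
   * Matching on the route means /filter/tips/{filter_format} is blocked for
   * every format, not only plain_text.
   */
  const BLOCKED_ROUTES = [
    '/session/token' => 'system.csrftoken',
    '/rest/session/token' => 'rest.csrftoken',     // exists only when REST is enabled
    '/machine_name/transliterate' => 'system.transliterate_machine_name',
    '/filter/tips' => 'filter.tips_all',
    '/filter/tips/plain_text' => 'filter.tips',
  ];

  /**
   * Where blocked requests are sent.
   */
  const DENIED_PATH = '/system/403';

  /**
   * The current user.
   *
   * @var \Drupal\Core\Session\AccountProxyInterface
   */
  protected $currentUser;

  public function __construct(AccountProxyInterface $current_user) {
    $this->currentUser = $current_user;
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    // Core's RouterListener resolves the route at priority 32; running at a
    // lower priority means the '_route' attribute is already populated here.
    return [KernelEvents::REQUEST => ['onRequest', 30]];
  }

  /**
   * Replaces the response for matching anonymous requests with a redirect.
   */
  public function onRequest(RequestEvent $event) {
    // Only act on the main request, not on sub-requests such as rendered
    // blocks. (On Drupal 9 / Symfony 4.4 this method is isMasterRequest().)
    if (!$event->isMainRequest()) {
      return;
    }
    if (!$this->currentUser->isAnonymous()) {
      return;
    }
    if ($this->isBlocked($event->getRequest()->attributes->get('_route'))) {
      // 302 rather than 301: browsers cache permanent redirects per URL, so a
      // 301 could keep sending a user to /system/403 even after they log in.
      $event->setResponse(new RedirectResponse(self::DENIED_PATH, 302));
    }
  }

  /**
   * Returns TRUE when the resolved route name is on the blocked list.
   *
   * Kept as a public method so it can be unit-tested without a kernel.
   */
  public function isBlocked($route_name) {
    return $route_name !== NULL
      && in_array($route_name, self::BLOCKED_ROUTES, TRUE);
  }

}
```

For step 6, the Behat scenario can visit each listed path in an anonymous session and assert that the final URL is /system/403; the same check run in a logged-in session should see the normal response, which guards against the subscriber accidentally blocking authenticated AJAX that needs /session/token.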

Testing Steps

As an anonymous user, when visiting the below mentioned URLs, I will be redirected to /system/403:

  • /rss.xml

  • /node

  • /taxonomy/term/%/feed (% is a placeholder for the taxonomy term id)

  • /taxonomy/term/%

  • /rest/session/token (only if the REST module is enabled)

  • /session/token

  • /machine_name/transliterate

  • /filter/tips/plain_text

  • /filter/tips
