Skip to content

Drupal security warnings#

You might get one or more of the following Drupal security warnings:

The directory sites/default is not protected from modifications and poses a security risk

The file sites/default/settings.php is not protected from modifications and poses a security risk. You must change the file’s permissions to be non-writable

The file sites/default/services.yml is not protected from modifications and poses a security risk. You must change the file’s permissions to be non-writable
These Drupal security warnings are "False Positive", as the standard Drupal nginx config has protection against accessing:

  • YAML files (see here)
  • PHP files (see here)

If you want to remove the alert, you can add at the end of the Dockerfile for cli service, the following statement:

1
2
3
4
5
RUN chmod 644 /app/web/sites/default/settings.php \
&& chmod 644 /app/web/sites/default/*.settings.php \
&& chmod 644 /app/web/sites/default/services.yml \
&& chmod 644 /app/web/sites/default/*.services.yml \
&& chmod 555 /app/web/sites/default/

If you have further questions regarding this topic contact support.