Check status and protect
Check status
After installation, check the status of your site at Administration > Reports > Status report (/admin/reports/status). If this page reports any problems, then resolve them.
Protect against header spoofing
Add trusted hosts
The default installation settings.php doesn't specify which hosts to trust. So to protect against header spoofing, follow the instructions below. For an explanation of why this setting matters, see Trusted Host settings. The default may change in the future because there is an issue to change this: Allow trusted hosts to be configured with the installer.
Unlock settings.php
Make sure settings.php is writable. The installation script tries to make settings.php read-only. On UNIX-like systems with shell access, you can change this with:
chmod u+w sites/default/settings.phpIf you only have (S)FTP access to the server, then you should be able to use it to change permissions, or edit the file locally and then upload it.
Edit settings.php
Search for the "Trusted host configuration" section in settings.php and read the comments there. Add lines (there or elsewhere in the file) listing the allowed patterns for the host name. For example, if your site is at www.example.com, you could add:
$settings['trusted_host_patterns'] = [
'^www\.example\.com$',
];The entries in this array are regular expressions, so the . must be escaped, and the ^ and $ characters mark the start and end of the string being matched.
If you want to allow any subdomain of example.com, you can use the regular expression \.example\.com$ or (^|\.)example\.com$: the second matches example.com as well as subdomains. If you want to allow both example.com and www\.example\.com, you can either use the regular expression ^(www\.)?example\.com$ or list two patterns:
$settings['trusted_host_patterns'] = [
'^www\.example\.com',
'^example\.com$',
];Lock settings.php
If you made settings.php writable in an earlier step, then set it back to read-only:
chmod a-w sites/default/settings.phpCheck or create files directory
In most cases, the installation script creates the files directory for you. If Drupal can't create the directory (which most probably is due to lack of required permissions), then follow the instructions below.
In the directory sites/default create a new subdirectory called files/. Grant read, write and execute permissions on the new directory to the web server (usually apache or nginx). Most FTP programs will allow you to create the new directory and set its permissions.
Troubleshoot Apache-based web servers
If the directory files is not "owned" by the webserver there are two ways to proceed. These instructions assume you have shell access to the server and that you are using apache as the webserver. If you do not have shell access, then you should be able to change the directory permissions using an FTP program.
On a Unix-like server you can verify "who" the webserver is running as by issuing the following commands.
For Apache 2.x:
$ ps aux | grep apacheFor Apache 1.x:
$ ps aux | grep httpd Depending on your web server, one of these commands will return a series of lines like this:
www-data 13612 0.1 0.9 50640 20340 ? S 12:29 0:08 /usr/sbin/apache2 -k start The first column is the "user" that your web server is operating as. In this case the user is www-data. To make your files directory writeable by the webserver you can change its ownership using the command:
$ chown -R www-data sites/default/filesIf you do not have sufficient permissions on your server to change the ownership of the folder, the next best option is to provide group-write access to the folder with the following command:
$ chmod -R 0770 sites/default/files Help improve this page
You can:
- Log in, click Edit, and edit this page
- Log in, click Discuss, update the Page status value, and suggest an improvement
- Log in and create a Documentation issue with your suggestion