Check status and protect

Last updated on 15 April 2025

Check status

After installation, check the status of your site at Administration > Reports > Status report (/admin/reports/status). If this page reports any problems, then resolve them.

Protect against header spoofing

Add trusted hosts

The default settings.php created at installation doesn't specify which hosts to trust, so follow the instructions below to protect against header spoofing. For an explanation of why this setting matters, see Trusted Host settings. The default may change in the future, because there is an issue to change it: Allow trusted hosts to be configured with the installer.

Unlock settings.php

Make sure settings.php is writable. The installation script tries to make settings.php read-only. On UNIX-like systems with shell access, you can change this with:

chmod u+w sites/default/settings.php

If you only have (S)FTP access to the server, then you should be able to use it to change permissions, or edit the file locally and then upload it.

Edit settings.php

Search for the "Trusted host configuration" section in settings.php and read the comments there. Add lines (there or elsewhere in the file) listing the allowed patterns for the host name. For example, if your site is at www.example.com, you could add:

$settings['trusted_host_patterns'] = [
 '^www\.example\.com$',
];

The entries in this array are regular expressions, so the . must be escaped, and the ^ and $ characters mark the start and end of the string being matched.

If you want to allow any subdomain of example.com, you can use the regular expression \.example\.com$ or (^|\.)example\.com$: the second matches example.com as well as subdomains. If you want to allow both example.com and www.example.com, you can either use the regular expression ^(www\.)?example\.com$ or list two patterns:

$settings['trusted_host_patterns'] = [
 '^www\.example\.com$',
 '^example\.com$',
];
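
To see how the anchors and escaping described above change which host names are accepted, the following added example (not part of the original page and not Drupal's own code) runs constructed Host values through several pattern sets. The helper host_is_trusted() is hypothetical, and case-insensitive matching with preg_match() is an assumption about how the patterns are applied.

```php
<?php
// Added example, not Drupal code: dry-run Host values against candidate
// trusted_host_patterns entries before editing settings.php.

// host_is_trusted() is a hypothetical helper. Assumption: each pattern is
// applied with preg_match(), case-insensitively.
function host_is_trusted(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    $result = @preg_match('{' . $pattern . '}i', $host);
    if ($result === false) {
      throw new InvalidArgumentException("Invalid pattern: $pattern");
    }
    if ($result === 1) {
      return true;
    }
  }
  return false;
}

// Constructed pattern sets: two correct ones, one without the $ anchor,
// and one without escaped dots.
$pattern_sets = [
  'anchored, escaped' => ['^www\.example\.com$', '^example\.com$'],
  'missing $'         => ['^www\.example\.com'],
  'unescaped dots'    => ['^www.example.com$'],
  'apex + subdomains' => ['(^|\.)example\.com$'],
];

// Constructed Host header values.
$hosts = [
  'www.example.com',
  'example.com',
  'shop.example.com',
  'www.example.com.other.test',  // only starts with the site name
  'wwwxexample.com',             // differs where a dot was expected
  'notexample.com',              // only ends with the site name
];

printf("%-28s", 'host');
foreach (array_keys($pattern_sets) as $label) {
  printf("%-20s", $label);
}
echo PHP_EOL;
foreach ($hosts as $host) {
  printf("%-28s", $host);
  foreach ($pattern_sets as $patterns) {
    printf("%-20s", host_is_trusted($host, $patterns) ? 'trusted' : 'rejected');
  }
  echo PHP_EOL;
}
```

Run it with the php command-line interpreter and confirm that only the host names you actually serve are reported as trusted before copying the patterns into settings.php.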

Lock settings.php

If you made settings.php writable in an earlier step, then set it back to read-only:

chmod a-w sites/default/settings.php

Check or create files directory

In most cases, the installation script creates the files directory for you. If Drupal can't create the directory (which most probably is due to lack of required permissions), then follow the instructions below.

In the directory sites/default create a new subdirectory called files/. Grant read, write and execute permissions on the new directory to the web server (usually apache or nginx). Most FTP programs will allow you to create the new directory and set its permissions.

Troubleshoot Apache-based web servers

If the directory files is not "owned" by the webserver there are two ways to proceed. These instructions assume you have shell access to the server and that you are using apache as the webserver. If you do not have shell access, then you should be able to change the directory permissions using an FTP program.

On a Unix-like server you can verify "who" the webserver is running as by issuing the following commands.

For Apache 2.x:

$ ps aux | grep apache

For Apache 1.x:

$ ps aux | grep httpd 

Depending on your web server, one of these commands will return a series of lines like this:

www-data 13612 0.1 0.9 50640 20340 ? S 12:29 0:08 /usr/sbin/apache2 -k start 

The first column is the "user" that your web server is operating as. In this case the user is www-data. To make your files directory writeable by the webserver you can change its ownership using the command:

$ chown -R www-data sites/default/files

If you do not have sufficient permissions on your server to change the ownership of the folder, the next best option is to provide group-write access to the folder with the following command:

$ chmod -R 0770 sites/default/files 
