diff --git a/README.md b/README.md
index c6045f3..805e999 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,8 @@ Online nginx configuration generator.
 * redirect subdomains
 * IPv4, IPv6
 * PHP (TCP, 5.x FPM, 7.0 FPM, 7.1 FPM, 7.2 FPM, 7.3 FPM)
-* WordPress security essentials (*including [CVE-2018-6389](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389)*)
+* WordPress security essentials
+* Drupal security essentials
 * pass requests to index.php
 	* *[Laravel](https://laravel.com/docs/master/deployment#nginx)*
 	* *[Lumen](https://lumen.laravel.com/docs/5.1/installation#configuration)*
diff --git a/public/assets/img/brands/drupal.svg b/public/assets/img/brands/drupal.svg
new file mode 100644
index 0000000..7a40bea
--- /dev/null
+++ b/public/assets/img/brands/drupal.svg
@@ -0,0 +1 @@
+<svg aria-labelledby="simpleicons-drupal-icon" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><title id="simpleicons-drupal-icon">Drupal icon</title><path d="M20.45 3.552C18.258 1.257 15.233.006 12 .006 5.431.006.007 5.428.007 12S5.43 23.994 12 23.994 23.995 18.572 23.995 12c0-3.233-1.251-6.258-3.546-8.448zM12 19.822c-3.65 0-6.57-2.92-6.57-6.57 0-3.025 2.085-5.111 3.858-6.884 1.252-1.252 2.4-2.4 2.712-3.755.313 1.252 1.46 2.399 2.712 3.65 1.773 1.774 3.859 3.86 3.859 6.884 0 3.65-2.92 6.571-6.571 6.675z"/></svg>
\ No newline at end of file
diff --git a/public/assets/js/app.js b/public/assets/js/app.js
index 094fe74..e4c1585 100644
--- a/public/assets/js/app.js
+++ b/public/assets/js/app.js
@@ -61,6 +61,7 @@
 
 			php:				'7.2',
 			wordpress:			false,
+			drupal:				false,
 
 			file_structure:		'unified',
 
@@ -278,6 +279,7 @@
 		$scope.setPreset = function(preset) {
 			$scope.data.php				= $scope.defaultData.php;
 			$scope.data.wordpress		= $scope.defaultData.wordpress;
+			$scope.data.drupal			= $scope.defaultData.drupal;
 			$scope.data.index			= $scope.defaultData.index;
 			$scope.data.fallback_html	= $scope.defaultData.fallback_html;
 
@@ -294,6 +296,9 @@
 				case 'wordpress':
 					$scope.data.wordpress = true;
 					break;
+				case 'drupal':
+					$scope.data.drupal = true;
+					break;
 			}
 
 			gtag('event', preset, {
@@ -394,6 +399,10 @@
 			return $scope.isPHP() && $scope.data.wordpress;
 		};
 
+		$scope.isDrupal= function() {
+			return $scope.isPHP() && $scope.data.drupal;
+		};
+
 		$scope.isCSP = function() {
 			return !!$scope.data.content_security_policy;
 		};
diff --git a/public/index.html b/public/index.html
index 27783c3..49dffd9 100644
--- a/public/index.html
+++ b/public/index.html
@@ -8,9 +8,9 @@
 		<link rel="icon" type="image/png" href="assets/img/favicon.png">
 		<title>nginxconfig.io</title>
 		<meta name="description" content="Online nginx configuration generator">
-		<meta name="keywords" content="nginx, config, configurator, /etc/nginx/nginx.conf, nginx performance, nginx tuning, nginx php, nginx, php fpm, wordpress, Let's Encrypt, custom certificate, cdn, access_log, error_log, Laravel, Lumen, Symfony, Zend, CodeIgniter, Yii, CakePHP, Slim, Angular, React, Vue.js, Ember.js">
+		<meta name="keywords" content="nginx, config, configurator, /etc/nginx/nginx.conf, nginx performance, nginx tuning, nginx php, nginx, php fpm, wordpress, drupal, Let's Encrypt, custom certificate, cdn, access_log, error_log, Laravel, Lumen, Symfony, Zend, CodeIgniter, Yii, CakePHP, Slim, Angular, React, Vue.js, Ember.js">
 		<meta property="og:title" content="nginxconfig.io">
-		<meta property="og:description" content="Online nginx configuration generator: HTTPS, HTTP2, CDN, PHP (Laravel, Symfony, CodeIgniter…), Frontend (Angular, React, Vue.js…), WordPress, security headers, rate limiting, expiration by file types…">
+		<meta property="og:description" content="Online nginx configuration generator: HTTPS, HTTP2, CDN, PHP (Laravel, Symfony, CodeIgniter…), Frontend (Angular, React, Vue.js…), WordPress, Drupal, security headers, rate limiting, expiration by file types…">
 		<meta property="og:type" content="website">
 		<meta property="og:url" content="https://nginxconfig.io">
 		<meta property="og:image" content="https://nginxconfig.io/assets/img/share.png">
@@ -25,7 +25,8 @@
 			<button type="button" class="btn btn-sm btn-outline-dark" ng-click="setPreset('frontend')" tooltips tooltip-template="• disabled PHP<br>• index.html fallback routing" tooltip-side="bottom">Frontend <img src="assets/img/brands/angular.svg" alt="Angular"> <img src="assets/img/brands/react.svg" alt="React"> <img src="assets/img/brands/vuejs.svg" alt="Vue.js"></button>
 			<button type="button" class="btn btn-sm btn-outline-dark" ng-click="setPreset('backend')" tooltips tooltip-template="• enabled PHP<br>• index.php fallback routing" tooltip-side="bottom">Backend <img src="assets/img/brands/php.svg" alt="PHP"> <img src="assets/img/brands/laravel.svg" alt="Laravel"> <img src="assets/img/brands/symfony.svg" alt="Symfony"> <img src="assets/img/brands/codeigniter.svg" alt="CodeIgniter"></button>
 			<button type="button" class="btn btn-sm btn-outline-dark" ng-click="setPreset('spa')" tooltips tooltip-template="• enabled PHP<br>• index.html fallback routing<br>• index.php API routing" tooltip-side="bottom">Single-page application</button>
-			<button type="button" class="btn btn-sm btn-outline-dark" ng-click="setPreset('wordpress')" tooltips tooltip-template="• enabled PHP<br>• index.php fallback routing<br>• WordPress security rules" tooltip-side="bottom">WordPress <img src="assets/img/brands/wordpress.svg" alt="WordPress"></button>
+			<button type="button" class="btn btn-sm btn-outline-dark" ng-click="setPreset('wordpress')" tooltips tooltip-template="• enabled PHP<br>• index.php fallback routing<br>• WordPress security rules" tooltip-side="bottom"><img src="assets/img/brands/wordpress.svg" alt="WordPress"> WordPress</button>
+			<button type="button" class="btn btn-sm btn-outline-dark" ng-click="setPreset('drupal')" tooltips tooltip-template="• enabled PHP<br>• index.php fallback routing<br>• Drupal security rules" tooltip-side="bottom"><img src="assets/img/brands/drupal.svg" alt="Drupal"> Drupal</button>
 		</section>
 		<div class="container-fluid">
 			<div class="row">
@@ -252,7 +253,15 @@
 									<div class="form-check" ng-class="{ 'input-changed': data.wordpress !== defaultData.wordpress }">
 										<input class="form-check-input" type="checkbox" id="wordpress" ng-model="data.wordpress">
 										<label class="form-check-label" for="wordpress">
-											<span tooltips tooltip-template="WordPress security rules and login limiting <i>(if enabled)</i>.">WordPress</span>
+											<span tooltips tooltip-template="WordPress security rules and login limiting <i>(if enabled)</i>.">WordPress rules</span>
+										</label>
+									</div>
+								</div>
+								<div class="form-subgroup" ng-if="isPHP()" ng-cloak>
+									<div class="form-check" ng-class="{ 'input-changed': data.drupal !== defaultData.drupal }">
+										<input class="form-check-input" type="checkbox" id="drupal" ng-model="data.drupal">
+										<label class="form-check-label" for="drupal">
+											<span tooltips tooltip-template="Drupal security rules and login limiting <i>(if enabled)</i>.">Drupal rules</span>
 										</label>
 									</div>
 								</div>
@@ -267,7 +276,7 @@
 										<label class="form-check-label" for="index.html">index.html</label>
 									</div>
 								</div>
-								<div class="form-subgroup" ng-if="isPHP()">
+								<div class="form-subgroup" ng-if="isPHP()" ng-cloak>
 									<div class="form-check" ng-class="{ 'input-changed': data.index !== defaultData.index && data.index === 'index.php' }">
 										<input class="form-check-input" type="radio" id="index.php" ng-model="data.index" value="index.php">
 										<label class="form-check-label" for="index.php">index.php</label>
@@ -280,13 +289,16 @@
 										<input class="form-check-input" type="checkbox" id="fallback_html" ng-model="data.fallback_html">
 										<label class="form-check-label" for="fallback_html">index.html</label>
 									</div>
-									<div class="form-check" ng-if="isPHP()" ng-class="{ 'input-changed': data.fallback_php !== defaultData.fallback_php }">
+									<div class="form-check" ng-if="isPHP()" ng-class="{ 'input-changed': data.fallback_php !== defaultData.fallback_php }" ng-cloak>
 										<input class="form-check-input" type="checkbox" id="fallback_php" ng-model="data.fallback_php">
 										<label class="form-check-label" for="fallback_php">index.php</label>
 									</div>
-									<div class="form-subgroup" ng-if="isFallbackHTML() && isFallbackPHP()">
+									<div class="form-subgroup" ng-if="isFallbackHTML() && isFallbackPHP()" ng-cloak>
 										<div class="form-group pl-1">
-											<input type="text" class="form-control form-control-sm" ng-model="data.fallback_php_path"  ng-class="{ 'input-changed': data.fallback_php_path !== defaultData.fallback_php_path }">
+											<input type="text"
+												class="form-control form-control-sm"
+												ng-model="data.fallback_php_path"
+												ng-class="{ 'input-changed': data.fallback_php_path !== defaultData.fallback_php_path }">
 										</div>
 									</div>
 								</div>
@@ -492,6 +504,16 @@
 									<pre><code class="nginx" ng-include="'templates/conf/_wordpress.conf.html?v=COMMIT_HASH'" onload="refreshHighlighting()"></code></pre>
 								</div><div id="file-wordpress" class="code highlighted"></div>
 							</section>
+							<section class="col-xl-6 grid-item file" ng-if="isDrupal() && isModularized()" ng-cloak>
+								<strong>/etc/nginx/_drupal.conf</strong>
+								<button class="btn btn-light btn-clipboard" ngclipboard data-clipboard-target="#file-drupal" ngclipboard-success="clipboardSuccess('_drupal.conf')">
+									<img src="assets/img/clipboard-dark.svg" alt="Copy to clipboard">
+								</button>
+								<span class="clipboard-success" ng-if="clipboardCopy === '_drupal.conf'">Copied!</span>
+								<div class="code source" data-filename="_drupal.conf">
+									<pre><code class="nginx" ng-include="'templates/conf/_drupal.conf.html?v=COMMIT_HASH'" onload="refreshHighlighting()"></code></pre>
+								</div><div id="file-drupal" class="code highlighted"></div>
+							</section>
 						</div>
 					</main>
 				</div>
diff --git a/public/templates/conf/_drupal.conf.html b/public/templates/conf/_drupal.conf.html
new file mode 100644
index 0000000..938bbfc
--- /dev/null
+++ b/public/templates/conf/_drupal.conf.html
@@ -0,0 +1,20 @@
+# Drupal: deny private files
+location ~ ^/sites/.*/private/ {
+	deny all;
+}
+
+# Drupal: deny php in files
+location ~ ^/sites/[^/]+/files/.*\.php$ {
+	deny all;
+}
+
+# Drupal: deny php in vendor
+location ~ /vendor/.*\.php$ {
+	deny all;
+}<span ng-if="isLimitReq()">
+
+# Drupal: throttle user functions
+location ~ ^/user/(?:login|register|password) {
+	limit_req zone=login burst=2 nodelay;
+	try_files $uri /index.php?$query_string;
+}</span>
diff --git a/public/templates/conf/_wordpress.conf.html b/public/templates/conf/_wordpress.conf.html
index dc00feb..60fc54b 100644
--- a/public/templates/conf/_wordpress.conf.html
+++ b/public/templates/conf/_wordpress.conf.html
@@ -1,34 +1,34 @@
-# allow tinymce
+# WordPress: allow TinyMCE
 location = /wp-includes/js/tinymce/wp-tinymce.php {
 	include _php_fastcgi.conf;
 }
 
-# wp-content, wp-includes php files
+# WordPress: deny wp-content, wp-includes php files
 location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
 	deny all;
 }
 
-# wp-content/uploads nasty stuff
+# WordPress: deny wp-content/uploads nasty stuff
 location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
 	deny all;
 }
 
-# wp-content/plugins nasty stuff
+# WordPress: deny wp-content/plugins nasty stuff
 location ~* ^/wp-content/plugins/.*\.(?!{{ extensions.assets }}|{{ extensions.fonts }}|{{ extensions.svg }}|{{ extensions.images }}|{{ extensions.audio }}|{{ extensions.video }}|{{ extensions.docs }}) {
 	deny all;
 }
 
-# disable scripts and styles concat
+# WordPress: deny scripts and styles concat
 location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
 	deny all;
 }
 
-# WordPress stuff
+# WordPress: deny general stuff
 location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
 	deny all;
 }<span ng-if="isLimitReq()">
 
-# wp-login.php throttle
+# WordPress: throttle wp-login.php
 location = /wp-login.php {
 	limit_req zone=login burst=2 nodelay;
 	include _php_fastcgi.conf;
diff --git a/public/templates/conf/example.com.conf.html b/public/templates/conf/example.com.conf.html
index 5e33c1f..a20a501 100644
--- a/public/templates/conf/example.com.conf.html
+++ b/public/templates/conf/example.com.conf.html
@@ -80,7 +80,11 @@ server {<!--
 
 	✔ unified && ✔ WordPress --><span ng-if="isUnified() && isWordPress()">
 
-<!-- --><ng-include ng-include-tabs="2" src="'templates/conf/_wordpress.conf.html?v=COMMIT_HASH'" onload="refreshHighlighting()"></ng-include></span>
+<!-- --><ng-include ng-include-tabs="2" src="'templates/conf/_wordpress.conf.html?v=COMMIT_HASH'" onload="refreshHighlighting()"></ng-include></span><!--
+
+	✔ unified && ✔ Drupal --><span ng-if="isUnified() && isDrupal()">
+
+<!-- --><ng-include ng-include-tabs="2" src="'templates/conf/_drupal.conf.html?v=COMMIT_HASH'" onload="refreshHighlighting()"></ng-include></span>
 }<!--