diff --git a/src/EventSubscriber/SecKitEventSubscriber.php b/src/EventSubscriber/SecKitEventSubscriber.php
index 418ff37..08f5989 100644
--- a/src/EventSubscriber/SecKitEventSubscriber.php
+++ b/src/EventSubscriber/SecKitEventSubscriber.php
@@ -9,6 +9,7 @@ namespace Drupal\seckit\EventSubscriber;
 
 use Symfony\Component\HttpKernel\KernelEvents;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Drupal\Component\Utility\Xss;
@@ -16,8 +17,21 @@ use Drupal\Component\Utility\Xss;
 class SecKitEventSubscriber implements EventSubscriberInterface {
 
   protected $config;
+
+  /**
+   * Request object.
+   *
+   * @var Request
+   */
   protected $request;
 
+  /**
+   * Response object.
+   *
+   * @var Response
+   */
+  protected $response;
+
   public function __construct() {
     $this->config = \Drupal::config('seckit.settings');
   }
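Review bot: The new `@var Request` and `@var Response` tags use short class names that the imports shown in the first hunk do not bring into scope, so IDEs and static analysis cannot resolve them. `@var \Symfony\Component\HttpFoundation\Request` and `@var \Symfony\Component\HttpFoundation\Response` would resolve. The `$response` docblock should also state that the property stays NULL until `onKernelResponse()` has run, because any helper reached from the request handler that dereferences it will fail. `$config` directly above still has no docblock.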
@@ -29,6 +43,12 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
     if ($this->config->get('seckit_csrf.origin')) {
       $this->_seckit_origin();
     }
+  }
+
+  public function onKernelResponse(FilterResponseEvent $event) {
+    $this->response = $event->getResponse();
+
+    // execute necessary functions
     if ($this->config->get('seckit_xss.csp.checkbox')) {
       $this->_seckit_csp();
     }
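Review bot: `onKernelResponse()` runs its handlers for every response the kernel filters, with no check that the event belongs to the master request. Sub-request responses would therefore also get the headers and, where that option is enabled, the `</head>` rewrite done by `_seckit_js_css_noscript()`. A guard at the top such as `if ($event->getRequestType() !== HttpKernelInterface::MASTER_REQUEST) { return; }`, with the matching `use Symfony\Component\HttpKernel\HttpKernelInterface;`, would limit the work to the response actually sent to the browser. The method also has no docblock, and its body continues past the end of this hunk.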
@@ -112,7 +132,7 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
     $warning = t('Possible CSRF attack was blocked. IP address: @ip, Origin: @origin.', $args);
     watchdog('seckit', $warning, array(), WATCHDOG_WARNING);
     // abort request
-    drupal_add_http_header('Status', '403 Forbidden');
+    $this->response->headers->set('Status', '403 Forbidden');
     throw new AccessDeniedHttpException($warning);
   }
 
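Review bot: `$this->response` is only assigned in `onKernelResponse()`, but the `_seckit_origin()` call appears to stay in the request-phase handler, above the closing brace added in the earlier hunk. If so, on a blocked request this line dereferences NULL and ends in a fatal error before the exception is thrown, so the CSRF block no longer returns a clean 403; confirm against the full file. `Status` is also not a real response header in the Symfony response model, and the `AccessDeniedHttpException` on the next line already produces the 403. Removing the `$this->response->headers->set('Status', '403 Forbidden');` line keeps the block path working. The enclosing function starts outside this hunk.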
@@ -185,14 +205,14 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
     if ($directives) {
       if ($csp_report_only) {
         // use report-only mode
-        drupal_add_http_header('Content-Security-Policy-Report-Only', $directives); // official name
-        drupal_add_http_header('X-Content-Security-Policy-Report-Only', $directives); // Firefox and IE10
-        drupal_add_http_header('X-WebKit-CSP-Report-Only', $directives); // Chrome and Safari
+        $this->response->headers->set('Content-Security-Policy-Report-Only', $directives); // official name
+        $this->response->headers->set('X-Content-Security-Policy-Report-Only', $directives); // Firefox and IE10
+        $this->response->headers->set('X-WebKit-CSP-Report-Only', $directives); // Chrome and Safari
       }
       else {
-        drupal_add_http_header('Content-Security-Policy', $directives); // official name
-        drupal_add_http_header('X-Content-Security-Policy', $directives); // Firefox and IE10
-        drupal_add_http_header('X-WebKit-CSP', $directives); // Chrome and Safari
+        $this->response->headers->set('Content-Security-Policy', $directives); // official name
+        $this->response->headers->set('X-Content-Security-Policy', $directives); // Firefox and IE10
+        $this->response->headers->set('X-WebKit-CSP', $directives); // Chrome and Safari
       }
     }
   }
@@ -205,11 +225,11 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
   public function _seckit_x_xss($setting) {
     switch ($setting) {
       case SECKIT_X_XSS_0:
-        drupal_add_http_header('X-XSS-Protection', '0'); // set X-XSS-Protection header to 0
+        $this->response->headers->set('X-XSS-Protection', '0'); // set X-XSS-Protection header to 0
         break;
 
       case SECKIT_X_XSS_1:
-        drupal_add_http_header('X-XSS-Protection', '1; mode=block'); // set X-XSS-Protection header to 1; mode=block
+        $this->response->headers->set('X-XSS-Protection', '1; mode=block'); // set X-XSS-Protection header to 1; mode=block
         break;
 
       case SECKIT_X_XSS_DISABLE:
@@ -222,7 +242,7 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
    * Sends X-Content-Type-Options HTTP response header.
    */
   public function _seckit_x_content_type_options() {
-    drupal_add_http_header('X-Content-Type-Options', 'nosniff');
+    $this->response->headers->set('X-Content-Type-Options', 'nosniff');
   }
 
   /**
@@ -238,11 +258,11 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
   public function _seckit_x_frame($setting) {
     switch ($setting) {
       case SECKIT_X_FRAME_SAMEORIGIN:
-        drupal_add_http_header('X-Frame-Options', 'SameOrigin'); // set X-Frame-Options to SameOrigin
+        $this->response->headers->set('X-Frame-Options', 'SameOrigin'); // set X-Frame-Options to SameOrigin
         break;
 
       case SECKIT_X_FRAME_DENY:
-        drupal_add_http_header('X-Frame-Options', 'Deny'); // set X-Frame-Options to Deny
+        $this->response->headers->set('X-Frame-Options', 'Deny'); // set X-Frame-Options to Deny
         break;
 
       case SECKIT_X_FRAME_ALLOW_FROM:
@@ -250,7 +270,7 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
         $allowed = explode(',', $allowed);
         if (count($allowed) == 1) {
           $value = array_pop($allowed);
-          drupal_add_http_header('X-Frame-Options', "Allow-From: $value");
+          $this->response->headers->set('X-Frame-Options', "Allow-From: $value");
         }
         // If there were multiple values, then seckit_boot() took care of it.
         break;
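Review bot: The header value is written as `"Allow-From: $value"`, but RFC 7034 defines the directive as `ALLOW-FROM` followed by whitespace and the origin, with no colon. A browser that implements the directive is therefore likely to discard this value, leaving the page without the intended framing restriction. `$value` also comes out of `explode(',', …)` untrimmed; the suggested line is `$this->response->headers->set('X-Frame-Options', 'ALLOW-FROM ' . trim($value));`. Current browsers have dropped `ALLOW-FROM` in favour of the CSP `frame-ancestors` directive, so this header should not be the only control. The comment that `seckit_boot()` handles multiple values may be stale after the move to an event subscriber, and the surrounding switch starts outside this hunk.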
@@ -263,6 +283,7 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
 
   static function getSubscribedEvents() {
     $events[KernelEvents::REQUEST][] = array('onKernelRequest', 100);
+    $events[KernelEvents::RESPONSE][] = array('onKernelResponse');
     return $events;
   }
 
@@ -275,7 +296,13 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
    * We need it, because Drupal API doesn't allow to init HTML elements in desired sequence.
    */
   public function _seckit_js_css_noscript() {
-    _drupal_add_js($this->_seckit_get_js_css_noscript_code(), array('type' => 'inline'));
+    //@todo Consider batter solution?
+    $content = $this->response->getContent();
+    $head_close_position = strpos($content, '</head>');
+    if ($head_close_position) {
+      $content = substr_replace($content, $this->_seckit_get_js_css_noscript_code(), $head_close_position, 0);
+      $this->response->setContent($content);
+    }
   }
 
   /**
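Review bot: The clickjacking markup is injected only when a literal lower-case `</head>` is found, and `if ($head_close_position)` treats both `FALSE` and offset 0 as "not found", so a response without that exact string goes out silently without the protection. The rewrite also runs on every response: `getContent()` returns `FALSE` for streamed or binary-file responses, and a JSON or other non-HTML body that happens to contain `</head>` would be modified. Restricting the rewrite to string bodies with an HTML content type, matching case-insensitively and comparing with `!== FALSE` closes those gaps. Logging when an HTML response has no `</head>` would make a missing defence visible. The `@todo` comment has a typo (`batter`) and should name the intended approach.

```php
  public function _seckit_js_css_noscript() {
    $content = $this->response->getContent();
    $type = $this->response->headers->get('Content-Type');
    // Leave streamed/binary bodies and non-HTML responses untouched; a
    // missing Content-Type is allowed because it may be filled in later.
    if (!is_string($content) || ($type !== NULL && stripos($type, 'text/html') === FALSE)) {
      return;
    }
    $head_close_position = stripos($content, '</head>');
    if ($head_close_position !== FALSE) {
      // … unchanged: substr_replace() and setContent() …
    }
  }
```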
@@ -292,9 +319,6 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
     $message = Xss::filter($noscript_message);
     $path = base_path() . drupal_get_path('module', 'seckit');
     return <<< EOT
-        // close script tag for SecKit protection
-        //--><!]]>
-        </script>
         <script type="text/javascript" src="$path/js/seckit.document_write.js"></script>
         <link type="text/css" rel="stylesheet" id="seckit-clickjacking-no-body" media="all" href="$path/css/seckit.no_body.css" />
         <!-- stop SecKit protection -->
@@ -304,9 +328,6 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
           <h1>$message</h1>
         </div>
         </noscript>
-        <script type="text/javascript">
-        <!--//--><![CDATA[//><!--
-        // open script tag to avoid syntax errors
 EOT;
   }
 
@@ -329,7 +350,7 @@ EOT;
     }
     $header = implode('; ', $header);
     // send HSTS header
-    drupal_add_http_header('Strict-Transport-Security', $header);
+    $this->response->headers->set('Strict-Transport-Security', $header);
   }
 
 
@@ -341,6 +362,6 @@ EOT;
    */
   public function _seckit_from_origin() {
     $value = $this->config->get('seckit_various.from_origin_destination');
-    drupal_add_http_header('From-Origin', $value);
+    $this->response->headers->set('From-Origin', $value);
   }
 }
