diff --git a/config/install/seckit.settings.yml~ b/config/install/seckit.settings.yml~
deleted file mode 100644
index 731bdaf..0000000
--- a/config/install/seckit.settings.yml~
+++ /dev/null
@@ -1,38 +0,0 @@
-seckit_xss:
-  csp:
-    checkbox: 0
-    report-only: 0
-    default-src: ''
-    script-src: ''
-    object-src: ''
-    img-src: ''
-    media-src: ''
-    frame-src: ''
-    font-src: ''
-    connect-src: ''
-    report-uri: ''
-    policy-uri: ''
-  x_xss:
-    seckit_x_xss_option_disable: 'Disabled'
-    seckit_x_xss_option_0: '0'
-    seckit_x_xss_option_1: '1; mode=block'
-    select: 0
-seckit_csrf:
-  origin: 1
-  origin_whitelist: ''
-seckit_clickjacking:
-  js_css_noscript: 0
-  noscript_message: ''
-  x_frame:
-    SECKIT_X_FRAME_DISABLE: 'Disabled'
-    SECKIT_X_FRAME_SAMEORIGIN: 'SameOrigin'
-    SECKIT_X_FRAME_DENY: 'Deny'
-    SECKIT_X_FRAME_ALLOW_FROM: 'Allow-From'
-  x_frame_allow_from: ''
-seckit_ssl:
-  hsts: 0
-  hsts_subdomains: 0
-  hsts_max_age: ''
-seckit_various:
-  from_origin: 0
-  from_origin_destination: ''
diff --git a/seckit.libraries.yml b/seckit.libraries.yml
new file mode 100644
index 0000000..0426212
--- /dev/null
+++ b/seckit.libraries.yml
@@ -0,0 +1,3 @@
+seckit/listener:
+  js:
+    js/seckit.listener.js: {}
diff --git a/src/Form/SecKitSettingsForm.php b/src/Form/SecKitSettingsForm.php
index 42ffdfa..504c84a 100644
--- a/src/Form/SecKitSettingsForm.php
+++ b/src/Form/SecKitSettingsForm.php
@@ -9,6 +9,7 @@ namespace Drupal\seckit\Form;
 
 use Drupal\Core\Form\ConfigFormBase;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Url;
 
 /**
  * Implements a form to collect security check configuration.
@@ -22,15 +23,22 @@ class SecKitSettingsForm extends ConfigFormBase {
   }
 
   /**
+   * {@inheritdoc}
+   */
+  protected function getEditableConfigNames() {
+    return ['seckit.settings'];
+  }
+
+  /**
    * {@inheritdoc}.
    */
   public function buildForm(array $form, FormStateInterface $form_state) {
     $module_path = drupal_get_path('module', 'seckit');
-    $form['#attached']['js'][] = $module_path . '/js/seckit.listener.js';
+    $form['#attached']['library'][] = 'seckit/listener';
 
     $config = \Drupal::config('seckit.settings');
     // main description
-    $args['!browserscope'] =  t('<a href="@url">Browserscope</a>', array('@url' => url('http://www.browserscope.org/?category=security')));
+    $args['!browserscope'] =  t('<a href="@url">Browserscope</a>', array('@url' => Url::fromUri('http://www.browserscope.org/?category=security')));
     $form['seckit_description'] = array(
       '#type' => 'item',
       '#description' => t('This module provides your website with various options to mitigate risks of common web application vulnerabilities like Cross-site Scripting, Cross-site Request Forgery and Clickjacking. It also has some options to improve your SSL/TLS security and fixes Drupal 6 core Upload module issue leading to an easy exploitation of an old Internet Explorer MIME sniffer HTML injection vulnerability. Note that some security features are not supported by all browsers. You may find this out at !browserscope.', $args),
@@ -48,7 +56,7 @@ class SecKitSettingsForm extends ConfigFormBase {
 
     // fieldset for Content Security Policy (CSP)
 
-    $args['!wiki'] = t('<a href="@url">Mozilla Wiki</a>', array('@url' => url('https://wiki.mozilla.org/Security/CSP')));
+    $args['!wiki'] = t('<a href="@url">Mozilla Wiki</a>', array('@url' => Url::fromUri('https://wiki.mozilla.org/Security/CSP')));
     $description = t('Content Security Policy is a policy framework that allows to specify trustworthy sources of content and to restrict its capabilities. You may read more about it at !wiki.', $args);
     $form['seckit_xss']['csp'] = array(
       '#type' => 'details',
@@ -84,7 +92,7 @@ class SecKitSettingsForm extends ConfigFormBase {
     $args['!keywords'] = $this->_getItemsList($items);
     $items = array('* - load content from any source', '*.example.com - load content from example.com and all its subdomains', 'example.com:* - load content from example.com via any port.  Otherwise, it will use your website default port');
     $args['!wildcards'] =  $this->_getItemsList($items);
-    $args['!spec'] = t('<a href="@url">specification page</a>', array('@url' => url('http://www.w3.org/TR/CSP/')));
+    $args['!spec'] = t('<a href="@url">specification page</a>', array('@url' => Url::fromUri('http://www.w3.org/TR/CSP/')));
     $description = t("Set up security policy for different types of content. Don't use www prefix. Keywords are: !keywords Wildcards (*) are allowed: !wildcards More information is available at !spec.", $args);
     $form['seckit_xss']['csp']['description'] = array(
       '#type' => 'item',
@@ -196,7 +204,7 @@ class SecKitSettingsForm extends ConfigFormBase {
       SECKIT_X_XSS_1 => $config->get('seckit_xss.x_xss.seckit_x_xss_option_1', '1; mode=block'),
     );
     // configure X-XSS-Protection
-    $link = t('<a href="@url">IE\'s XSS filter security flaws in past</a>', array('@url' => url('http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities')));
+    $link = t('<a href="@url">IE\'s XSS filter security flaws in past</a>', array('@url' => Url::fromUri('http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities')));
     $items = array('Disabled - XSS filter will work in default mode. Enabled by default', '0 - XSS filter will be disabled for a website. It may be useful because of ' . $link, '1; mode=block - XSS filter will be left enabled, but it will block entire page instead of modifying dangerous content');
     $args['!values'] =  $this->_getItemsList($items);
     $form['seckit_xss']['x_xss']['select'] = array(
@@ -208,7 +216,7 @@ class SecKitSettingsForm extends ConfigFormBase {
     );
 
     // fieldset for X-Content-Type-Options
-    $args['!link'] = t('<a href="@url">MSDN article</a>', array('@url' => url('http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx')));
+    $args['!link'] = t('<a href="@url">MSDN article</a>', array('@url' => Url::fromUri('http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx')));
     $form['seckit_xss']['x_content_type'] = array(
       '#type' => 'details',
       '#title' => t('X-Content-Type-Options'),
@@ -272,8 +280,8 @@ class SecKitSettingsForm extends ConfigFormBase {
     // configure X-Frame-Options
     $items = array('Disabled - turn off X-Frame-Options', 'SameOrigin - browser allows all the attempts of framing website within its domain. Enabled by default', 'Deny - browser rejects any attempt of framing website', 'Allow-From - browser allows framing website only from specified source');
     $args['!values'] = $this->_getItemsList($items);
-    $args['!msdn'] =  t('<a href="@url">MSDN article</a>', array('@url' => url('http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx')));
-    $args['!spec'] = t('<a href="@url">specification</a>', array('@url' => url('http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01')));
+    $args['!msdn'] =  t('<a href="@url">MSDN article</a>', array('@url' => Url::fromUri('http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx')));
+    $args['!spec'] = t('<a href="@url">specification</a>', array('@url' => Url::fromUri('http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01')));
     $description = t("X-Frame-Options HTTP response header controls browser's policy of frame rendering. Possible values: !values You may read more about it at !msdn or !spec.", $args);
     $form['seckit_clickjacking']['x_frame'] = array(
       '#type' => 'select',
@@ -292,7 +300,7 @@ class SecKitSettingsForm extends ConfigFormBase {
     );
 
     // enable/disable JS + CSS + Noscript protection
-    $args['!link'] = t('<a href="@url">sirdarckcat</a>', array('@url' => url('http://www.sirdarckcat.net/')));
+    $args['!link'] = t('<a href="@url">sirdarckcat</a>', array('@url' => Url::fromUri('http://www.sirdarckcat.net/')));
     $args['%js'] = t('seckit.document_write.js');
     $args['%write'] = t('document.write()');
     $args['%stop'] = t('stop SecKit protection');
@@ -325,7 +333,7 @@ class SecKitSettingsForm extends ConfigFormBase {
       '#description' => t('Configure various techniques to improve security of SSL/TLS'),
     );
     // enable/disable HTTP Strict Transport Security (HSTS)
-    $args['!wiki'] = t('<a href="@url">Wikipedia</a>', array('@url' => url('http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')));
+    $args['!wiki'] = t('<a href="@url">Wikipedia</a>', array('@url' => Url::fromUri('http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')));
     $form['seckit_ssl']['hsts'] = array(
       '#type' => 'checkbox',
       '#title' => t('HTTP Strict Transport Security'),
@@ -358,7 +366,7 @@ class SecKitSettingsForm extends ConfigFormBase {
     );
 
     // enable/disable From-Origin
-    $args['!spec'] = t('<a href="@url">specification</a>', array('@url' => url('http://www.w3.org/TR/from-origin/')));
+    $args['!spec'] = t('<a href="@url">specification</a>', array('@url' => Url::fromUri('http://www.w3.org/TR/from-origin/')));
     $form['seckit_various']['from_origin'] = array(
       '#type' => 'checkbox',
       '#title' => t('From-Origin'),
@@ -383,23 +391,23 @@ class SecKitSettingsForm extends ConfigFormBase {
    */
   public function validateForm(array &$form, FormStateInterface $form_state) {
     // if From-Origin is enabled, it should be explicitly set
-    $from_origin_enable = $form_state['values']['seckit_various']['from_origin'];
-    $from_origin_destination = $form_state['values']['seckit_various']['from_origin_destination'];
+    $from_origin_enable = $form_state->getValue('seckit_various', 'from_origin');
+    $from_origin_destination = $form_state->getValue('seckit_various', 'from_origin_destination');
     if (($from_origin_enable == 1) && (!$from_origin_destination)) {
       form_error($form['seckit_various']['from_origin_destination'], $form_state, t('You have to set up trustworthy destination for From-Origin HTTP response header. Default is same.'));
     }
     // if X-Frame-Options is set to Allow-From, it should be explicitly set
-    $x_frame_value = $form_state['values']['seckit_clickjacking']['x_frame'];
+    $x_frame_value = $form_state->getValue('seckit_clickjacking', 'x_frame');
     if ($x_frame_value == SECKIT_X_FRAME_ALLOW_FROM) {
-      $x_frame_allow_from = $form_state['values']['seckit_clickjacking']['x_frame_allow_from'];
+      $x_frame_allow_from = $form_state->getValue('seckit_clickjacking', 'x_frame_allow_from');
       if (!$this->_seckit_explode_value($x_frame_allow_from)) {
         form_error($form['seckit_clickjacking']['x_frame_allow_from'], $form_state, t('You must specify a trusted Origin for the Allow-From value of the X-Frame-Options HTTP response header.'));
       }
     }
     // if HTTP Strict Transport Security is enabled, max-age must be specified.
     // HSTS max-age should only contain digits.
-    $hsts_enable = $form_state['values']['seckit_ssl']['hsts'];
-    $hsts_max_age = $form_state['values']['seckit_ssl']['hsts_max_age'];
+    $hsts_enable = $form_state->getValue('seckit_ssl', 'hsts');
+    $hsts_max_age = $form_state->getValue('seckit_ssl', 'hsts_max_age');
     if (($hsts_enable == 1) && (!$hsts_max_age)) {
       form_error($form['seckit_ssl']['hsts_max_age'], $form_state, t('You have to set up Max-Age value for HTTP Strict Transport Security. Default is 1000.'));
     }
@@ -408,8 +416,8 @@ class SecKitSettingsForm extends ConfigFormBase {
     }
     // if JS + CSS + Noscript Clickjacking protection is enabled,
     // custom text for disabled JS must be specified
-    $js_css_noscript_enable = $form_state['values']['seckit_clickjacking']['js_css_noscript'];
-    $noscript_message = $form_state['values']['seckit_clickjacking']['noscript_message'];
+    $js_css_noscript_enable = $form_state->getValue('seckit_clickjacking', 'js_css_noscript');
+    $noscript_message = $form_state->getValue('seckit_clickjacking', 'noscript_message');
     if (($js_css_noscript_enable == 1) && (!$noscript_message)) {
       form_error($form['seckit_clickjacking']['noscript_message'], $form_state, t('You have to set up Custom text for disabled JavaScript message when JS + CSS + Noscript protection is enabled.'));
     }
@@ -420,7 +428,7 @@ class SecKitSettingsForm extends ConfigFormBase {
    */
   public function submitForm(array &$form, FormStateInterface $form_state) {
     $list = [];
-    $this->buildAttributeList($list, $form_state['values']);
+    $this->buildAttributeList($list, $form_state->getValues());
     $config = $this->config('seckit.settings');
 
     foreach ($list as $key => $value) {
@@ -429,8 +437,8 @@ class SecKitSettingsForm extends ConfigFormBase {
 
     $config->save();
 
-    $from_origin_enable = $form_state['values']['seckit_various']['from_origin'];
-    $x_content_type_options_enable = $form_state['values']['seckit_xss']['x_content_type']['checkbox'];
+    $from_origin_enable = $form_state->getValue('seckit_various', 'from_origin');
+    $x_content_type_options_enable = $form_state->getValue('seckit_xss', 'x_content_type', 'checkbox');
     $file_system = file_default_scheme();
     if ($from_origin_enable && ($file_system == 'public')) {
       $msg = 'From-Origin HTTP response header will not be served for files because of public file system. It is recommended to enable private file system to ensure provided by From-Origin security.';