SecKit provides Drupal with various security-hardening options. This lets you mitigate the risk of exploitation of different web application vulnerabilities.
Cross-site Scripting
- Content Security Policy implementation via the Content-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting of CSP violations to watchdog)
- Control over the Internet Explorer / Apple Safari / Google Chrome internal XSS filter via the X-XSS-Protection HTTP response header
- Fix of the Drupal 6 core module Upload issue http://drupal.org/node/803430 (the Drupal 7 version lacks this option since Upload was replaced with the FileField module)
- Prevent content up-sniffing and serving files with an incorrect MIME type via the X-Content-Type-Options: nosniff HTTP response header (now provided by core in Drupal 7+)
Cross-site Request Forgery
- Handling of the Origin HTTP request header
Clickjacking
- Implementation of the X-Frame-Options HTTP response header
- JavaScript + CSS + Noscript protection with customizable text for the disabled-JavaScript message
SSL/TLS
- Implementation of the HTTP Strict-Transport-Security (HSTS) response header, preventing man-in-the-middle and eavesdropping attacks
Various
- Implementation of the From-Origin HTTP response header
Documentation
Documentation and examples of usage are included on the module's settings form. You may also take a look at http://www.browserscope.org/?category=security to check the current status of browser support.
The various HTTP headers are comprehensively documented at the Mozilla Developer Network (MDN Web Docs).
- Content Security Policy
- Other HTTP headers
Verifying response headers
You can observe the response headers generated by Drupal and SecKit on the command line with
curl -I <URL>
Alternatively, use your web browser's developer tools (usually opened with F12), select the "Network" tab, refresh the page, click on the page request (filter the list by "HTML" if it helps), and then look through the response headers for that request.
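Once you have the raw header output from curl -I, the following added example (not part of the SecKit module or its documentation) parses it and flags the SecKit-managed headers that are missing or weakly configured, so a configuration change can be verified in one step. The sample response and the thresholds (one-year HSTS max-age, X-Frame-Options restricted to DENY or SAMEORIGIN) are the example's own assumptions.

```python
"""Audit a raw HTTP response header block for the protections SecKit manages."""
import re

# CSP can arrive under any of the three header names listed on the project page.
CSP_NAMES = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_headers(raw):
    """Parse 'curl -I' style output into {lower-cased name: value}; status line skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        # Repeated headers (e.g. two CSP lines) are joined, as a client would see them.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header value, or 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit(raw):
    """Return a list of findings; an empty list means every checked header looks sane."""
    h = parse_headers(raw)
    findings = []
    if not any(name in h for name in CSP_NAMES):
        findings.append("no Content-Security-Policy header")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if hsts_max_age(h.get("strict-transport-security", "")) < ONE_YEAR:
        findings.append("HSTS missing or max-age under one year")
    return findings


# Constructed sample (not captured from a real site): HSTS too short and an
# obsolete ALLOW-FROM frame policy, which the audit should both report.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOW-FROM https://example.com
Strict-Transport-Security: max-age=3600
"""
```

Run `audit(SAMPLE)` after adjusting the SecKit settings form and re-fetching the headers; a hardened site returns an empty list.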
Related modules
- SecKit Override
- Overrides are set by a series of URLs within the site, including optional wildcards. For any given URL pattern, some or all Security Kit settings can be overridden. Any settings which are not overridden will inherit the global setting. If multiple patterns match a given URL, then the overrides of each match are applied in order. The final resulting settings are the result of all of the matching overrides combined on top of the global settings.
Project information
- Maintenance fixes only: considered feature-complete by its maintainers.
- Module categories: Security
- 64,620 sites report using this module
- Created by p0deje on , updated
- Stable releases for this project are covered by the security advisory policy. Look for the shield icon below.
Releases
Drupal 10 compatibility
Development version: 2.x-dev updated 31 Jul 2023 at 12:48 UTC
Stable release for Drupal 7
Development version: 7.x-1.x-dev updated 3 Feb 2023 at 15:04 UTC