SecKit provides Drupal with various security-hardening options. This lets you mitigate the risk of exploitation of several classes of web application vulnerability.
Cross-site Scripting
Content Security Policy implementation via the Content-Security-Policy (standard) HTTP response header and the legacy X-Content-Security-Policy (older Firefox and IE) and X-WebKit-CSP (older Chrome and Safari) variants, which current browsers ignore (configuration page and reporting of CSP violations to watchdog)
Control over the built-in reflected-XSS filter of Internet Explorer, Apple Safari and Google Chrome via the X-XSS-Protection HTTP response header (Chromium-based browsers have since removed this filter, so the header is now legacy; CSP is the supported mitigation)
Fix for the Drupal 6 core Upload module issue http://drupal.org/node/803430 (the Drupal 7 version lacks this option since Upload was replaced by the FileField module)
Prevention of content sniffing and of serving files with an incorrect MIME type via the X-Content-Type-Options: nosniff HTTP response header (now provided by core in Drupal 7+)
Cross-site Request Forgery
Validation of the Origin HTTP request header, so that state-changing requests whose Origin is neither the site's own nor a configured allowed origin can be rejected
Clickjacking
Implementation of X-Frame-Options HTTP response header
Frame-busting protection via JavaScript + CSS + noscript, with customizable text for the message shown when JavaScript is disabled
SSL/TLS
Implementation of the HTTP Strict-Transport-Security (HSTS) response header, which tells browsers to reach the site over HTTPS only and thereby blocks SSL-stripping man-in-the-middle and eavesdropping attacks on later visits (the header only takes effect when sent on an HTTPS response)
Various
Implementation of the From-Origin HTTP response header (a W3C draft proposal that mainstream browsers never adopted)
Documentation
Documentation and examples of usage are included on the module's settings form. You may also take a look at http://www.browserscope.org/?category=security to check the current status of browser support.
The various HTTP headers are comprehensively documented at the Mozilla Developer Network (MDN Web Docs).
- Content Security Policy
- Other HTTP headers
Verifying response headers
You can observe the response headers generated by Drupal and SecKit on the command line with

curl -I <URL>

Alternatively, use your web browser's developer tools (usually opened with F12), select the "Network" tab, refresh the page, click on the page request (filter the list by "HTML" if it helps), and then look through the response headers for that request.
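Reading headers by eye in curl output is error-prone, so here is an added example (not part of SecKit or its documentation) that parses a raw response head such as `curl -sI <URL>` produces and audits the headers SecKit controls. The sample response, the 180-day HSTS threshold and the findings' wording are this example's own assumptions, not SecKit defaults.

```python
"""Audit the response headers SecKit controls, from a raw HTTP response head.

Added example (not SecKit code). Pipe the output of `curl -sI <URL>` into it,
or pass a URL to have it call curl itself. The thresholds and the "good" values
it expects are this example's own assumptions, not SecKit defaults.
"""
import re
import subprocess
import sys

# Constructed sample of a `curl -I` response head (not captured from any real site).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 03 Feb 2023 15:09:00 GMT
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; report-uri /report-csp-violation
Strict-Transport-Security: max-age=3600
"""

MIN_HSTS_MAX_AGE = 15552000  # 180 days; an assumed floor, preload lists want a year


def parse_headers(raw):
    """Parse a raw response head into {lower-cased name: [values...]}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # the first line is the status line
        if not line.strip():
            break  # a blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers):
    """Return (severity, message) findings; severity is 'missing', 'weak' or 'info'."""
    findings = []

    # Clickjacking: X-Frame-Options (what SecKit sets) or CSP frame-ancestors.
    xfo = headers.get("x-frame-options", [""])[0].upper()
    if not xfo:
        findings.append(("missing", "X-Frame-Options absent: page can be framed (clickjacking)"))
    elif xfo.startswith("ALLOW-FROM"):
        findings.append(("weak", "X-Frame-Options ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors"))

    # MIME sniffing.
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append(("missing", "X-Content-Type-Options: nosniff absent"))

    # Content Security Policy: only the standard header is honoured by current browsers.
    csp = headers.get("content-security-policy")
    if not csp:
        if "x-content-security-policy" in headers or "x-webkit-csp" in headers:
            findings.append(("weak", "only legacy X-Content-Security-Policy/X-WebKit-CSP sent; current browsers ignore them"))
        else:
            findings.append(("missing", "Content-Security-Policy absent"))
    else:
        if "'unsafe-inline'" in csp[0]:
            findings.append(("weak", "CSP allows 'unsafe-inline'; most reflected XSS is not blocked"))
        if "report-uri" not in csp[0] and "report-to" not in csp[0]:
            findings.append(("info", "CSP has no report-uri/report-to; violations are not reported anywhere"))

    # HSTS: a short max-age protects only briefly after the last HTTPS visit.
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append(("missing", "Strict-Transport-Security absent"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(("weak", f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}s"))
        if "includesubdomains" not in hsts[0].lower():
            findings.append(("info", "HSTS lacks includeSubDomains; subdomains stay downgradable"))

    # X-XSS-Protection: legacy filter, removed from Chromium; harmless but not a control.
    if "x-xss-protection" in headers:
        findings.append(("info", "X-XSS-Protection is legacy; rely on CSP instead"))

    return findings


def fetch_head(url):
    """Run `curl -sI` (the command shown above) and return the raw response head."""
    return subprocess.run(["curl", "-sI", url], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    raw = fetch_head(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for severity, message in audit_headers(parse_headers(raw)):
        print(f"[{severity}] {message}")
```

Saved as, say, audit_headers.py (file name assumed), `python audit_headers.py https://example.org/` audits a live site through curl; with no argument it audits the constructed sample, which reports a too-short HSTS max-age, the missing includeSubDomains flag and the legacy X-XSS-Protection header. Note that HSTS must be checked against the HTTPS URL: browsers discard the header on plain-HTTP responses.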
Related modules
- SecKit Override
- Overrides are set by a series of URLs within the site, including optional wildcards. For any given URL pattern, some or all Security Kit settings can be overridden. Any settings which are not overridden will inherit the global setting. If multiple patterns match a given URL, then the overrides of each match are applied in order. The final resulting settings are the result of all of the matching overrides combined on top of the global settings.
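To make the precedence rules above concrete, here is an added example that models them; it is not SecKit Override's code. The setting names, the assumption that `*` matches any run of characters including slashes (as Drupal path patterns do), and the sample overrides are all constructed for illustration.

```python
"""Model of the SecKit Override precedence rules: every override whose path
pattern matches is applied, in configured order, on top of the global settings.

Added example, not the module's code: setting names, wildcard semantics and the
sample overrides are assumptions made for illustration.
"""
import re

# Constructed global SecKit settings (a subset; names are illustrative).
GLOBAL_SETTINGS = {
    "x_frame_options": "SAMEORIGIN",
    "csp_policy": "default-src 'self'",
    "hsts_max_age": 31536000,
}

# Constructed override list in the order the administrator configured it.
# Each entry: (path pattern with optional `*` wildcards, settings to override).
OVERRIDES = [
    ("admin/*", {"x_frame_options": "DENY"}),
    ("admin/reports/*", {"csp_policy": "default-src 'self'; img-src *"}),
    ("embed/*", {"x_frame_options": None}),  # None: header disabled on embeddable pages
    ("admin/reports/status", {"x_frame_options": "SAMEORIGIN"}),  # later match wins
]


def path_matches(pattern, path):
    """`*` matches any run of characters, slashes included (assumed Drupal-style)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, path) is not None


def matching_patterns(path, overrides=OVERRIDES):
    """Patterns that apply to `path`, in the order their overrides will be applied."""
    return [pattern for pattern, _ in overrides if path_matches(pattern, path)]


def effective_settings(path, global_settings=GLOBAL_SETTINGS, overrides=OVERRIDES):
    """Settings in force for `path`: globals, then each matching override in order."""
    settings = dict(global_settings)  # keys not overridden inherit the global value
    for pattern, override in overrides:
        if path_matches(pattern, path):
            settings.update(override)  # a later match wins for the keys it sets
    return settings


if __name__ == "__main__":
    for path in ("node/1", "admin/config", "admin/reports/dblog", "admin/reports/status"):
        print(path, matching_patterns(path), effective_settings(path))
```

The point to keep in mind when reviewing an override list: because later matches win, a broad pattern placed after a narrow one silently cancels the narrow one's settings for every path they share, so order the list from broad to specific.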
Project information
Maintenance fixes only
Considered feature-complete by its maintainers.
- Module categories: Security
58,815 sites report using this module
- Created by p0deje on , updated
Stable releases for this project are covered by the security advisory policy.
Releases
Drupal 10 compatibility
Development version: 2.x-dev updated 16 Dec 2022 at 12:49 UTC
- Testing result: PHP 7.3 & MySQL 5.7, D9.4.8: 32 pass
Pre-release version: 7.x-1.12-rc1 released 3 Feb 2023 at 15:09 UTC
RC1 of a 7.x-1.12 release
Development version: 7.x-1.x-dev updated 3 Feb 2023 at 15:04 UTC
- Testing result: PHP 7.2 & MySQL 5.5, D7: 32 pass