Security Kit

SecKit provides Drupal with various security-hardening options. This lets your mitigate the risks of exploitation of different web application vulnerabilities.

Cross-site Scripting

Content Security Policy implementation via Сontent-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting CSP violations to watchdog)

Control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter via X-XSS-Protection HTTP response header

Fix of Drupal 6 core module Upload issue http://drupal.org/node/803430 (Drupal 7 version lacks this option as long as Upload was replaced with FileField module)

Prevent content upsniffing and serving files with incorrect MIME-type via X-Content-Type-Options: nosniff HTTP response header

Cross-site Request Forgery

Handling of Origin HTTP request header

Clickjacking

Implementation of X-Frame-Options HTTP response header

JavaScript + CSS + Noscript protection with customizable text for disabled JavaScript message

SSL/TLS

Implementation of HTTP Strict Transport Security (HSTS) response header, preventing man-in-the-middle and eavesdropping attacks

Various

Implementation of From-Origin HTTP response header

Documentation

All necessary documentation and examples of usage are on settings page of module. You may also take a look at http://www.browserscope.org/?category=security to figure out current status of browsers support.

Upcoming releases

Preparations for the 7.x-1.10 release are under way. Please 'follow' this issue to track the release candidate(s) and testing.