Module Description
SecKit provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities.
Cross-site Scripting
* Content Security Policy implementation via the Content-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting of CSP violations to watchdog)
* Control over the Internet Explorer / Apple Safari / Google Chrome internal XSS filter via the X-XSS-Protection HTTP response header
* Fix for the Drupal 6 core Upload module issue http://drupal.org/node/803430 (the Drupal 7 version lacks this option because Upload was replaced by the FileField module)
* Prevention of content sniffing and of serving files with an incorrect MIME type via the X-Content-Type-Options: nosniff HTTP response header (now provided by core in Drupal 7+)
Cross-site Request Forgery
* Handling of the Origin HTTP request header
Clickjacking
* Implementation of the X-Frame-Options HTTP response header
* JavaScript + CSS + Noscript protection with customizable text for the disabled-JavaScript message
SSL/TLS
* Implementation of the HTTP Strict-Transport-Security (HSTS) response header, preventing man-in-the-middle and eavesdropping attacks
Various
* Implementation of the From-Origin HTTP response header
Documentation
Documentation and examples of usage are included on the module's settings form. You may also take a look at http://www.browserscope.org/?category=security to see the current status of browser support.
The various HTTP headers are comprehensively documented at the Mozilla Developer Network (MDN Web Docs).
Content Security Policy
* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
* https://www.w3.org/TR/CSP/ (published spec)
* https://w3c.github.io/webappsec-csp/ (draft spec)
* https://report-uri.com/home/generate
Other HTTP headers
* Expect-CT
* Feature-Policy
* Origin
* Referrer-Policy
* Strict-Transport-Security
* X-Content-Type-Options
* X-Frame-Options
* X-XSS-Protection
Verifying response headers
You can observe the response headers generated by Drupal and SecKit on the command line with curl -I <URL>.
Alternatively, use your web browser's developer tools (type F12 usually), select the "Network" tab, refresh the page, click on the page request (filter the list by "HTML" if it helps), and then look through the response headers for that request.
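As an added example (not part of SecKit or Drupal), the POSIX shell script below automates the curl -I check above: it reads the raw response headers, reports for each header SecKit manages whether it is present, missing or weakly configured, and returns a non-zero status when anything is off, so it can run as a post-deploy check. The header list, the "weak" rules and the sample headers are assumptions constructed for the example, not the module's own.

```shell
#!/bin/sh
# Added example, not part of SecKit or Drupal: audit the response headers that
# SecKit manages, working from the same output `curl -I <URL>` produces.
#
#   audit_headers       reads raw response headers from stdin and reports on them
#   audit_url URL       fetches the headers with curl and pipes them to audit_headers
#
# audit_headers returns 0 only when every expected header is present with a sane
# value, so it can be used as a post-deploy check in CI.

# Headers to look for (assumption: the ones SecKit can emit plus Referrer-Policy;
# edit to match the policy your site is supposed to send).
EXPECTED_HEADERS="Content-Security-Policy X-Frame-Options X-Content-Type-Options Strict-Transport-Security Referrer-Policy X-XSS-Protection"

# header_value HEADERS NAME: print the first value of header NAME, matched
# case-insensitively. CR characters are stripped so curl's CRLF line endings do
# not leak into the value. The colon in the pattern keeps
# Content-Security-Policy-Report-Only from counting as an enforced CSP.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# check_value NAME VALUE: print "ok" or a short reason the value is weak.
check_value() {
    case "$1" in
        X-Frame-Options)
            case "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" in
                DENY|SAMEORIGIN) echo ok ;;
                *) echo "weak: expected DENY or SAMEORIGIN" ;;
            esac ;;
        X-Content-Type-Options)
            case "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" in
                nosniff) echo ok ;;
                *) echo "weak: expected nosniff" ;;
            esac ;;
        Strict-Transport-Security)
            # HSTS with a missing or zero max-age pins nothing.
            age=$(printf '%s' "$2" | tr -d ' ' | tr ';' '\n' | grep -i '^max-age=' | head -n 1 | cut -d= -f2)
            if [ -n "$age" ] && [ "$age" -gt 0 ] 2>/dev/null; then
                echo ok
            else
                echo "weak: max-age missing or zero"
            fi ;;
        *) echo ok ;;   # for the other headers only presence is checked
    esac
}

# audit_headers: read headers from stdin, print one line per expected header,
# return 1 if any header is missing or weak.
audit_headers() {
    headers=$(cat)
    status=0
    for name in $EXPECTED_HEADERS; do
        value=$(header_value "$headers" "$name")
        if [ -z "$value" ]; then
            echo "$name: MISSING"
            status=1
        else
            verdict=$(check_value "$name" "$value")
            echo "$name: $verdict ($value)"
            [ "$verdict" = ok ] || status=1
        fi
    done
    return $status
}

# audit_url URL: live form of the `curl -I <URL>` check from the text.
audit_url() {
    curl -sI "$1" | audit_headers
}

# Constructed sample (not captured from a real site) so the script runs offline:
# HSTS is present but disabled, and X-XSS-Protection is absent.
SAMPLE_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; report-uri /example-csp-report
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=0
Referrer-Policy: strict-origin-when-cross-origin"

printf '%s\n' "$SAMPLE_HEADERS" | audit_headers || echo "audit failed: fix the headers flagged above"
```

Run it against a live site with `audit_url https://your-site.example/`. Note that `curl -I` sends a HEAD request; if the site answers HEAD differently from GET, use `curl -sD - -o /dev/null <URL>` in audit_url instead, which dumps the headers of a normal GET.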
Related modules
SecKit Override
Overrides are set by a series of URLs within the site, including optional wildcards. For any given URL pattern, some or all Security Kit settings can be overridden. Any settings which are not overridden inherit the global setting. If multiple patterns match a given URL, the overrides of each match are applied in order. The final settings are the result of all of the matching overrides combined on top of the global settings.
Module Link
Project Usage: 61518
Security Covered: Covered By Security Advisory
Version Available: Production
Module Summary
SecKit aims to enhance Drupal security by providing various security-hardening options to mitigate the risks of exploitation of different web application vulnerabilities.
Data Name: seckit