Security Kit for XSS, CSRF, SSL/TLS, Expect-CT, and More
To configure the Security Kit module in your site, navigate to: Administration \ Configuration \ System \ Security Kit settings
The configuration page allows you to configure settings to tighten your website's security regarding:
Cross-site Scripting (XSS)
Content Security Policy (CSP): Content Security Policy is a policy framework that allows you to specify trustworthy sources of content and to restrict its capabilities. You may read more about it at Mozilla Wiki.
X-XSS-Protection header: The X-XSS-Protection HTTP response header controls the internal XSS filters of Microsoft Internet Explorer, Google Chrome and Apple Safari.
Cross-site Request Forgery (CSRF): Configure levels and various techniques of protection from cross-site request forgery attacks.
Clickjacking
X-Frame-Options header: Configure the X-Frame-Options HTTP header.
JavaScript-based protection: Warning: With this enabled, the site will not work at all for users who have JavaScript disabled (e.g. users running the popular NoScript browser extension, if they haven't whitelisted your site).
SSL/TLS: Configure various techniques to improve the security of SSL/TLS.
Expect-CT: Configure the Expect-CT header, which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements. See Mozilla's developer documentation.
Feature policy: Allows configuration of the Feature-Policy header to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. See Google's developer documentation.
Miscellaneous: Configure miscellaneous unsorted security enhancements such as the From-Origin HTTP response header and the Referrer-Policy HTTP response header.
All necessary documentation and examples of usage are on the settings page.
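To verify that the headers these settings control actually reach the browser, the following added example (not part of the Security Kit module or this page) audits a raw HTTP response for the headers listed above. The sample response, the expected values and the "weak" judgement for X-Frame-Options ALLOW-FROM are assumptions made for this example.

```python
"""Audit a raw HTTP response for the headers Security Kit configures."""

# Headers the settings page controls. A value of None means "present is
# enough"; otherwise the value must match one of the listed strings.
# These thresholds are assumptions for this example, not module defaults.
EXPECTED = {
    "content-security-policy": None,
    "x-xss-protection": ("1; mode=block",),
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "strict-transport-security": None,
    "expect-ct": None,
    "feature-policy": None,
    "referrer-policy": None,
}

# Constructed sample response: some headers set, some missing, one weak.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOW-FROM https://example.org
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin

<html><body>placeholder body</body></html>
"""


def parse_headers(raw: str) -> dict:
    """Parse the header block (after the status line) into a lowercase dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> dict:
    """Return {header: 'ok' | 'missing' | 'weak: <value>'} for each expected header."""
    headers = parse_headers(raw)
    result = {}
    for name, allowed in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            result[name] = "missing"
        elif allowed is None or value.upper() in (a.upper() for a in allowed):
            result[name] = "ok"
        else:
            result[name] = f"weak: {value}"
    return result
```

Run it against a response captured from your own site to see which of the module's settings are not yet taking effect.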