Other Security Kits
Security Kit for XSS, CSRF, SSL/TLS, Expect-CT, and More
To configure the Security Kit module in your site, navigate to: Administration \ Configuration \ System \ Security Kit settings
The configuration page allows you to configure settings to tighten your website's security regarding:
Cross-site Scripting (XSS)
Content Security Policy (CSP): Content Security Policy is a policy framework that allows to specify trustworthy sources of content and to restrict its capabilities. You may read more about it at Mozilla Wiki.
X-XSS-Protection header:
X-XSS-Protection
HTTP response header controls Microsoft Internet Explorer, Google Chrome and Apple Safari internal XSS filters.
Cross-site Request Forgery (CSRF): Configure levels and various techniques of protection from cross-site request forgery attacks.
Clickjacking
X-Frame-Options header: Configure the
X-Frame-Options
HTTP header.JavaScript-based protection: Warning: With this enabled, the site will not work at all for users who have JavaScript disabled (e.g. users running the popular NoScript browser extension, if they haven't whitelisted your site).
SSL/TLS: Configure various techniques to improve security of SSL/TLS
Expect-CT: Configure the
Expect-CT
header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements. See Mozilla's developer documentation.Feature policy: Allows configuration of the
Feature-Policy
header to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. See Google's developer documentation.Miscellaneous: Configure miscellaneous unsorted security enhancements such as:
From-Origin
HTTP response headerReferrer-Policy
HTTP response header
All necessary documentation and examples of usage are on the settings page.
Last updated