Posted by p0deje on March 26, 2011 at 12:12pm
Module provides Drupal installation with various security hardening options. This lets your mitigate the risks of exploitation of different web application vulnerabilities.
Cross-site Scripting
- Content Security Policy implementation via Сontent-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting CSP violations to watchdog)
- Control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter via X-XSS-Protection HTTP response header
- Fix of Drupal 6 core module Upload issue http://drupal.org/node/803430 (Drupal 7 version lacks this option as long as Upload was replaced with FileField module)
- Prevent content upsniffing and serving files with incorrect MIME-type via X-Content-Type-Options: nosniff HTTP response header
Cross-site Request Forgery
- Handling of Origin HTTP request header
Clickjacking
- Implementation of X-Frame-Options HTTP response header
- JavaScript + CSS + Noscript protection with customizable text for disabled JavaScript message
SSL/TLS
- Implementation of HTTP Strict Transport Security response header, preventing man-in-the-middle and eavesdropping attacks
Various
- Implementation of From-Origin HTTP response header
Documentation
All necessary documentation and examples of usage are on settings page of module. You may also take a look at http://www.browserscope.org/?category=security to figure out current status of browsers support.
Known issues
- CSP reports from Google Chrome doesn't work. Chrome doesn't send cookies and thus menu returns 403
Downloads
Project Information
- Maintenance status: Actively maintained
- Development status: Under active development
- Reported installs: 387 sites currently report using this module. View usage statistics.
- Downloads: 58,384
- Last modified: September 16, 2012
