Module provides Drupal installation with various security hardening options. This lets your mitigate the risks of exploitation of different web application vulnerabilities.
- Content Security Policy implementation via Сontent-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) HTTP response headers (configuration page and reporting CSP violations to watchdog)
- Control over Internet Explorer / Apple Safari / Google Chrome internal XSS filter via X-XSS-Protection HTTP response header
- Fix of Drupal 6 core module Upload issue http://drupal.org/node/803430 (Drupal 7 version lacks this option as long as Upload was replaced with FileField module)
- Prevent content upsniffing and serving files with incorrect MIME-type via X-Content-Type-Options: nosniff HTTP response header
Cross-site Request Forgery
- Handling of Origin HTTP request header
- Implementation of X-Frame-Options HTTP response header
- Implementation of HTTP Strict Transport Security response header, preventing man-in-the-middle and eavesdropping attacks
- Implementation of From-Origin HTTP response header
All necessary documentation and examples of usage are on settings page of module. You may also take a look at http://www.browserscope.org/?category=security to figure out current status of browsers support.
- CSP reports from Google Chrome doesn't work. Chrome doesn't send cookies and thus menu returns 403