This will be the first article in a series about HTTP security headers and Drupal: what they are, why you should care about them, and how to implement them to increase the security of your Drupal 7, 8, 9 or 10 site.
- Part 2: Permissions Policy
- Part 3: X Marks the Spot
- Part 4: Content Security Policy
What are they?
A security header is a special type of HTTP header that can be provided by a web server to a client browser to harden an application against certain vulnerabilities or attack vectors.
Why should I care?
Utilizing security headers is a quick and easy method of increasing your Drupal site’s security. There are, with a few caveats, almost no downsides to using them and, Drupal being Drupal, some handy contributed modules available that makes configuring them quick and painless.
What headers are available?
This is not an exhaustive list, but rather a list of what I believe to be the most impactful security headers you can use on a Drupal site:
Permissions Policy allows a site to control which features can be used in the browser (for example, microphone, camera, location, etc.). This is a new implementation of the (now) legacy/deprecated Feature Policy header.
Strict Transport Security strengthens your site’s implementation of TLS/SSL by getting the web browser’s User Agent to enforce the use of HTTPS.
X Content Type Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type.
X Frame Options tells the browser whether you want to allow your site to be framed (displayed in an iframe element) or not. By preventing a browser from framing your site you can defend against clickjacking attacks.
Content Security Policy (CSP) is a measure to protect your site from cross site scripting (XSS) attacks. By whitelisting sources of approved content, you can prevent the browser from loading other, potentially malicious assets. This is the trickiest and most time consuming header of the bunch to configure.
How do I set them?
As with most things Drupal, there are contributed modules for that!
The Seckit module allows you to set a number of security headers via configuration, including Content Security Policy, Referrer Policy, and X Frame Options (Drupal 7, 8, 9, and 10 versions available).
The Permissions Policy module allows you to, as the name implies, set the Permissions Policy header via a nice configuration interface (Drupal 8, 9, and 10 only).
You can also manually add security (and other) headers via an appropriate hook within a custom module (Drupal 7) or via a new event subscriber within a custom module (Drupal 8-10) if you’d like more granular or programmatic control over them.
You can check how your site's current header configuration measures up with the following tool: https://securityheaders.com/
In future articles, I will be addressing each of the headers I listed above and how to use the Seckit, Permissions Policy, and custom modules to set them on your Drupal 7, 8, 9, or 10 site.