Add Feature-Policy in Drupal 8 with the Security Kit Module

The Feature-Policy HTTP header specifies what browser features can be used on a website and its <iframe> elements. The most common browser features among a long list are autoplay (for videos), camera, fullscreen, and microphone.

Below we’ll cover how to install the Security Kit module in Drupal 8 and enable Feature Policy.


Install Security Kit

  1. Log in to Drupal.
  2. Install the Drupal module using the Security Kit download link.
  3. Click Install at the bottom.

Enable Feature Policy

  1. Click Configuration at the top.
  2. Under System, click Security Kit settings.
  3. At the bottom, click Feature Policy to expand its settings.
  4. Check the box beside Feature policy.
  5. Add any directives and their allowlist options:
    * – allowed
    'self' – allowed only from the same website
    'none' – disabled
    [specified-domain(s)] – allowed only from the listed domain(s)
    For example, to disable autoplay, camera, geolocation, microphone, and MIDI, but enable audio on your website and in iframes embedded from https://example2.com:
    "autoplay 'none'; camera 'none'; geolocation 'none'; microphone 'none'; midi 'none'; speaker 'self' https://example2.com;"
  6. Click Save configuration.
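
A local check for a policy string before you save it in Security Kit, added here as an example (it is not code from the Security Kit module or from the original article): it parses the directives and allowlist options described above and reports features that were meant to be disabled but are not. The function names, the must-disable list, and the sample value are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

KEYWORDS = {"*", "'self'", "'none'"}

def parse_feature_policy(value):
    """Split a Feature-Policy value into ({feature: [allowlist entries]}, problems)."""
    policy, problems = {}, []
    for part in value.strip().strip('"').split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        feature, allowlist = tokens[0].lower(), tokens[1:]
        if feature in policy:
            problems.append(f"{feature}: directive repeated")
            continue
        policy[feature] = allowlist
    return policy, problems

def audit(value, must_disable):
    """Return a sorted list of findings for one header value."""
    policy, problems = parse_feature_policy(value)
    for feature, allowlist in policy.items():
        if not allowlist:
            problems.append(f"{feature}: no allowlist given")
        for entry in allowlist:
            if entry in KEYWORDS:
                continue
            if entry in ("self", "none"):  # keywords need single quotes
                problems.append(f"{feature}: {entry} must be written '{entry}'")
                continue
            url = urlsplit(entry)
            if url.scheme not in ("http", "https") or not url.netloc:
                problems.append(f"{feature}: {entry} is not a keyword or an origin")
        if "'none'" in allowlist and len(allowlist) > 1:
            problems.append(f"{feature}: 'none' combined with other entries")
    for feature in must_disable:
        if policy.get(feature) != ["'none'"]:
            got = " ".join(policy.get(feature, [])) or "no directive"
            problems.append(f"{feature}: expected 'none', got {got}")
    return sorted(problems)

# Constructed sample: the example policy with midi left open to every origin.
SAMPLE = ("autoplay 'none'; camera 'none'; geolocation 'none'; "
          "microphone 'none'; midi *; speaker 'self' https://example2.com;")
MUST_DISABLE = ["autoplay", "camera", "geolocation", "microphone", "midi"]

if __name__ == "__main__":
    for finding in audit(SAMPLE, MUST_DISABLE):
        print(finding)
```

An empty result means every directive parsed cleanly and each feature in the must-disable list is set to 'none'.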

Test your results at SecurityHeaders.com. If you want more security, add Content-Security-Policy (CSP) and HTTP Strict Transport Security (HSTS) to your websites. Then, when someone asks “what is Drupal?”, you can simply reply “secure”.
