Add Feature-Policy in Drupal 8 with the Security Kit Module

The Feature-Policy HTTP header specifies what browser features can be used on a website and its <iframe> elements. The most common browser features among a long list are autoplay (for videos), camera, fullscreen, and microphone.

Below we’ll cover how to install the Security Kit module in Drupal 8 and enable Feature Policy.

Get high performance and security with our Managed Drupal Hosting.

Install Security Kit

  1. Login to Drupal.
  2. Install the Drupal module using the Security Kit download link.
  3. Click Install at the bottom.

Enable Feature Policy

  1. Click Configuration at the top.
  2. Under System, Click Security Kit settings.
  3. At the bottom, click Feature Policy to expand its settings.
  4. Check the box beside Feature policy.
  5. Add any directives and their allowlist options:
    * – allowed
    'self' – allowed only from same website
    'none' – disabled
    For example, to disable autoplay, camera, geolocation, microphone, and MIDI, but enable audio from all internal and embedded iframes on your website:
    "autoplay 'none'; camera 'none'; geolocation 'none'; microphone 'none'; midi *; speaker 'self';"
  6. Click Save configuration.

Test your results at If you want more security, add Content-Security-Policy (CSP) and HTTP Strict Transport Security (HSTS) to your websites. Then, when someone asks “what is Drupal?”, you can simply reply “secure”.

InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting

Was this article helpful? Join the conversation!