Add Feature-Policy in Drupal 8 with the Security Kit Module

The Feature-Policy HTTP header specifies what browser features can be used on a website and its <iframe> elements. The most common browser features among a long list are autoplay (for videos), camera, fullscreen, and microphone.

Below we’ll cover how to install the Security Kit module in Drupal 8 and enable Feature Policy.

Get high performance and security with our VPS Drupal Hosting.

Install Security Kit

  1. Login to Drupal.
  2. Install the Drupal module using the Security Kit download link.
  3. Click Install at the bottom.

Enable Feature Policy

  1. Click Configuration at the top.
  2. Under System, Click Security Kit settings.
  3. At the bottom, click Feature Policy to expand its settings.
  4. Check the box beside Feature policy.
  5. Add any directives and their allowlist options:
    * – allowed
    'self' – allowed only from same website
    'none' – disabled
    For example, to disable autoplay, camera, geolocation, microphone, and MIDI, but enable audio from all internal and embedded iframes on your website:
    "autoplay 'none'; camera 'none'; geolocation 'none'; microphone 'none'; midi *; speaker 'self';"
  6. Click Save configuration.
drupal security kit feature policy

Test your results at If you want more security, add Content-Security-Policy (CSP) and HTTP Strict Transport Security (HSTS) to your websites. Then, when someone asks “what is Drupal?”, you can simply reply “secure”.

Jacqueem Content Writer I

Technical writer focused on cybersecurity and musicianship.

More Articles by Jacqueem


It looks like this article doesn't have any comments yet - you can be the first. If you have any comments or questions, start the conversation!

Was this article helpful? Let us know!