
How to Fix Security Headers in Drupal

Drupal sites have two clean paths for security headers: .htaccess for static headers everyone can edit, or the Security Kit (seckit) module for fine-grained, configurable headers with CSP report-uri support. This guide covers every fix our Security Audit raises on Drupal: HTTP security headers via either path, modern TLS at the server level, and publishing security.txt. Tested against Drupal 10.3. For WordPress, see the WordPress variant; for the full finding catalogue, see Security Audit Fixes.

1. Choose your approach

.htaccess is simpler and faster. Security Kit is more powerful (CSP reporting, dynamic policies, per-content-type rules). For most sites, start with .htaccess. Move to Security Kit if you need CSP report-uri to identify policy violations.

2. Option A: .htaccess

Drupal's default .htaccess in the docroot already has security comments — extend it.

Step 1
Open .htaccess
Drupal docroot contains .htaccess. Open it with your preferred editor.
Step 2
Add the six directives
Find the existing <IfModule mod_headers.c> block (Drupal already ships X-Content-Type-Options in it) and add the other five directives so that the block reads:
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'self'"
</IfModule>

3. Option B: Security Kit module

For sites with complex content (third-party embeds, CDN-hosted assets, frequent script changes), Security Kit gives you a Drupal admin UI plus CSP report-uri support.

Step 1
Install Security Kit
composer require drupal/seckit
drush en seckit -y
Step 2
Configure headers
Configuration → System → Security Kit (/admin/config/system/seckit). Each tab (CSRF, XSS, SSL/TLS, Various) maps to specific headers. Configure each section, save.
Step 3
Enable CSP reporting
XSS tab → enable Content Security Policy. Start with Report-only mode and a Report URI (your own logging endpoint or a service like Sentry/Report URI). Collect violations for a week. Then switch to enforcing mode.
💡 Security Kit's CSP report-only mode is the easiest way to roll out a strict CSP without breaking the site. Run for 7-14 days, fix violations, then enforce.

4. Verify and re-audit

Step 1
Curl test
curl -sI https://yourdomain.com/ | grep -iE "strict-transport|x-frame|x-content|referrer|permissions|content-security"
All six should appear. Re-run the Security Audit for full verification.
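To check the same six headers without eyeballing grep output, here is an added Python example (not part of this guide, of Drupal or of Security Kit) that parses the raw `curl -sI` output and reports which headers are missing or weaker than the values set above; the two sample responses are constructed for the example.

```python
import re

# The six headers this guide sets, keyed by lowercase name.
REQUIRED = ["strict-transport-security", "x-frame-options",
            "x-content-type-options", "referrer-policy",
            "permissions-policy", "content-security-policy"]

def parse_headers(raw):
    """Map lowercase header name -> value from `curl -sI` output.
    Skips the status line; a repeated header keeps its last value."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw):
    """Return findings as strings; an empty list means all six pass."""
    h = parse_headers(raw)
    findings = ["missing: " + n for n in REQUIRED if n not in h]
    # HSTS only counts if max-age is at least the one year the guide uses.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if "strict-transport-security" in h and (not m or int(m.group(1)) < 31536000):
        findings.append("weak: strict-transport-security max-age below one year")
    # CSP should carry frame-ancestors, the modern counterpart of X-Frame-Options.
    csp = h.get("content-security-policy")
    if csp is not None and "frame-ancestors" not in csp:
        findings.append("weak: content-security-policy lacks frame-ancestors")
    return findings

# Constructed sample: a stock Drupal response, which sets only nosniff.
BEFORE = """HTTP/2 200
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
"""
# Constructed sample: the same site after the six .htaccess directives above.
AFTER = """HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
content-security-policy: default-src 'self'; frame-ancestors 'self'
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw) or "all six headers present")
```

Pipe live output in with `curl -sI https://yourdomain.com/ | python3 check_headers.py` after replacing the sample with `sys.stdin.read()`.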
