These security headers can be added to a Drupal website to improve its page security rating. Tested on Pantheon.
A generic example, adjust per site requirements:
```php
<?php
// Prevent browsers from sniffing a response and picking a MIME type
// different from the declared content-type, since that can lead to
// XSS and other vulnerabilities.
header('X-Content-Type-Options: nosniff');
// Upgrade HTTP requests to secure HTTPS (CSP upgrade-insecure-requests directive).
header('Content-Security-Policy: upgrade-insecure-requests');
// Report all insecure requests, but do not refuse. Report-Only is never enforced, and
// without a report-uri/report-to directive violations only appear in the browser console.
header("Content-Security-Policy-Report-Only: img-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline';");
// X-XSS-Protection controls IE8/Safari/Chrome internal XSS filter.
// (Newer Chromium-based browsers no longer implement this filter; the header is harmless to send.)
header('X-XSS-Protection: 1; mode=block');
```
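To verify what a site actually sends after adding the headers above, the following audit script (an added example, not part of the original note) parses a raw header block such as the output of `curl -sI https://example.org/` and flags missing or weak headers, including the two caveats of the snippet: a Report-Only policy with no report destination and `'unsafe-inline'` in `script-src`. The `SAMPLE_RESPONSE` is a constructed response mimicking the configuration above.

```python
import re

# Constructed sample: roughly what `curl -sI` returns from a site using the settings.php snippet.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
content-security-policy-report-only: img-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline';
x-xss-protection: 1; mode=block
"""

# Headers that should always be present, each with a minimal sanity check on its value.
REQUIRED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
}

def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped, last value wins."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return the findings for one response as a list of strings (empty means nothing flagged)."""
    h = parse_headers(raw)
    findings = [f"missing {n}" if n not in h else f"weak {n}: {h[n]}"
                for n, ok in REQUIRED.items() if n not in h or not ok(h[n])]
    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if enforced is None:
        findings.append("no enforcing content-security-policy"
                        + (" (report-only policy present)" if report_only else ""))
    for label, policy in (("csp", enforced), ("csp-report-only", report_only)):
        if not policy:
            continue
        if re.search(r"script-src[^;]*'unsafe-inline'", policy):
            findings.append(f"{label}: script-src allows 'unsafe-inline'")
        if label == "csp-report-only" and not re.search(r"\breport-(uri|to)\b", policy):
            findings.append("csp-report-only: no report-uri/report-to, so violations are never delivered")
    if "x-xss-protection" in h and not h["x-xss-protection"].lower().startswith("1; mode=block"):
        findings.append(f"weak x-xss-protection: {h['x-xss-protection']}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("-", finding)
```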
If a site's DNS is on Cloudflare, it is already filtering bad bots. To ban by IP and User Agent, go to Firewall > Firewall Rules:
- Add a rule "Known Bots" equals On > Allow first, to avoid accidentally blocking good bots when using any of the following
- To ban by IP, add an "IP Address" firewall rule
- To ban by User Agent, add a "User Agent" firewall rule
- To ban by Country, add a "Country" firewall rule
Pantheon/Acquia: add the header() calls above to settings.php.