Security Headers

These security headers can be added to Drupal website to improve pages security rating. Tested on Pantheon.

A generic example, adjust per site requirements:

// Prevent browsers from sniffing a response and picking a MIME type
// different from the declared content-type, since that can lead to
// XSS and other vulnerabilities.
header('X-Content-Type-Options: nosniff;');

// Upgrade HTTP requests to secure HTTPS
header('Content-Security-Policy: upgrade-insecure-requests;');

// Report all insecure requests, but do not refuse
header("Content-Security-Policy-Report-Only: img-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline';");

// X-XSS-Protection controls IE8/Safari/Chrome internal XSS filter.
header('X-XSS-Protection: 1; mode=block;');

// Referrer-Policy
header('Referrer-Policy: no-referrer-when-downgrade;');

// Permissions-Policy
header('Permissions-Policy: no-referrer-when-downgrade;');

Need expert help with Drupal?

Ban Bad Bots/IPs/User Agent/Country


If a site's DNS is on Cloudflare, it is already filtering bad bots. To ban IP and User Agent, under Firewall > Firewall Rules

  • Add "Known Bots" equals On > Allow, to avoid accidentally block good bots if using any of the following
  • To ban by IP, add "IP Address" to bank
  • To ban by User Agent, add "User Agent" firewall rule
  • To ban by Country, add "Country" firewall rule

Pantheon/Acquia using settings.php

Refer to

Blog Categories



O8 is a web and digital marketing consultancy based in Minneapolis, MN offering expert-level UX Design, CRO, and strategic consulting, as well as highly-technical capabilities in Drupal, WordPress, and HubSpot

We work differently from traditional agencies in that we extend your team with ours.