// Prevent browsers from sniffing a response and picking a MIME type
// different from the declared content-type, since that can lead to
// XSS and other vulnerabilities.
// Upgrade HTTP requests to secure HTTPS
// Report all insecure requests, but do not refuse
header("Content-Security-Policy-Report-Only: img-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline';");
// X-XSS-Protection controls IE8/Safari/Chrome internal XSS filter.
header('X-XSS-Protection: 1; mode=block;');
Drupal is constantly being updated to fix vulnerabilities. Staying updated with the latest version of Drupal helps prevent websites from being targeted. You can stay in the know by regularly monitoring Drupal’s Security Advisories. In addition, there are several security-related contributed modules that can help. Other best practices include code review or getting a Drupal security audit from a 3rd party.