botbuster
BotBuster protects your Drupal site from automated bot traffic and DDoS attacks on specific paths. It uses a lightweight JavaScript browser challenge to verify that visitors are real humans using real browsers, without CAPTCHAs or third-party services.
When a request hits a protected path (such as a search page or faceted navigation), BotBuster checks for a valid browser token stored in a cookie. If no valid token exists, the visitor sees a brief "Browser Verification" challenge page. The page runs a small JavaScript snippet that generates a browser fingerprint, sets a cookie, and redirects the user back to their original URL -- all within a few seconds. Bots and automated scripts that don't execute JavaScript are blocked. No user interaction is required.
Features
Path-based protection with wildcard support: Protect specific paths like /search, /catalog/*, or any URL containing facet. Enter one pattern per line with * wildcard support.
JavaScript browser challenge: Visitors without a valid token are served a lightweight challenge page that generates a browser fingerprint token via JavaScript. No CAPTCHA, no third-party dependency.
Configurable token lifetime: Tokens can be valid from 1 hour to 7 days. Once verified, users browse freely until the token expires.
Customizable challenge page: Configure the page title, heading, description, loading text, and error messages through the admin UI.
HTTP middleware implementation: Runs as a high-priority Symfony HTTP middleware (priority 300), intercepting requests before Drupal's routing layer for minimal performance impact.
Security headers: Challenge responses include Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options headers.
Automatic challenge file regeneration: The challenge HTML file is regenerated on cache clear and when saving configuration.
No external dependencies: Everything runs on your server. No API calls, no third-party JavaScript, no data leaves your site.
Typical use cases:
- Protecting faceted search pages from bot-driven DDoS attacks
- Shielding high-traffic catalog or product listing pages
- Blocking automated scraping of search results
- Reducing server load from bot traffic on specific URL patterns
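As an added example (not code from the BotBuster module), the following Python model shows the middleware gate described above: the one-pattern-per-line wildcard matching, the token-lifetime check on the cookie, and the security headers on a challenge response. The cookie name, the token layout and the header values are assumptions for illustration, not the module's real ones.

```python
import re
import time

# Constructed sample: contents of the "protected paths" textarea, one pattern per line.
# A bare word with no slash is treated as a substring match, following the
# "any URL containing facet" wording above (assumption about the module's semantics).
PROTECTED_PATHS = """
/search
/catalog/*
facet
"""

COOKIE_NAME = "botbuster_token"  # assumed cookie name; the module's real name may differ
TOKEN_LIFETIME = 24 * 3600       # seconds; the module allows 1 hour to 7 days

# Header values are illustrative; the page only states which headers are sent.
CHALLENGE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

def compile_patterns(text):
    """Turn each non-empty line into a regex: '*' becomes '.*', everything else is literal."""
    regexes = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            regexes.append(re.compile(".*".join(re.escape(p) for p in line.split("*"))))
    return regexes

def is_protected(path, regexes):
    """Unanchored search, so '/search' also guards '/search/advanced' and 'facet' matches anywhere."""
    return any(rx.search(path) for rx in regexes)

def token_is_valid(cookies, now):
    """Assumed token layout '<fingerprint>.<issued_at>'; rejects missing, malformed or expired tokens."""
    fingerprint, sep, issued = cookies.get(COOKIE_NAME, "").rpartition(".")
    if not sep or not fingerprint or not issued.isdigit():
        return False
    return 0 <= now - int(issued) <= TOKEN_LIFETIME

def gate(path, cookies, regexes, now=None):
    """Middleware decision: 'pass' hands the request on to Drupal routing; otherwise a challenge response."""
    now = int(time.time()) if now is None else now
    if not is_protected(path, regexes) or token_is_valid(cookies, now):
        return "pass"
    return {"status": 200, "headers": CHALLENGE_HEADERS,
            "body": "<!-- challenge page generated into private://botbuster/ -->"}
```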
Post-Installation
On installation, a default challenge page is automatically generated with sensible defaults.
Navigate to Administration > Configuration > System > BotBuster (/admin/config/system/botbuster) to configure the module.
In the DDoS Protection fieldset:
- Enable or disable protection.
- Enter the paths you want to protect (one per line, wildcards supported).
- Choose a token lifetime.
In the Challenge Page fieldset, customize the text shown to visitors during verification.
Click Save configuration. The challenge HTML file and protected paths JSON file are generated automatically.
Important: This module requires a configured private file system in Drupal. The challenge HTML and protected paths JSON are stored in private://botbuster/. If you haven't configured a private file path, add the following to your settings.php:
$settings['file_private_path'] = '/path/to/private/files';
Additional Requirements
Drupal core 9, 10, or 11 - No additional contributed modules are required.
Private file system - A configured private file directory ($settings['file_private_path']) is required for storing the generated challenge page and protected paths configuration.
JavaScript-capable browsers - End users must have JavaScript enabled for the browser verification to succeed. Visitors with JavaScript disabled will not pass the challenge.
Recommended modules/libraries
Flood Control - Provides a UI for Drupal's built-in flood protection. Pairs well with BotBuster for layered defense.
Security Kit (SecKit) - Adds additional HTTP security headers and XSS/CSRF protections that complement BotBuster's path-level protection.
Similar projects
Antibot - Protects Drupal forms from spam submissions using JavaScript-based detection. Antibot focuses on form protection, while BotBuster protects arbitrary URL paths at the middleware level before Drupal's routing kicks in.
reCAPTCHA - Requires user interaction to prove they are human. BotBuster's challenge is fully automatic and invisible to the user - no puzzles, no clicking checkboxes, and no third-party service dependency.
Honeypot - Adds hidden form fields and time-based validation to catch bots on forms. Like Antibot, it targets form submissions rather than page-level access.
BotBuster is unique in that it operates as HTTP middleware protecting specific URL patterns (not just forms), requires zero user interaction, and has no external service dependencies.
Supporting this Module
If you find BotBuster useful, consider:
- Reporting bugs and feature requests in the issue queue
- Submitting patches or merge requests
- Writing documentation or tutorials
Community Documentation
Documentation contributions are welcome. If you create a tutorial, walkthrough, or blog post about BotBuster, please open an issue so we can link to it here.