Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Content Translation Redirect Module content_translation_redirect crossed 1,000 active installs.

Challenge mitigation

27 sites Security covered
View on drupal.org

This module helps protect your Drupal site from automated abuse by presenting visitors with a simple challenge or JavaScript check. Once a visitor passes, their IP is temporarily whitelisted, allowing them to access protected parts of the site without further interruption. It offers several challenge modes and can be configured to protect specific pages or the entire site.

A lightweight IP whitelisting and challenge module for Drupal 10+
Prevent automated abuse while maintaining a smooth UX for real visitors.

Disclaimer: This module is not a WAF

This module is not intended to replace a Web Application Firewall (WAF). A dedicated WAF remains the most robust and efficient solution for mitigating complex threats and high-volume attacks. However, WAFs often involve significant infrastructure or licensing costs, making them inaccessible for some environments.

This module aims to offer a lightweight mitigation layer at the Drupal level — as a pragmatic compromise. While not as fast or powerful as a WAF, it provides reasonable protection for scenarios where a full WAF is not an option.

What It Does

This module enforces a one-time challenge or JavaScript-based check when users visit specific parts of your Drupal site. Once passed, their IP is whitelisted for a configurable duration.

This is ideal for:

  • Limiting access to exposed endpoints (e.g. `/user`, `/search`, `/contact`)
  • Reducing spam and automated attacks
  • Soft gating traffic without forcing login or rate limits

Features

  • IP whitelist based on successful challenge
  • Configurable list of target URLs (with support for wildcards and query strings)
  • Optional full-site protection mode
  • Three challenge modes:
    • Automatic JS
    • Hard
    • Adaptive Hard
  • Cron-based cleanup of expired IPs
  • Admin UI for settings and whitelist management
  • CAPTCHA module integration (optional)
  • Manual IP Whitelist (IPv4 / IPv6 / CIDR support)
  • Manual User-Agents Whitelist

Challenge Modes

  • Automatic JS
    • Invisible JS-based form auto-submission. No user interaction required.
  • Hard
    • User must manually submit a form. CAPTCHA is required if integration enabled.
  • Adaptive Hard
    • Automatically use Hard Challenge for suspicious User-Agents; otherwise use Automatic JS.

Configuration

  1. Go to:
    • `Admin > Configuration > Security > Challenge Mitigation`
  2. Configure:
    • Enable/disable the system
    • Define challenge URLs (one per line, support for ``, wildcards, and query matching)
    • Choose enforcement mode (`automatic_js` or `hard`)
    • Enable CAPTCHA integration (optional)
    • Set whitelist duration (in minutes)
  3. View/manage whitelist entries at:
    • `Admin > Configuration > Security > Challenge Mitigation > Whitelist IPs`

URL Pattern Matching

Patterns are matched against the full request URI, including query parameters.

Examples:

/user
/search?*
/news?*f%5B0%5D=*
/node/*?preview=*

Use `*` as a wildcard. You may include query strings as needed.

Automatic Cleanup

The module uses `hook_cron()` to delete expired whitelist entries.
You can also trigger it manually with:

drush cron

Manual IP Whitelist (IPv4 / IPv6 / CIDR support)

You can define a list of IP addresses or IP ranges that should always bypass the challenge mechanism, regardless of visited paths or access mode.

Simply enter one IP per line in the "Manually whitelisted IPs" field in the module configuration form.

Supported formats include:

  • Individual IPv4 addresses: 192.168.0.1
  • Individual IPv6 addresses: 2001:db8::1
  • CIDR notation (subnets): 10.0.0.0/8, 192.168.0.0/24, 2a01:e0a::/32

Whitelisted User-Agents (Advanced)

In addition to IP whitelisting, the module supports User-Agent-based whitelisting. This is useful for allowing specific bots or services (such as monitoring tools or CDN health checks) to bypass the challenge mechanism.

The manual_user_agent_whitelist configuration field accepts one regular expression per line. Each expression is evaluated against the User-Agent header of incoming requests. If a match is found, the challenge is skipped.

CAPTCHA Integration (Optional)

If the [CAPTCHA module](https://www.drupal.org/project/captcha) is enabled, you may activate it in Hard mode by checking the "Use CAPTCHA module integration" option.

Authenticated User Skip

The module provides an option to skip the challenge for authenticated users.
When enabled, only anonymous (non-logged-in) visitors will be prompted to complete the security challenge.
This setting is useful for sites where logged-in users are trusted and should not experience additional friction while navigating protected pages.

You can enable this option in the module configuration under "Skip authenticated users".

Signed Cookie Bypass

After successfully completing the challenge, users can optionally receive a signed cookie that allows them to bypass future challenges from the same browser.
The cookie contains a securely signed timestamp to prevent tampering.
On subsequent visits, if the cookie is present and valid, the module will automatically skip the challenge for that user, providing a smoother user experience.

You can enable this feature in the module settings under "Enable cookie-based challenge bypass" and configure the lifetime of the cookie according to your needs.

Installation

composer require drupal/challenge_mitigation
drush en challenge_mitigation

Maintainers

Originally developed by Sébastien Libbrecht

This implementation is sponsored by the GAYA web agency.

Feedback and contributions welcome!

Activity

Total releases
6
First release
Apr 2025
Latest release
1 year ago
Releases (12 mo)
0 ▼ from 6
Maintenance
Dormant

Release Timeline

Releases

Version Type Release date
1.0.0 Stable May 5, 2025
1.0.0-alpha5 Pre-release Apr 27, 2025
1.0.0-alpha4 Pre-release Apr 27, 2025
1.0.0-alpha3 Pre-release Apr 26, 2025
1.0.0-alpha2 Pre-release Apr 26, 2025
1.0.0-alpha1 Pre-release Apr 24, 2025