
The Firewall module lets you control inbound access with rules that combine host, paths, methods, and parameters. It is a kind of self-controlled "web application firewall".

WARNING: This module is at an early stage of development and there might be API changes etc. So the code can and should only be downloaded for testing by coders. When some review and bugfixing is done there will be a dev release.

Features

The first idea behind this module is to restrict access to a full-featured Drupal site served via different hosts, for example in this way:

  • "admin.example.com" can be added to the bypass list and should be secured by server-controlled authentication or, if that is not available, by e.g. the shield module.
  • "editor.example.com" can also be protected by the server. But there you can also add firewall rules to deny access to "/admin" paths and redirect to admin.example.com.
  • "public.example.com" can get a firewall rule to allow all GET requests. But you can limit POST requests to single paths like /form/contact and allow only a list of parameters that may be sent.
    With the possibility to bypass via client IP you can allow access to special API paths and block them on "public.example.com".
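
The three-host scheme above, written out as a first-match rule evaluator with default deny. This is an added example, not the module's code: the rule array layout, the function name `firewall_decide`, the parameter names and the IP addresses are assumptions, and the module's actual settings.php format is the one documented in its README.md.

```php
<?php
// Added illustration. Rule format and names are hypothetical, not the module's settings.php schema.
const BYPASS_HOSTS = ['admin.example.com'];   // secured by server-side authentication instead
const BYPASS_IPS   = ['203.0.113.10'];        // constructed address of a trusted API client
const RULES = [                               // first match wins, no match means deny
    ['host' => 'editor.example.com', 'path' => '#^/admin(/|$)#', 'methods' => ['*'],
     'action' => 'redirect', 'target' => 'https://admin.example.com'],
    ['host' => 'editor.example.com', 'path' => '#^/#', 'methods' => ['*'], 'action' => 'allow'],
    ['host' => 'public.example.com', 'path' => '#^/form/contact$#', 'methods' => ['POST'],
     'action' => 'allow', 'params' => ['name', 'email', 'message']],
    ['host' => 'public.example.com', 'path' => '#^/api(/|$)#', 'methods' => ['*'], 'action' => 'deny'],
    ['host' => 'public.example.com', 'path' => '#^/#', 'methods' => ['GET'], 'action' => 'allow'],
];

function firewall_decide(string $host, string $ip, string $method, string $path, array $params = []): string
{
    $host = strtolower($host);
    $method = strtoupper($method);
    if (in_array($host, BYPASS_HOSTS, true) || in_array($ip, BYPASS_IPS, true)) {
        return 'bypass';
    }
    foreach (RULES as $rule) {
        if ($rule['host'] !== $host || !preg_match($rule['path'], $path)) {
            continue;
        }
        if (!in_array('*', $rule['methods'], true) && !in_array($method, $rule['methods'], true)) {
            continue;
        }
        // Parameter allowlist: a single unexpected key rejects the whole request.
        if (isset($rule['params']) && array_diff(array_keys($params), $rule['params'])) {
            return 'deny';
        }
        return $rule['action'] === 'redirect' ? 'redirect ' . $rule['target'] : $rule['action'];
    }
    return 'deny'; // nothing matched: default deny
}

// Constructed requests: [host, client IP, method, path, parameters]
$samples = [
    ['public.example.com', '198.51.100.7', 'GET', '/node/1', []],
    ['public.example.com', '198.51.100.7', 'POST', '/form/contact', ['name' => 'a', 'email' => 'b']],
    ['public.example.com', '198.51.100.7', 'POST', '/form/contact', ['name' => 'a', 'uid' => '1']],
    ['public.example.com', '198.51.100.7', 'GET', '/api/items', []],
    ['public.example.com', '203.0.113.10', 'GET', '/api/items', []],
    ['editor.example.com', '198.51.100.7', 'GET', '/admin/config', []],
];
foreach ($samples as [$host, $ip, $method, $path, $params]) {
    printf("%-19s %-13s %-4s %-14s => %s\n", $host, $ip, $method, $path, firewall_decide($host, $ip, $method, $path, $params));
}
```

Rule order matters in a first-match design: the specific `/form/contact` and `/api` rules sit above the catch-all GET rule for the public host, so a broader rule cannot shadow them.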

Post-Installation

Configuration is only possible via settings.php, to keep the module very lightweight because of the middleware situation. Make sure that none of the hosts you want to give access to is protected via the core trusted_hosts setting.

An example config can be found in README.md.

Activity

Total releases: 1
First release: Apr 2025
Latest release: 1 year ago
Release cadence
Stability: 0% stable

Releases

Version Type Release date
1.0.x-dev Dev Apr 10, 2025