Drupal is a registered trademark of Dries Buytaert
cva Module cva crossed 1,000 active installs. ai_dashboard Module ai_dashboard crossed 1,000 active installs.
← All modules

firewall

Security covered
View on drupal.org

The Firewall module allows you to control inbound access based on rules with host, paths, methods, and parameter combination. It's a kind of self controlled "Web application firewall".

WARNING: This module is on early stage of development and there might be API changes etc. So the code can and should only be downloaded for testing by coders. When some review and bugfixing is done there will be a dev release.

Features

The first idea behind this module is restrict access to a full featured Drupal via different hosts for example in this way:

  • "admin.example.com" can be added to bypass list and should be secured by server controlled authentication or e.g. shield module if not available.
  • "editor.example.com" can also be protected by server. But there you can also add firewall rules to deny access to "/admin" paths and redirect zo admin.example.com.
  • "public.example.com" can get a firewall rule to allow all GET requests. But you can limit PUSH requests to single paths like /form/contact and allow only a list of parameters that are allowed to send.
    With the possibility to bypass via client IP you can allow access to special API paths and block them in "public.example.com".

Post-Installation

The configuration is only possible via settings.php to keep it very lightweight because of the Middleware situation. Keep sure that all host you would give access are not protected via core trusted_hosts setting.

Example config can be found on README.md

Activity

Total releases
1
First release
Apr 2025
Latest release
10 months ago
Release cadence
Stability
0% stable

Releases

Version Type Release date
1.0.x-dev Dev Apr 10, 2025