Drupal is a registered trademark of Dries Buytaert
cva Module cva crossed 1,000 active installs. ai_dashboard Module ai_dashboard crossed 1,000 active installs.
← All modules

protect_views_flood_control

126 sites Security covered
View on drupal.org

Protect Views Flood Control limits how often visitors can submit Views Exposed Forms. It reduces scraping and abusive traffic by throttling submissions per view/display using Drupal’s Flood API. This module extends the Protect Form Flood Control module.

With the heavy recent increase in new AI scraping bots and their poor ability to navigate forms compared to more established scraping bots like GoogleBot, Views can come under more pressure. These AI Scraping bots often try every combination of every filter effectively attacking your site. Sites running Drupal often provide valuable content that can help LLMs provide better answers by having better training data. We should want the answers provided to end users of LLMs to be higher quality and help provide positive informed answers rather than blocking AI scraping and having LLMs then trained on poorer less informed data. We should also want our content to appear in AI overviews and be used to help LLMs provide better initial answers and encourage end users to come to our sites and read more.

Flood control features

  • Per-display throttling: Enable flood control for Views Exposed Forms per View display via a Views Display Extender—site builders choose exactly which View it applies.
  • Simple controls: Configure a time Window (seconds) and a Threshold (allowed submissions) for each display. Default settings are maximum 5 exposed form submissions per View checked over a 30 seconds period.
  • Bot-friendly signalling: Non-AJAX submissions over the limit return HTTP 429 Too Many Requests with Retry-After; AJAX submissions show a more user-friendly error on the form itself as a validation error. Note that a 429 response by a true user shows as 'Client error' page with a 429 in the developer console.
  • IP-based flood: This module uses Drupal core’s Flood system for lightweight, cache-friendly rate limiting. Modules like Ultimate Cron or Simple Cron are recommended to ensure Flood table is cleared frequently. Blocking base on IP range rather than specific IP is optional.

Maximum filters features

  • Per-display maximum filters: Set a maximum number of filters that can be used at once for Views Exposed Forms per View display via the same Views Display Extender as above. E.g. maximum of 2 filters usable at once.
  • Per-display maximum options per filter: Set a maximum options that can be used per filter (for filters that are arrays/multiple option selections). E.g. maximum of 3 options allowed per filter.

Post-Installation

  1. Enable the module as usual.
  2. Open any View, pick a display (Page, Block), and find the new 'Flood control' section
  3. (Optional*) Check Enable flood control and set your desired Window and Threshold. Save the View.
  4. (Optional*) Check Enable maximum filters control and set your desired Max filters and Max options per filter. Save the View.
  5. (Optional) Visit the companion settings page for Protect Form Flood Control to manage IP whitelists and logging of blocked attempts.

* Optional but this module does nothing if you do not pick one of these two options.

How it works: On each exposed form submit, the module builds a unique key for that View/display and consults the Flood system. If the threshold within the window is exceeded, it blocks the submit (AJAX: form error; non-AJAX: 429). The limiter only targets exposed filter submits—not initial page loads or pagination.

Additional Requirements

  • Drupal core: Views module enabled.
  • Protect Form Flood Control: Flood control logging and IP whitelist settings are controlled here.

Suggested Roadmap

  • Set up a permission to allow e.g. logged in users to bypass the protection (e.g. site editors)
  • ☑ Automated test coverage

Alternative (complementary) approaches

In addition to this module consider:

  • Ensuring your content and listings are as cacheable as possible
  • Using tools like Cloudflare to rate limit (see intro why we should not just block)
  • Using Crawler Rate Limit which is a wider reaching module, not specific to Views and requires more involved setup
  • Having bot specific blocking via htaccess
  • Using Facet Bot Blocker which provides a range of more advanced tools. It can block too many filters used at once at a global level for Facets, whereas this is per View control and also works for non-facet Exposed Form filters.
  • Or considering further approaches based on this blog post from @smustgrave

Feedback

If this module helped you do let me know e.g. in Drupal Slack (scott_euser) - trying to get a better understanding how this in combination with e.g. Cloudflare helps solve relayed issues, even if anicdotel.

Activity

Total releases
5
First release
Aug 2025
Latest release
2 weeks ago
Release cadence
44 days
Stability
60% stable

Release Timeline

Releases

Version Type Release date
1.0.2 Stable Feb 12, 2026
1.0.1 Stable Feb 4, 2026
1.0.0 Stable Sep 10, 2025
1.0.0-alpha1 Pre-release Aug 20, 2025
1.0.x-dev Dev Aug 20, 2025