
waf_helper

No security coverage

WAF Helper sets a secure, HMAC-based cookie for authorized users so that ModSecurity (or any other WAF) can selectively relax rules on endpoints that trigger false positives — such as admin forms, layout builders, or content-editing routes — without weakening protection for the rest of the site.

The problem

Web Application Firewalls like ModSecurity with the OWASP Core Rule Set are essential for production sites, but their strict rules often flag legitimate Drupal admin actions (rich-text editing, layout building, REST API calls) as attacks. The common workaround — blanket rule exclusions — leaves the entire application exposed.

What this module does

  1. Issues a per-user HMAC cookie (HMAC-SHA256 of the user's UUID + a configurable salt, keyed with Drupal's private key) to users who hold the "Bypass ModSecurity WAF" permission.
  2. Validates the cookie on every request using a timing-safe comparison and automatically removes invalid or tampered cookies.
  3. Lets your WAF rules inspect the cookie to selectively lower the paranoia level or disable specific rules only for trusted sessions on targeted paths.

The module itself does not modify any WAF rules — it provides the trusted signal your WAF configuration can act on.
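The cookie scheme described above, as an added Python example that is not the module's own PHP code: it derives the HMAC-SHA256 value keyed with the site private key, validates a presented cookie with a timing-safe comparison, and drops a missing, forged or tampered cookie. The private key, salt, user UUIDs, cookie name and the UUID+salt concatenation order are constructed assumptions; the page states only the inputs.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

# Constructed stand-ins for Drupal's private key, the module's configured
# salt and cookie name (all assumptions, not values from the module).
PRIVATE_KEY = b"constructed-site-private-key"
SALT = "constructed-salt"
COOKIE_NAME = "waf_helper"


def cookie_value(user_uuid: str, salt: str = SALT, key: bytes = PRIVATE_KEY) -> str:
    """HMAC-SHA256 over the user's UUID plus the salt, keyed with the private key.
    Concatenation order is an assumption; only the inputs are documented."""
    msg = (user_uuid + salt).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(user_uuid: str, lifetime: int = 3600) -> str:
    """Build the Set-Cookie value with the secure defaults the module lists:
    HttpOnly, Secure, SameSite=Strict, plus a configurable lifetime."""
    c = SimpleCookie()
    c[COOKIE_NAME] = cookie_value(user_uuid)
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["samesite"] = "Strict"
    c[COOKIE_NAME]["max-age"] = lifetime
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()


def validate_cookie(presented: Optional[str], user_uuid: str) -> bool:
    """Timing-safe check bound to the current user; anything missing,
    malformed or altered is rejected without leaking where it differs."""
    if not presented:
        return False
    expected = cookie_value(user_uuid)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def handle_request(cookies: dict, user_uuid: str) -> dict:
    """Return the cookies to keep for this request: an invalid waf_helper
    cookie is removed, mirroring the module's cleanup of tampered cookies."""
    kept = dict(cookies)
    if COOKIE_NAME in kept and not validate_cookie(kept[COOKIE_NAME], user_uuid):
        del kept[COOKIE_NAME]
    return kept
```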

Features

  • Configurable cookie name, salt, and lifetime.
  • Secure defaults: HttpOnly, Secure, SameSite=Strict.
  • Extensible via hook_waf_helper_cookie_value_alter().

Requirements

  • Drupal 10 or 11
  • A WAF (e.g. ModSecurity + OWASP CRS) with the ability to inspect cookies in rule conditions

Activity

Total releases: 1
First release: Apr 2026
Latest release: 10 hours ago
Release cadence
Stability: 0% stable

Releases

Version    Type  Release date
1.0.x-dev  Dev   Apr 13, 2026