This project is not covered by Drupal’s security advisory policy.
Haubergeon provides some defense in depth through several mechanisms:
- Enforce IP restrictions on the use of certain roles (thus guarding against privilege elevation by gaining a role or taking over a user account)
- Forbid access to non-whitelisted paths
- Forbid access to blacklisted paths
The module doesn't modify access callbacks or calls to user_access, but listens early in the request and terminates if certain conditions are met.
Vulnerabilities that occur before hook_boot executes and, depending on the haubergeon_drupal_error setting, those in the full bootstrap or in drupal_not_found() can still be exploited. In the latter case Haubergeon does its best to neuter $_POST/$_GET/$_REQUEST.
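The three checks listed above amount to one allow/deny decision taken before the request is dispatched. The PHP below is an added example, not Haubergeon's code: the function names, the policy array layout, the order of the checks and the use of fnmatch() for path patterns are assumptions, and the module's real options are the ones documented in README.txt.

```php
<?php
// Added illustration: hypothetical names and policy layout, not Haubergeon's settings.

// True when IPv4 $ip lies inside $cidr; malformed input fails closed (64-bit PHP assumed).
function example_ip_in_cidr(string $ip, string $cidr): bool {
  [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
  $ipLong = ip2long($ip);
  $netLong = ip2long($net);
  if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
    return false;
  }
  $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
  return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns 'allow' or a deny reason. Check order (blacklist, whitelist, roles) is an assumption.
function example_request_decision(string $path, string $ip, array $roles, array $policy): string {
  $matches = fn(array $patterns): bool => (bool) array_filter($patterns, fn($p) => fnmatch($p, $path));
  if ($matches($policy['blacklist'])) {
    return 'deny: blacklisted path';
  }
  if (!$matches($policy['whitelist'])) {
    return 'deny: path not whitelisted';
  }
  foreach ($roles as $role) {
    $allowed = $policy['role_ips'][$role] ?? null; // null: role is not IP-bound
    if ($allowed !== null && !array_filter($allowed, fn($cidr) => example_ip_in_cidr($ip, $cidr))) {
      return "deny: role '$role' not permitted from $ip";
    }
  }
  return 'allow';
}

// Constructed sample policy and requests (documentation address ranges).
$policy = [
  'blacklist' => ['user/register', 'admin/modules*'],
  'whitelist' => ['node/*', 'user*', 'admin/*'],
  'role_ips'  => ['administrator' => ['192.0.2.0/24']],
];
$requests = [
  ['node/12', '203.0.113.9', ['authenticated user']],
  ['admin/people', '203.0.113.9', ['authenticated user', 'administrator']],
  ['admin/people', '192.0.2.44', ['authenticated user', 'administrator']],
  ['admin/modules/list', '192.0.2.44', ['administrator']],
  ['filter/tips', '192.0.2.44', []],
];
foreach ($requests as [$path, $ip, $roles]) {
  echo str_pad($path, 20), example_request_decision($path, $ip, $roles, $policy), "\n";
}
```

The example compares the directly connected client address only, so behind a reverse proxy every request would appear to come from the proxy; that is the case the "trusted" proxies item in the To Do list concerns.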
See README.txt for configuration options.
Warning
CAUTION: Enabling Haubergeon without providing configuration in settings.php will result in an inaccessible site.
To Do
Important features that are in development:
- Support for traffic from "trusted" proxies on the exemption & rolebinding lists.
- Support/Investigate IP exemptions & Varnish
Project information
- Created by heine on , updated
Use at your own risk! It may have publicly disclosed vulnerabilities.