AWAFAWAF

Drupal

Prefer .htaccess auto_prepend_file when php_value is supported. It starts AWAF before Drupal PHP files and additional endpoints.

Preferred method

On Apache with mod_php and allowed php_value, place the directive in the Drupal root .htaccess and use the absolute AWAF path.

php_value auto_prepend_file "<path_to_directory>/antibot/index.php"

Coverage

AWAF loads before index.php, update.php, cron.php, and other PHP endpoints in scope. This reduces gaps from front-controller-only integration for admin, AJAX, legacy, or service PHP files.

Fallback

For PHP-FPM, CGI, Nginx-only setups, or locked .htaccess, use .user.ini, vhost/pool config, or an early common entry point, usually index.php. This fallback is less universal than auto_prepend_file, so verify admin, AJAX, update.php, cron.php, and direct PHP endpoints.

Verify

  • Test home, node/page, taxonomy, search, and 404 pages.
  • Test /user/login, admin URLs, AJAX, JSON/API, update.php, and cron.php if web-accessible.
  • Check forms, sitemap/XML, and module integrations.
  • Add narrow whitelist_url rules for service URLs after checking RayID.