Security is the floor. Not an upgrade.

Every Ironstar subscription is protected by a minimum set of enterprise security controls. We include origin cloaking, web application firewalls, endpoint protection, active malware and virus protection, virtual 0-day Drupal patches (Drupal Steward), and much, much more at no additional cost. We believe that every Drupal site must have these protections, so we don't hide them as costly add-ons.

Certified since 2023

The only managed Drupal hosting provider in Australia's HCF program.

The Hosting Certification Framework is the Australian Government's mandatory bar for any provider holding government data. It is administered by the Department of Home Affairs and supports the Protective Security Policy Framework and the Information Security Manual.

Crucially, HCF goes beyond what ISO 27001 or SOC 2 examine. It assesses ownership structure, sovereignty, supply chain and operational control — the things government cares about when its data is at stake.

What the Hosting Certification Framework audits
Ownership and control
Who ultimately owns and controls Ironstar? Includes a review of beneficial ownership, board composition, and reach-back jurisdictions.
Data sovereignty
Where data physically resides at every step: primary, replicas, backups, logs, monitoring telemetry. Data must remain in Australia with no asymmetric routing.
Supply chain
Every sub-processor, software vendor and infrastructure partner is examined for ownership, jurisdiction and operational dependencies. Hidden offshore dependencies are not accepted.
Operational controls
Personnel screening, security incident response, change management, and contractual penalties payable if the provider materially changes ownership or operations.

Why so few providers are in the program.

Certification typically involves an assessment of three to six months on top of months of preparation, requires a Deed of Certification with the Commonwealth, and binds the provider to ongoing disclosure of any change that might affect Government risk posture. Most managed-hosting providers — especially those serving niche stacks like Drupal — never start the process.

Ironstar entered HCF in 2023 and has maintained certification continuously since. The audit and the obligations have shaped how we run the platform — they aren't a logo on a slide.

Ironstar in HCF
2023
Year of initial certification
Only one
Drupal managed-hosting provider in the HCF program
Annual declarations submitted on time. No relevant adverse changes reported. Ownership and control structure unchanged.
HCF is administered by the Australian Department of Home Affairs and supports the Protective Security Policy Framework and the Information Security Manual. Government customers can verify Ironstar's certification status through the official HCF register.

Six layers. Every site. Every plan.

We take a defense-in-depth approach to security for every customer, providing a minimum set of controls that ensure all of our customers have the most robust out-of-the-box security posture of any Drupal hosting platform.

01 Edge: DDoS Network Protection · Malicious Network Blocks · Geo-fencing
02 Application firewall: OWASP Core Rule Set WAF · XSS and SQL Injection Controls · Rate Limiting
03 Bot management: JA4 fingerprinting · Credential-stuffing defence · Form-spam mitigation
04 Drupal Steward: Pre-emptive WAF rules from the Drupal Security Team · Mitigates critical core CVEs before announcement
05 Runtime: EDR on every container · Immutable read-only environments · Per-tenant network segmentation
06 Data: Encryption at rest and in transit · Per-tenant isolation · Out-of-band backups with offsite storage

Web Application Firewalls should not be optional

Launching a Drupal site without a WAF is like driving a car without airbags. It simply shouldn't be allowed, and yet only Ironstar makes a fully-capable WAF a default part of every subscription at no added cost.

Always On

Every subscription is covered by a built-in set of Web Application Firewall rules which reject traffic based on known malicious patterns.

In addition, all Drupal sites are protected by Drupal Steward. When the Drupal Security Team identifies a highly-critical core vulnerability, embargoed WAF rules are issued to Steward partners before public disclosure. We deploy them across every Ironstar

Bad Networks
Automatically Blocked
Networks known to host malicious bots and attackers are always prevented from reaching your site.
DDoS Protection
Built-in Layer 3/4 Network Protection
Distributed Denial of Service attacks are automatically detected and prevented from wasting server capacity.
Malicious Requests
XSS, SQL Injection, Backdoor, Attack Tooling
Individual malicious requests matching known patterns are automatically rejected, and offending networks blocked.

Extended WAF Capabilities

Customers requiring additional coverage can upgrade their WAF protection to add sophisticated bot management and other application protection, in addition to the built-in coverage.

Extended One-Click Blocking Rules

Click a button to block traffic from common malicious sources including Tor, VPNs, Anonymizers, and low-reputation data centres. 

Layer-7 DDoS Protection

Extend DDoS protection for your site to include Application-layer (Layer 7) attacks.

Client Challenges

Suspicious browsers can be given a small computational challenge to filter bots from accessing uncached content. Highly effective at minimising abusive traffic without annoying CAPTCHAs.

Challenge Suspicious Users

Some bots try to make themselves look like humans to bypass restrictions. Our WAF detects these imposters and you can choose to challenge them to verify they're human.

Manage AI Bots

Block AI bots and crawlers from viewing your site, or force them to only access approved paths such as light-weight markdown files. 

Geo-Fencing

Define a list of countries that are allowed to access your site, and block traffic from anywhere else. Optionally let in legitimate bots like Google, Bing, and others. 

Block at the WAF or at the Edge

Choose to block bad traffic completely from your site, or allow it to only access cached content and block it from accessing your web server. Useful for striking a balance between discoverability and protecting your servers.

Advanced Rate Limiting Rules

Protect against credential-stuffing attacks, form spam, view hammering, password reset floods, search abuse, and much more with one-click rate limiting rules with optional client challenges.

Don't pay for traffic you don't want

Over 60% of all web traffic today is automated — scrapers, credential testers, exploit scanners, AI training crawlers, and bots harvesting your content. You are paying to serve those bots whether you want them to harvest your data or not.

Ironstar gives you substantial control to block or challenge bots, and we don't charge you for traffic you reject.

Ironstar customers pay only for accepted requests. 

Typical web traffic mix
Security
Credential stuffing, exploit scanners, scrapers blocked at the edge.
Performance
Origin compute saved on requests visitors never made.

Geo-fencing

Restrict access to specified countries — only human eyes from your target markets, plus trusted search bots from anywhere, can reach the site.

ASN and IP reputation

Block traffic from known scraping farms, residential-proxy networks, and abusive cloud ranges. Updated continuously.

Behavioural heuristics

Detects automation by request patterns — JA4 fingerprints, header anomalies, cadence and click-stream signals.

Trusted-bot allow-list

Verified Google, Bing, Meta, and other reputable crawlers are allowed regardless of country — verified, not just user-agent claimed.

Get in touch

Talk to our security team — not a sales rep. We'll answer your questionnaire, join your procurement call, or provide platform documentation under NDA.

Usually a 30-minute call · Melbourne, Nara, Sydney, Tokyo or Singapore hours