This project is not covered by Drupal’s security advisory policy.
Sites shield adds an HTTP Basic-Auth gate to individual sites managed by the
Sites module. Each site defines
its own username and password; visitors must authenticate before any page — including
403 and 404 responses — is served. It is the per-site equivalent of the
Shield module, ideal for hiding
staging or pre-launch sites from search engines and casual visitors.
Features
- Per-site username and password, configured right on the site edit form
- Protects every response, including error pages, by running before routing
- Passwords stored hashed via Drupal's password service
- Basic-auth requests excluded from the page cache, so protected pages never leak
- "Skip sites_shield auth" permission to let trusted roles through
- Accepts the standard Authorization header, PHP_AUTH_USER/PW, or a custom sites-shield header
Requirements
Drupal 11.2+ and the Sites module.
Getting started
Edit any site provided by Sites, open the Sites shield section, and set
a user and password. Leave the user empty to disable the shield for that site.
Supporting organizations:
Project information
- Project categories: Access control, Security, Site structure
- Ecosystem: Sites
- Created by hydra on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
Releases
1.0.0-alpha1
released 23 June 2026
Works with Drupal: ^10 || ^11
Install:
Development version: 1.x-dev updated 23 Jun 2026 at 20:32 UTC
