This project is not covered by Drupal’s security advisory policy.
Multisite Status Report securely exposes a Drupal site's status report, available updates and security information as JSON, so an external monitor can track the health of the site. Every request is signed with HMAC using only Drupal core — the shared secret is never transmitted, even if the URL is intercepted.
Features
The module turns the data you already see on Reports → Status report and Reports → Available updates into machine-readable JSON endpoints, protected by strong authentication:
- Three endpoints: a full status report, the list of enabled projects with available-update/security info, and a compact summary tailored for dashboards.
- HMAC request signing (core only): clients send a key id, timestamp, nonce and an HMAC-SHA256 signature in request headers. The secret itself never travels over the wire.
- Replay protection: a timestamp window plus a single-use nonce store reject replayed or stale requests.
- Brute-force protection: invalid attempts are throttled per IP using the core Flood API, and signatures are compared in constant time with hash_equals().
- No contrib dependencies: authentication is implemented as a native Drupal authentication provider — no OAuth, JWT, or other external modules required.
- Activation switch & site notes that travel with the data, useful for identifying environments in a fleet.
- Extensible: other modules can add their own indicators via hook_multisite_status_report_status().
Use it whenever you maintain more than one Drupal site and want a single, trustworthy way to know which sites are behind on updates or have a pending security release — without opening sensitive reports to anyone who guesses or sniffs a URL.
Post-Installation
On install the module generates a key identifier and a strong shared secret, creates a dedicated, login-blocked service account that carries the access permission, and activates the endpoints.
- Go to Administration → Configuration → Development → Multisite Status Report (/admin/config/development/multisite-status-report).
- Copy the key identifier and generate/copy the shared secret (the secret is shown only once). Provide both to your monitoring client.
- Optionally add site notes and toggle activation on or off without uninstalling.
Clients must sign each request with the headers X-MSR-Key, X-MSR-Timestamp, X-MSR-Nonce and X-MSR-Signature, where the signature is HMAC-SHA256 over the canonical string METHOD\nPATH\nTIMESTAMP\nNONCE\nSHA256(body). The endpoints are /multisite-status-report/status-report, /multisite-status-report/modules-updates and /multisite-status-report/summary.
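The signing scheme described above, sketched as a Python monitoring client together with a model of the server-side checks (an added example, not the module's own code). Unix-second timestamps, hex-encoded digests, the secret used as UTF-8 bytes and the 300-second window are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 300  # assumed tolerance; the module's real window is not stated on the page


def canonical_string(method, path, timestamp, nonce, body=b""):
    """METHOD\\nPATH\\nTIMESTAMP\\nNONCE\\nSHA256(body), per the page's description."""
    body_hash = hashlib.sha256(body).hexdigest()  # hex encoding is an assumption
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(key_id, secret, method, path, body=b"", now=None, nonce=None):
    """Return the four X-MSR-* headers for one request."""
    timestamp = int(time.time() if now is None else now)  # Unix seconds: assumption
    nonce = nonce or secrets.token_hex(16)  # fresh random value per request
    message = canonical_string(method, path, timestamp, nonce, body)
    signature = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
    return {
        "X-MSR-Key": key_id,
        "X-MSR-Timestamp": str(timestamp),
        "X-MSR-Nonce": nonce,
        "X-MSR-Signature": signature,
    }


def verify_request(headers, secret, method, path, body, seen_nonces, now=None):
    """Model of the checks the page lists: time window, constant-time compare, single-use nonce."""
    now = int(time.time() if now is None else now)
    try:
        timestamp = int(headers["X-MSR-Timestamp"])
        nonce = headers["X-MSR-Nonce"]
        presented = headers["X-MSR-Signature"]
    except (KeyError, ValueError):
        return "malformed"
    if abs(now - timestamp) > WINDOW_SECONDS:
        return "stale"
    message = canonical_string(method, path, timestamp, nonce, body)
    expected = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
    # compare_digest is Python's analogue of PHP's hash_equals()
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return "bad-signature"
    if nonce in seen_nonces:
        return "replayed"
    seen_nonces.add(nonce)  # record only after the signature checks out
    return "ok"
```

Because the path is part of the signed string, headers captured for one endpoint do not validate against another, and the nonce set makes an otherwise valid request single-use inside the time window.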
Always serve the endpoints over HTTPS: HMAC signing keeps the secret off the wire but does not encrypt anything, and the responses still contain sensitive site information. For production, consider overriding the secret in settings.php and excluding it from configuration exports.
Additional Requirements
Drupal core's Update Manager module (drupal:update) only. No third-party libraries or external authentication modules are needed.
Recommended modules/libraries
- Multisite Status Dashboard — the companion module that aggregates many sites running Multisite Status Report into a single dashboard.
- Config Ignore / Config Split — to keep the per-environment secret out of shared configuration.
Similar projects
Site Guardian exposes similar data but authenticates with a secret passed as a URL query parameter. Multisite Status Report differs by signing requests with HMAC in HTTP headers, so the secret is never present in the URL (and therefore not exposed in logs, proxies, or browser history), and by adding timestamp/nonce replay protection — all without any contributed authentication module.
Supporting this Module
If this module is useful to you, issue reports and patches are very welcome in the project's issue queue. Sponsorship links can be added here.
Community Documentation
Project information
Minimally maintained
Maintainers monitor issues, but fast responses are not guaranteed.
- Project categories: Administration tools, Developer tools, Security
- Created by fkatsukawa on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.

