I looked around and I couldn’t find any option to solve what we need with existing features.
The use-case is simple and for our client pretty important. We do want to be able to password-protect everything but the published site. All deploy and branch previews. I know of the option to set basic authentication through headers, but since we are talking atomic deploys, I could password protect all the previews, but then I could not restore those deploys.
Here is how we use Netlify:
We built an interface, where the client can use the API to trigger a build without it auto-publishing. Then we provide the preview link and if the changes have been successfully reviewed, the client can publish this specific deploy (restore deploy in the API).
I believe this is also the power of atomic deploys, since we can rely on a specific version of the build that one wants to publish. Yet, we want to make sure any deploy that is not published, is password protected. Even though, deploy previews are not indexed (or shouldn’t be), there is still a chance of this specific url leaking. It’s a high profile customer, that is dependent on certain press-releases to be only published at a specific time and date.
Preferably there would be a setting in Netlify (a simple checkbox/radio), that allows us to define how the already available Password Protection (Visitor access) feature is applied.
While we need only on of those, I can think of the following scenarios:
- All, but published site
- Only Preview Deploys
- Only Branch Deploys
- Specific Branches
We are running on a business plan if that helps.