Is Site Protection with Next.js ISR possible?

Netlify Support,

We have a Next.js site deployed to Netlify and our client would like to enable security on the staging and dev sites. The site contains product detail pages driven by a CMS and we have used ISR since there are over 10,000 products/pages. We would like to use Site Protection and avoid the need for site development to enable authentication. However, after turning on Site Protection the ISR pages no longer work. Is there any way to enable Site Protection and transition ISR to the origin since Edge Functions are disabled?

The site in question can be accessed here with the password of “password”:

Hiya @metriedevs !

Please be aware that as enterprise customers you are entitled to 1:1, personal and private tech support via email, that will come with a 4 hour response time within your business hours, which is not something we can promise in the forums. If you want that, let us know and we can escalate this case into the helpdesk for you. For future reference, any account member can email from their login email address to open the support case, optionally cc’ing any colleagues they’d like to include in the conversation - and those colleagues need not have Netlify logins on your enterprise team - only the person who opens the case needs that :slight_smile:

Just to be sure we’re looking in the same direction, is this the result you are receiving as well?

While debugging that 404, I don’t believe that that route uses ISR. I see that it uses SSR instead, so the logs for me loading that page showing what causes your lambda to return a 404 are here: Netlify App

I can see some reasonable-looking error messages in the logs when loading that page, that I suspect you’ll be equipped to parse and address around failed mapping into your product hierarchy :slight_smile:

But I anyway do not think this is caused by the password protection based on those lambda messages. Could you take a look and let me know what you think? Or, if you think that it is still the password protection screwing things up and that the 404 page is normal, perhaps you can advise if it is ok for me to deactivate the password temporarily to see the with/without versions to troubleshoot side by side?

@fool Thanks so much for the quick response. I also appreciate the advice on reaching out to support directly. I’ll let the rest of our team know that we can take that route next time.

Regarding the ISR/404 issue, I apologize but we had done a deploy trying Distributed persistent rendering to see if that corrected the issue. We reverted back and these are the headers we saw prior to turning on site protection:

% curl -I ""
HTTP/2 200 
age: 209
cache-control: public, max-age=0, must-revalidate
content-type: text/html; charset=utf-8
date: Tue, 07 Feb 2023 20:19:28 GMT
etag: "1501sforb383j3x-df"
server: Netlify
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
x-middleware-next: 1
x-nextjs-cache: REVALIDATED
x-nf-render-mode: odb ttl=43200
x-nf-request-id: 01GRPRQC5KMP3C834XT2X3QXWT
x-powered-by: Next.js

The “odb” designation should signify that this is ISR instead of SSR, correct? After turning on site protection that page works (since it has been cached) but others produce 404s. When I look in the ___netlify-handler logs I do see some SSR entries for the APIs we have.

From what we’ve read, Site Protection disables Edge Functions and ISR needs Edge Functions. Are we not understanding that correctly?

Yes, you are free to disable the password protection to look at further.

Hi @metriedevs :wave:t6: ,

Thanks so much for sharing this information. I escalated this to our helpdesk. They will follow up via email to any outstanding questions/queries. Stay tuned.