Should basic-auth work on free tier?

I have a website set up in the free tier.

I added the Basic-Auth header to my _headers file to restrict a certain section of the site. It doesn’t seem to work though, I’m not getting the login prompt in my browser.

My _headers file looks like this

  X-Frame-Options: deny
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: no-referrer
  Basic-Auth: johndoe:somepassword

The documentation about Basic-Auth states that ‘This feature may not be available on all plans.’, but the plans page does not make it clear if Basic-Auth is a paid feature or not.

Did I do something wrong here, or is Basic-Auth only available for paying customers?

See Site passwords feature on the plan features. Only available on paid plans.


I just ran into this too, and found the documentation unclear. There’s no mention of “auth” anywhere in the page; the closest that comes to it is the discussion of the Identity Add-on, which appears to be entirely unrelated.

The only place I can see it explicitly mentioned which plans do and do not include the ability to use Basic-auth is the first paragraph of the Selective Password Protection blog post.

Also, your header rules validation just quietly accepts the invalid-for-free-plans header rules as you can see in this deploy log where it says:

5 header rules processed
All header rules deployed without errors

That should generate at least a warning and possibly, because it’s a security-related change that provides access to part of the site where none is expected, an error. I would not think it unusual for someone with access to the repo for a site deployed on a paid account to try out his own deployment of it on a free account.

Hi, sorry if it’s not clear but on our pricing page we put “password protected sites” under the Pro plan:

On that same page, there’s a comparison table between our Free, Pro, and Business+ plans and password protection is only checked for Pro and Business+:

We try and keep the pricing page as the source of truth for our pricing rather than adding pricing notes all over our docs since that would require us to update our docs much more often to make sure it’s always correct.

Ok, so the issue there was that I was searching for “auth” and the phrase “password protection” doesn’t include that. Maybe in the detailed chart, changing that line to “Password Protection via HTTP authentication header” would help those of us being more technically precise with such searches?

1 Like

we’re on it @cjs - thanks for pointing this out!

We now have an additional line in the Plans table for “Basic authentication headers”.