Last reviewed by Netlify Support: April 2024
You’ve got an awesome Netlify site. Maybe you’re pre-launch, or maybe you’re working on a new beta version in a branch. Maybe it’s a site intended only for a limited audience, such as your co-workers. Regardless, you want to limit access. This article is a guide to what facilities are available and how you might use them.
The options are:
- the Identity service (all plans)
- basic authentication headers (Pro plan or higher only)
- site basic password (Pro plan or higher only)
- site team login (Pro plan or higher only)
Identity
Our most flexible and performant protection is our Identity service. This is very flexible, featuring:
- different access levels (think: paid customer can access premium content; content editor can access CMS; admins can access all areas)
- authentication at the CDN edge - this is very performant for serving protected content to authenticated users.
- has an API to configure and manage users
- has an invitation/account creation interface that can be exposed directly to your users.
It takes more thought and a bit of effort to set up (start with this great step-by-step blog post), and depending on your use case may require an additional cost atop your Netlify plan. However, it can also be used entirely for free for a smaller user base, which neither of the below can as they both require a Pro or higher plan. This can also be integrated (with some effort) with our SSO login feature. If you’re curious about this, check out a video presenting an example of such a configuration.
basic authentication headers
Simpler but still somewhat flexible is configuring Basic Authentication with custom HTTP headers via our custom headers facility. This method is flexible in that you can configure multiple username/password pairs (and change some or all of them with a new deploy), and you can also scope this protection to specific paths or assets - put a password on accessing the spreadsheet but not the webpage linking to it, or serve an unauthenticated landing page on the same site where all the real content is protected. Something to keep in mind is that this method is set per deploy, and since we have atomic deploys, you cannot apply it to past deploys, or remove it from deploys that had it enabled accidentally. Assets protected in this way require authentication to be done at our CDN Origin (on the west coast US as of this writing) for each asset loaded, meaning that those assets will not perform as well as one that can be serviced directly from our CDN node cache, closer to the browser.
site basic password
The simplest option Netlify offers is built-in site protection in your site and team settings. These options let you set a password to protect your entire site or just branch deploys and Deploy Previews; learn more about this in the docs. Note: You will need to find a way to share this password with your visitors, and if it leaks, you will need to change it and repeat the process. This can be turned on and off instantly through our UI or API as needed.
site team login
This options is much like the basic password option, with one key difference. Instead of there being a single password that will be used by everyone accessing the site, this option requires that each person log into Netlify to access the site (and they must also be members of your team at Netlify). This then means that each person is going to use their own authentication method to login to Netlify. With this option people can only see your site if they have logged in and are a member of your team. There is more information about this option found in our docs here.
more resources
A related article is this guide to creating Build-context-specific settings, including HTTP Basic-Auth passwords, where we go into a lot of details about how to password protect “groups” of builds - only specific branches, only PR’s, etc.
We also know there are other types of password protection that people might also want which we don’t yet offer. If you have suggestions for other types of password protection, please let us know below!