Security overview

Netlify can meet the complex security and compliance needs of Enterprises and cross-functional teams with customizable access to production and preview sites, SAML SSO login, SCIM provisioning, role-based access control, Firewall traffic rules, and more.

If you have an Enterprise plan, you can improve your team’s security and reduce your vulnerabilities by reviewing the Security Scorecard for your Enterprise team.

You can also check out the security checklist for more details on how Netlify can improve your security.

Customize access control for your sites with a password prompt, login credentials, or based on site visitors’ IP address or location.

Block traffic to your site with Firewall traffic rules and set custom rate limits with our rate limiting rules.

Learn more about Secure access to sites.

Secure how people can access your Netlify team, resources, and sensitive information with these security features:

Learn more about Secure access to Netlify

Netlify’s Frontend Cloud has a reduced attack surface, offering security by design.

Netlify also offers these security features to help you stay secure as you scale:

Even if a malicious attacker tries to take down your site, our global infrastructure and automated DDoS protection can keep your site available.

Netlify automatically detects distributed denial-of-service (DDoS) attacks and will rate limit and block malicious clients from connecting to sites hosted on our servers.

Our edge network keeps malicious clients from impacting network performance in several ways, including:

  • Global load balancing: routes traffic strategically amongst our many servers. Netlify manages these servers to ensure capacity grows as needed.
  • Automatic DDoS detection: automatically identifies anomalous clients that pose a risk to your site’s availability.
  • Automatic rate limiting & blocking: mitigates attacks by rate limiting and blocking identified clients from connecting to sites deployed on Netlify and hosted on our servers.
  • SOC 2 Type 2 and ISO 27001 reports available
  • PCI DSS
  • GDPR and CCPA

For the latest compliance updates and more details, check out our Netlify trust center.

To ensure that Netlify can quickly contact you about potential abuse, fraud, or other security incidents, add at least one email address as an incidents contact. If you have an organization, you can only add a contact in your organization settings.

  1. As a Team Owner, go to Team settings > General > Primary Contacts, then select Edit contacts.

  2. Add at least one email address as a primary contact for security, abuse, or fraud incidents.

If your team is a part of an organization, you can only add contacts in your organization settings.

  1. As an Organization Owner, select your organization name in the navigation and then select Organization overview.

  2. Select your Organization’s Settings page, go to Primary contacts, then select Edit contacts.

  3. Add at least one email address as a primary contact for security, abuse, or fraud incidents. This contact info will appear as read-only in team settings.