Password Protection overview

Customize how visitors access your site using Password Protection settings available through the Netlify UI.

Basic password protection for your entire site is available on Pro plans. All basic password protection and team login protection options are available on Enterprise plans.

You can configure protection for all site deploys or only Deploy Previews and branch deploys.

SSO login support for Reviewers

The ability for Reviewers to log in to the Netlify app and collaborate on deploys using SAML SSO is currently in beta and is available on Enterprise plans.

Password Protection options

You can restrict access to site deploys with these options:

• Protect all deploys: protect all site deploys, including production deploys, Deploy Previews, and branch deploys.
• Protect only non-production deploys: keep your production deploys open to all visitors and only protect Deploy Previews and branch deploys. Note that protecting only private deploys with Password Protection settings is only available for Enterprise plans.

Learn more about how site deploys are defined in our site deploys docs.

Once you decide which deploys you would like to protect, you can choose between basic password protection and team login protection. If you choose team login protection, you have the option to configure SSO as part of that protection.

Who can configure Password Protection

As a Developer, you can change the Password Protection settings for your site at any time in the Netlify UI. Password Protection settings configured for a specific site will override any default Password Protection settings configured for your team.

As a Team Owner, you can configure the default Password Protection settings for all sites on your team. Individual Password Protection settings will take precedence over team settings. If you configure default Password Protection for site deploys on your team, this becomes the baseline protection for all of your sites.

Basic password protection versus team login protection

Password Protection allows you to protect your site with basic password protection or team login protection.

If you set up basic password protection for a site deploy, a visitor to your site deploy will find a generic password prompt. They must know and enter a shared password to access the site deploy.

If you set up team login protection for a site deploy, a visitor to your site deploy will find a Netlify team login prompt. They must be a member of your Netlify team and log in using the same credentials they use to access the Netlify app.

Basic password protection	Team login protection
Universal password required to access site deploy	Unique password and username required to access site deploy
Password set by a Developer or Team Owner	Username and password set through your Netlify team login configuration
No SSO support	Supports SSO through an identity provider
Anyone can use your basic password to access a site deploy	Only members of your Netlify team can use your team login to access a site deploy Invite unlimited Reviewers to access your site Note that Git Contributors cannot access your site with team login protection

Protect your site with single sign-on (SSO)

To protect your site with SSO protection through an identity provider, you must first set up Organization SSO or Team SSO.

Next, you need to configure Password Protection with the team login protection option.

You can protect either all site deploys or just Deploy Previews and branch deploys.

If you want to require SSO login for your site, you must configure Organization or Team SSO with the Only SSO allowed (strict) option.

SSO auth tokens expire after 1 hour

When a team member uses SSO to log in to your site, the authorization lasts for 1 hour. While this timeout is meant to enhance your security, it can be inconvenient if your use cases involve long sessions.

For this reason, we provide a Netlify-Site-Protection-Expires-In response header for sites with SSO protection. That header indicates the number of seconds remaining until the auth token used for the request expires. You can use this information to proactively refresh pages before they start to return a 401 during a long session.

Configure default Password Protection for your team

Customize Password Protection for your team with either a basic password or Netlify team login. As a Team Owner, you can customize the default Password Protection settings for all sites owned by your team.

Default Password Protection settings apply to all new sites and all existing sites that don’t have their own custom Password Protection settings configured. This allows you to customize Password Protection for a specific site.

Protect your sites with a basic password

To set a default Password Protection setting for sites owned by your team:

1. For your team, go to Team settings > Access & security > Visitor access > Default Password Protection settings.

2. Select Configure Password Protection.

3. To require site visitors to enter a basic password for all new sites and existing sites without custom Password Protection, choose Basic password protection. Enter the custom password. You will need to share this password for site visitors to access the impacted site deploys.

4. Choose the scope of your default Password Protection:

   • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
   • To protect both production and non-production site deploys, select All deploys.

5. To confirm, select Save.

Protect your sites with Netlify team login

To set a default Password Protection setting for sites owned by your team:

1. For your team, go to Team settings > Access & security > Visitor access > Default Password Protection settings.

2. Select Configure Password Protection.

3. To require site visitors to use their Netlify login credentials to access your site, choose Team login protection. Visitors must be a member of your Netlify team for this option.

Who counts as a Netlify team member for team login protection?

Team login protection applies to Developers, Team Owners, and Billing Admins only. Git Contributors will not be able to log in to your site deploys that are protected with team login protection.

4. Choose the scope of your default Password Protection:

   • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
   • To protect both production and non-production site deploys, select All deploys.

5. To confirm, select Save.

Configure Password Protection for a single site

Customize Password Protection for a specific site’s deploys with either a basic password or Netlify team login.

Protect your site with a basic password

Basic password protection allows you to quickly protect your site deploys with a single shared password. When you configure basic password protection for a specific site, all site members can change or remove this password at any time.

All site visitors will be required to enter this password to access a site deploy, including team members who can manage your site deploy’s settings in the Netlify app.

To protect your site with basic password protection:

1. In the Netlify UI, navigate to your site and go to Project configuration > Access & security > Visitor access > Password Protection.

2. Select Configure Password Protection.

3. If a Team Owner has configured default Password Protection settings on your team, then you can choose to keep the default Password Protection settings that are listed in the Netlify UI or you can select Customize this site’s protection settings.

4. To set a password that anyone can use to access your site, choose Basic password protection, and enter the required password for all site visitors.

5. Choose the scope of basic password protection for your site:

   • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
   • To protect both production and non-production site deploys, select All deploys.

6. To confirm, select Save.

Protect your site with Netlify team login

Team login protection is ideal for internal sites or for Deploy Previews and branch deploys that should remain private and for internal preview only.

Team login protection for your site allows you to restrict access to only members of your Netlify team. Team members must log in to your site using the same login credentials they use to access the Netlify app.

Once team login protection is configured, only Team Owners, Developers and Billing Admins can access the protected site deploys.

To protect your site with Netlify team login protection:

1. In the Netlify UI, navigate to your site and go to Project configuration > Access & security > Visitor access > Password Protection.

2. Select Configure Password Protection.

3. If a Team Owner has configured default Password Protection settings on your team, then you can choose to keep the default Password Protection settings that are listed in the Netlify UI or you can select Customize this site’s protection settings.

4. To allow team members to access your site with their Netlify team login credentials, choose Team login protection.

Who counts as a Netlify team member for team login protection?

Team login protection applies to Developers, Team Owners, and Billing Admins only. Git Contributors will not be able to log in to your site deploys that are protected with team login protection.

5. Choose the scope of team login protection for your site:

   • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
   • To protect both production and non-production site deploys, select All deploys.

6. To confirm, select Save.