
Secure access to sites

Secure access to your sites by requiring login credentials or configuring Advanced Web Security rules or both. Advanced Web Security allows you to control site access and add extra protection against attacks.

Netlify offers automated network-wide protections from DDoS attacks by default to all sites and across all plans.

To further protect your sites, you can do the following:

  • control site access with a password or login credentials for your entire live production site, for just part of your live site, or for preview environments of your site, such as Deploy Previews.
  • control site access and protect your site against malicious requests with Advanced Web Security rules.

# Netlify Advanced Web Security

Netlify Advanced Web Security protects your team’s sites with extra security features designed for enterprise and advanced security needs:

  • Web Application Firewall (WAF): blocks malicious traffic for a site using a Netlify-managed ruleset that’s based on common known attacks
  • Firewall Traffic Rules: blocks or allows traffic based on custom rules/rulesets for your site or team’s sites
  • Rate limiting: customizable rate limiting rules for your site or team’s sites with custom enforcement actions, such as blocking traffic or rewriting traffic with the rewrite to path action

# Rule precedence

Netlify evaluates and enforces Advanced Web Security rules in this order:

  1. Firewall Traffic Rules
  2. Web Application Firewall (WAF) rules
  3. Rate limiting rules

Because of this order, only requests that have not already been blocked by Firewall Traffic Rules or WAF rules are evaluated against rate limiting rules.

Note that Netlify applies Advanced Web Security rules to a site before any site visitor access feature that requires a password or login credentials. This means a site visitor with a blocked IP address can encounter an error page before ever reaching a password or login prompt on your site.

# Block malicious actors with Web Application Firewall (WAF)

Quickly protect your site from malicious web requests with our Web Application Firewall (WAF), which blocks web attacks with preset rules.

For example, you can protect a site with the Baseline ruleset, which is managed by Netlify. The Baseline ruleset detects common attacks we’ve found on our network as well as some common attacks documented by the OWASP Top 10 and the OWASP Core Ruleset.

Learn more about our Web Application Firewall.

# Control site access with rate limiting or Firewall Traffic Rules

Set rate limiting rules to enforce on your sites. Learn more about rate limiting.

Set Firewall Traffic Rules to control who can access your site based on their IP address or geographic location. Learn more about Firewall Traffic Rules.

# Require password or login credentials

Customize how site visitors access your entire site, just parts of your site, or just preview environments of your site, such as Deploy Previews and branch deploys. Optimize site visitor access for gated content, site administration, protected early access to your site for QA, and more.

The configuration options below allow you to require site visitors to enter a password or other login credentials before they can access your site.

  • Site Protection. Protect your entire site or just preview environments of your site with a password you control, or by requiring site visitors to be Netlify team members who log in with their Netlify team credentials. Site Protection settings are built into the Netlify UI for quick adjustment. One of the password protection options was previously called site-wide password protection.
  • Netlify Identity service. Allows you to manage and authenticate users on your site or app, without requiring them to be users of Netlify or any other service. Optimized for gated content, site administration, and more.
  • Git Gateway. Connects your site to a Git provider’s API, allowing tools like a CMS to work with content, branches, and pull requests on your users’ behalf. This feature is in BETA.
  • OAuth provider tokens. Add authentication to your site using GitHub, GitLab, or Bitbucket and Netlify’s built-in support for OAuth2 integration.
  • Role-based access control with JWT. Customize granular access to your site, or to specific pages using JSON Web Tokens (JWT), custom roles you define, and redirect rules to grant access to those sections.
  • Basic authentication with custom HTTP headers. Configure basic authentication to protect one or more sections of your site using Netlify’s custom HTTP header support. Unlike the Site Protection password options, you can set multiple passwords for your site. Formerly called Selective password protection.
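
As an added example (not the page's own configuration), the following netlify.toml combines two of the options above: a Basic-Auth header protecting one section of a site, and JWT role-based redirect rules gating another. The paths, the `admin` role name and the credential placeholders are assumptions chosen for illustration.

```toml
# netlify.toml (added example, not from the page). Paths, the "admin"
# role name and the credentials below are placeholders.

# Basic authentication with custom HTTP headers: one Basic-Auth value can
# carry several space-separated user:password pairs, which is how more
# than one password can protect the same section of the site.
# Anything in this file is committed with the repository, so do not
# reuse real account passwords here.
[[headers]]
  for = "/internal/*"
  [headers.values]
    Basic-Auth = "reviewer:REPLACE_WITH_STRONG_PASSWORD qa:REPLACE_WITH_ANOTHER_PASSWORD"

# Role-based access control with JWT: the first matching redirect rule
# wins, so the role-gated rule must come before the catch-all that turns
# other visitors away. Reversing the order would send every visitor,
# admins included, to the 401 rule.
[[redirects]]
  from = "/admin/*"
  to = "/admin/:splat"
  status = 200
  force = true
  conditions = {Role = ["admin"]}

[[redirects]]
  from = "/admin/*"
  to = "/login"
  status = 401
  force = true
```

Advanced Web Security rules still run before either of these checks, so a visitor blocked by a Firewall Traffic Rule never reaches the Basic-Auth prompt or the role check.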

For more help figuring out the best option for your use case, check out the official Support guide Access control options for your Netlify sites.