Security /Secure access to sites /

Basic authentication with custom HTTP headers

This feature is available on Core Pro and Enterprise plans.

If you need multiple passwords for a site or only need to protect one or more sections of your site, you can set up basic authentication with Netlify’s custom HTTP header support.

You can also use Netlify’s Site Protection options to configure full Site Protection for all site deploys, or only Deploy Previews and branch deploys.

To learn more about automatically protecting specific branch deploys, check out this selective password protection blog post. Note that basic authentication with custom HTTP headers is referenced as selective password protection in this blog post and in several forum posts.

Not for sensitive information

Basic authentication does not encrypt access credentials or provide a method for user-initiated logout. Enabling HTTPS on your site will prevent eavesdropping on requests, but to protect sensitive or valuable information, we recommend using visitor access control with JWTs instead.

The sample below adds basic authentication to a site directory by adding a Basic-Auth rule to a _headers file. (You can also set these headers in the Netlify configuration file.)


There are two users defined here: one with the username USERNAME and password USER_PASSWORD, the other with SECOND_USERNAME and SECOND_USER_PASSWORD. This will trigger the built-in basic browser authentication for any URL under /protected.

Unlike other headers in your custom headers configuration, the Basic-Auth header will not be sent as written in a standard HTTP header. Instead, it will be used to control the appropriate HTTP headers for basic authentication.

Double passwords

If you enable both basic password protection and basic authentication on a site, the basic authentication login prompt appears first and the global password login for basic password protection opens next.