Site & team management /Security /Secure access to sites /

Site Protection overview

Customize how visitors access your site using Site Protection settings available through the Netlify UI.

Basic password protection for your entire site is available on Pro plans. All basic password protection and team login protection options are available on Enterprise plans.

You can configure protection for all site deploys or only Deploy Previews and branch deploys.

SSO login support for Reviewers

The ability for Reviewers to log in to the Netlify app and collaborate on deploys using SAML SSO is currently in beta and is available on Enterprise plans.

# Site Protection options

You can restrict access to site deploys with these options:

  • Protect all deploys: protect all site deploys, including production deploys, Deploy Previews, and branch deploys.
  • Protect only non-production deploys: keep your production deploys open to all visitors and only protect Deploy Previews and branch deploys.

Learn more about how site deploys are defined in our site deploys docs.

Once you decide which deploys you would like to protect, you can choose between basic password protection and team login protection. If you choose team login protection, you have the option to configure SSO as part of that protection.

# Who can configure Site Protection

As a Developer, you can change the Site Protection settings for your site at any time in the Netlify UI. Site Protection settings configured for a specific site will override any default Site Protection settings configured for your team.

As a Team Owner, you can configure the default Site Protection settings for all sites on your team. Individual Site Protection settings will take precedence over team settings. If you configure default Site Protection for site deploys on your team, this becomes the baseline protection for all of your sites.

# Basic password protection versus team login protection

Site Protection allows you to protect your site with basic password protection or team login protection.

If you set up basic password protection for a site deploy, a visitor to your site deploy will find a generic password prompt. They must know and enter a shared password to access the site deploy.

If you set up team login protection for a site deploy, a visitor to your site deploy will find a Netlify team login prompt. They must be a member of your Netlify team and log in using the same credentials they use to access the Netlify app.

Basic password protection Team login protection
Basic password prompt on a deploy when basic password protection is enabled. Standard Netlify team login options on a deploy when team login protection is enabled, includes options to log in with GitHub, GitLab, Bitbucket, Email, or SSO
Universal password required to access site deploy Unique password and username required to access site deploy
Password set by a Developer or Team Owner Username and password set through your Netlify team login configuration
No SSO support Supports SSO through an identity provider
Anyone can use your basic password to access a site deploy Only members of your Netlify team can use your team login to access a site deploy

Invite unlimited Reviewers to access your site

Note that Git Contributors cannot access your site with team login protection

# Protect your site with single sign-on (SSO)

To protect your site with SSO protection through an identity provider, you must first set up Organization SSO or Team SSO.

Next, you need to configure Site Protection with the team login protection option.

You can protect either all site deploys or just Deploy Previews and branch deploys.

If you want to require SSO login for your site, you must configure Organization or Team SSO with the Only SSO allowed (strict) option.

SSO auth tokens expire after 1 hour

When a team member uses SSO to log in to your site, the authorization lasts for 1 hour. While this timeout is meant to enhance your security, it can be inconvenient if your use cases involve long sessions.

For this reason, we provide a Netlify-Site-Protection-Expires-In response header for sites with SSO protection. That header indicates the number of seconds remaining until the auth token used for the request expires. You can use this information to proactively refresh pages before they start to return a 401 during a long session.

# Configure default Site Protection for your team

Customize Site Protection for your team with either a basic password or Netlify team login. As a Team Owner, you can customize the default Site Protection settings for all sites owned by your team.

Default Site Protection settings apply to all new sites and all existing sites that don’t have their own custom Site Protection settings configured. This allows you to customize Site Protection for a specific site.

# Protect your sites with a basic password

To set a default Site Protection setting for sites owned by your team:

  1. For your team, go to

    .

  2. Select Configure Site Protection.

  3. To require site visitors to enter a basic password for all new sites and existing sites without custom Site Protection, choose Basic password protection. Enter the custom password. You will need to share this password for site visitors to access the impacted site deploys.

  4. Choose the scope of your default Site Protection:

    • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
    • To protect both production and non-production site deploys, select All deploys.
  5. To confirm, select Save.

# Protect your sites with Netlify team login

To set a default Site Protection setting for sites owned by your team:

  1. For your team, go to

    .

  2. Select Configure Site Protection.

  3. To require site visitors to use their Netlify login credentials to access your site, choose Team login protection. Visitors must be a member of your Netlify team for this option.

    Who counts as a Netlify team member for team login protection?

    Team login protection applies to Developers, Team Owners, and Billing Admins only. Git Contributors will not be able to log in to your site deploys that are protected with team login protection.

  4. Choose the scope of your default Site Protection:

    • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
    • To protect both production and non-production site deploys, select All deploys.
  5. To confirm, select Save.

# Configure Site Protection for a single site

Customize Site Protection for a specific site’s deploys with either a basic password or Netlify team login.

# Protect your site with a basic password

Basic password protection allows you to quickly protect your site deploys with a single shared password. When you configure basic password protection for a specific site, all site members can change or remove this password at any time.

All site visitors will be required to enter this password to access a site deploy, including team members who can manage your site deploy’s settings in the Netlify app.

To protect your site with basic password protection:

  1. In the Netlify UI, navigate to your site and go to

    .

  2. Select Configure Site Protection.

  3. If a Team Owner has configured default Site Protection settings on your team, then you can choose to keep the default Site Protection settings that are listed in the Netlify UI or you can select Customize this site’s protection settings.

  4. To set a password that anyone can use to access your site, choose Basic password protection, and enter the required password for all site visitors.

  5. Choose the scope of basic password protection for your site:

    • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
    • To protect both production and non-production site deploys, select All deploys.
  6. To confirm, select Save.

# Protect your site with Netlify team login

Team login protection is ideal for internal sites or for Deploy Previews and branch deploys that should remain private and for internal preview only.

Team login protection for your site allows you to restrict access to only members of your Netlify team. Team members must log in to your site using the same login credentials they use to access the Netlify app.

Once team login protection is configured, only Team Owners, Developers and Billing Admins can access the protected site deploys.

To protect your site with Netlify team login protection:

  1. In the Netlify UI, navigate to your site and go to

    .

  2. Select Configure Site Protection.

  3. If a Team Owner has configured default Site Protection settings on your team, then you can choose to keep the default Site Protection settings that are listed in the Netlify UI or you can select Customize this site’s protection settings.

  4. To allow team members to access your site with their Netlify team login credentials, choose Team login protection.

    Who counts as a Netlify team member for team login protection?

    Team login protection applies to Developers, Team Owners, and Billing Admins only. Git Contributors will not be able to log in to your site deploys that are protected with team login protection.

  5. Choose the scope of team login protection for your site:

    • To only protect site deploys that are not on your production branch, such as Deploy Previews and branch deploys, select Non-production deploys only.
    • To protect both production and non-production site deploys, select All deploys.
  6. To confirm, select Save.