Security /

Security Scorecard

This feature is in Beta and is available on Core Enterprise plans.

Improve your team’s security and reduce your vulnerabilities with the Security Scorecard. The scorecard offers actionable insights on using Netlify and applying security best practices.

# Overview

The Security Scorecard is designed to help you identify risks in your security posture and take action to remediate them. We recommend using the scorecard as an ongoing part of your own security policy.

Team Owners can review an autogenerated scorecard at a team’s

tab. To start a new security audit, refresh the browser page.

Security Scorecard with timestamp and some security risk alerts for 2FA and SSO

# Authentication recommendations

Configure secure access to your Netlify team to help protect sensitive information and prevent others from gaining control over your sites.

# Set up 2FA for Team Owners

We recommend setting up 2FA for all Team Owners to reduce the risk that an adversary gains full administrative control of your team and sites.

You can configure 2FA through an identity provider or within Netlify. Either way, it’s critical that you protect access to your team/organization with 2FA.

To remediate this risk with a more robust and longer-term fix, configure and enforce SSO with an identity provider and Netlify. After configuring SSO, you have the option to set up 2FA through your identity provider. We recommend FIDO2 2FA for the most robust security.

# Alternative

Whether or not you have set up SAML SSO, you can enforce 2FA within Netlify.

When you enforce 2FA within Netlify, team members cannot access your team/organization without authenticating through the 2FA authenticator app that they set up for their Netlify user ID. As a fallback method, they can use recovery codes they saved.

Once a team member sets up 2FA for their Netlify user ID, they must always authenticate with 2FA to log in to Netlify.

Before enforcing 2FA, you can encourage Netlify team members to set up 2FA within Netlify with a warning banner that appears at the top of every page in the Netlify UI for team members who haven’t enabled 2FA.

To start the 2FA enforcement process through Netlify:

  1. If you haven’t already, configure 2FA for your Netlify user ID.
  2. Encourage team members to set up 2FA or enforce 2FA for your team or organization with these 2FA enforcement docs.

# Set up 2FA for Collaborators

We recommend setting up 2FA for all Collaborators to reduce the risk that an adversary gains access control to your site settings and private site deploys.

You can configure 2FA through an identity provider or within Netlify. Either way, it’s critical that you protect access to your team/organization with 2FA.

To remediate this risk with a longer-term fix, configure and enforce SSO with an identity provider and Netlify. After configuring SSO, you have the option to set up 2FA through your identity provider. We recommend FIDO2 2FA for the most robust security.

# Alternative

Whether or not you have set up SAML SSO, you can enforce 2FA within Netlify.

When you enforce 2FA within Netlify, team members cannot access your team/organization without authenticating through the 2FA authenticator app that they set up for their Netlify user ID. As a fallback method, they can use recovery codes they saved.

Once a team member sets up 2FA for their Netlify user ID, they must always authenticate with 2FA to access any other Netlify teams where they are a Collaborator, Team Owner, or Reviewer.

Before enforcing 2FA, you can encourage Netlify team members to set up 2FA within Netlify with a warning banner that appears at the top of every page in the Netlify UI for team members who haven’t enabled 2FA.

To start the 2FA enforcement process through Netlify:

  1. If you haven’t already, configure 2FA for your Netlify user ID.
  2. Encourage team members to set up 2FA or enforce 2FA for your team or organization with these 2FA enforcement docs.

# Enforce SSO login

We recommend strict enforcement of SSO. Otherwise SSO is simply another authentication option that team members aren’t required to use, offering convenience without security.

Netlify allows you to enforce SSO login through an identity provider with Organization SSO or Team SSO. You can enforce SSO by enabling Strict SSO for your team or organization.

To enforce SSO with an identity provider:

  1. If you haven’t already, consider whether Organization SSO, which offers SCIM provisioning and guided setup, is best for your team over Team SSO.

  2. To ensure site access, confirm that everyone who needs access to your site or team settings has an account with your identity provider.

  3. Follow these steps to enable strict SSO for Organization SSO or Team SSO.

# Set up SSO with an identity provider

We recommend you set up SSO login with an identity provider. This reduces the risk that users log in with insecure authentication methods and compromise your team’s security.

Netlify allows you to set up SSO login through an identity provider using Organization SSO or Team SSO. Organization SSO supports more identity providers, a guided setup, and SCIM provisioning.

To set up SSO with an identity provider:

  1. Check whether your identity provider is supported by Organization SSO or Team SSO.

  2. Choose whether to use Organization SSO or Team SSO:

    • For the most scalable security, SCIM provisioning, guided setup, and wider identity provider support, choose Organization SSO.
    • For basic SSO login for a single team without guided setup or Netlify-integrated SCIM provisioning, choose Team SSO.
  3. Follow the set up steps for either Organization SSO or Team SSO.

FIDO2 2FA best practice

We recommend you enforce FIDO2 2FA through your identity provider for even greater security. Learn more from your identity provider.

# User management recommendations

Apply security best practices to how you manage users and their access to your Netlify team, sites, and sensitive information.

# Provision users with SCIM Directory Sync

We recommend provisioning users with SCIM Directory Sync to securely manage access control through your identity provider at scale. This reduces the risk that people who have left your company can still control your sites and access sensitive information.

To set up SCIM Directory Sync, you must have a Netlify Organization and also have an Organization Owner role. Learn more about Netlify’s SCIM Directory Sync.

# Reduce Team Owners

We recommend maintaining a maximum of 5 Team Owners per team to ensure you are giving the least privilege needed and applying a security best practice.

To reduce the number of Team Owners on your team:

  1. Navigate to your team’s

    page to review Team Owners.

  2. Decide whether it makes sense to demote a Team Owner to a Collaborator role or remove them from the team completely.

  3. Edit a Team Owner’s role or remove them from the team. There are two different ways to do this depending on whether or not a Team Owner is provisioned through SCIM Directory Sync.

    • If not provisioned with SCIM: Navigate to your team’s

      page. Next, you can edit their role or remove them from the team completely.

      Owners can use the "Options" menu to remove or edit a member.

    • If provisioned with SCIM and managed by a Netlify organization: In your identity provider, deprovision the user or change their user role. To change their user role, move them to a directory group that has a different Netlify role. You can check the Netlify role assigned to directory groups from your Directory Sync settings.

      Directory Sync settings showing directory groups and assigned Netlify roles.

# Remove inactive Team Owners

We recommend removing inactive Team Owners from your team to ensure you’re not giving privileged access to people who should no longer control or access your team and sensitive information.

A Team Owner is considered inactive when they haven’t logged in nor triggered a build in the last 30 days.

# Remove a Team Owner in Netlify UI

You can remove a Team Owner in the Netlify UI if that user is not provisioned through SCIM Directory Sync.

If a user is provisioned through SCIM Directory Sync, the Netlify UI shows that they are Managed by org in the

.

To remove an inactive Team Owner:

  1. Navigate to your team’s page to review Team Owners.
  2. Choose a relevant Team Owner from the Member list.
  3. Next to your chosen Team Owner, select Options, then Remove from team.

# Deprovision a Team Owner in your identity provider

If an inactive Team Owner is currently provisioned through SCIM Directory Sync, you must deprovision the Team Owner in your identity provider.

To deprovision an inactive Team Owner:

  1. Go to your identity provider.

  2. In your identity provider, review users in any directory groups that are assigned the Netlify Team Owner role. You can review the Netlify roles assigned to directory groups in your Directory Sync settings on Netlify. For example, you may have a directory group in your identity provider called Team Admins. In Netlify, an Organization Owner can assign the Team Admins directory group to the Team Owner role.

  3. Remove inactive Team Owners from the directory group.

For more details check out your identity provider’s docs.

# Remove inactive Collaborators

We recommend removing inactive Collaborators from your team to ensure you’re not giving access to Collaborators who should no longer access site deploy management or sensitive information in your team.

A Collaborator is considered inactive when they haven’t logged in nor triggered a build in the last 30 days.

# Remove a Collaborator in Netlify UI

You can remove a Collaborator in the Netlify UI if that user is not provisioned through SCIM Directory Sync. If a user is provisioned through SCIM Directory Sync, the Netlify UI shows that they are Managed by org in the

.

To remove an inactive Collaborator:

  1. Navigate to your team’s page.
  2. Choose a relevant Collaborator from the Member list.
  3. Next to your chosen Collaborator, select Options, then Remove from team.

# Deprovision a Collaborator in your identity provider

If an inactive Collaborator is currently provisioned through SCIM Directory Sync, you must deprovision the Collaborator from your identity provider.

To deprovision an inactive Collaborator:

  1. Go to your identity provider.
  2. In your identity provider, review users in the directory groups assigned to the Netlify Collaborator role. You can review the Netlify roles assigned to directory groups in your Directory Sync settings on Netlify. For example, you may have a directory group in your identity provider called Site Maintainers. In Netlify, an Organization Owner can assign the Site Maintainers directory group to the Collaborator role.
  3. Remove inactive Team Owners from the directory group.

For more details check out your identity provider’s docs.

# Site protection recommendations

Protect unreleased content and intellectual property by ensuring that preview versions of your site are not accessible with site protection. Or set up an internal-only site that requires a password or login credentials.

As a Team Owner, you can customize the default site protection settings for all sites in your team with these main options:

  • Basic password protection: require site visitors to enter a universal password to access a site.
  • Team login protection: require site visitors to use their Netlify team login credentials to access a site. Invite unlimited Reviewers to access a site/sites in your team with their own Netlify login credentials.
Basic password protection Team login protection
Basic password prompt on a deploy when basic password protection is enabled. Standard Netlify team login options on a deploy when team login protection is enabled, includes options to log in with GitHub, GitLab, Bitbucket, Email, or SSO
Universal password required to access site deploy Unique password and username required to access site deploy
No SSO support Supports SSO through an identity provider, if an Owner enables strict SSO

Learn more about site protection.

# Set up site protection for your team

To prevent unwanted access to unreleased content and intellectual property, we recommend enabling site protection for preview environments of your site, such as for Deploy Previews and any branch deploys.

You can also enable site protection for your entire site, which is ideal for internal-only sites.

For the most robust security, we recommend enabling Team login protection with strict SSO, which requires all site visitors to log in with their Netlify team credentials through your identity provider to access site previews. Learn more about Team login protection.

To enable strict SSO, you must first enable Organization SSO or Team SSO.

To set up site protections for your team:

  1. For your team, go to

    .

  2. Select Configure site protection.

  3. To require site visitors to use their Netlify login credentials to access your sites, choose Team login protection. Site visitors must be a member of your Netlify team to access your sites.

    Who counts as a Netlify team member?

    Team login protection applies to site Collaborators, Team Owners, Reviewers, and Billing Admins only. Git Contributors will not be able to log in to your site deploys that are protected with team login protection. You can invite an unlimited number of people to access your site in a Reviewer role, which gives them Netlify team login credentials.

  4. Choose the scope of your default site protection. This will apply to all new sites and all existing sites with no custom configuration.

    • To only protect preview versions of your sites, such as Deploy Previews and branch deploys, select Non-production deploys only.
    • To protect entire sites for an internal site experience, select All deploys.
  5. To confirm, select Save.

These default site protection settings apply to all new sites and all existing sites with no custom configuration. Site Collaborators can customize protection for a specific site without changing the team default.

# Alternative

As an alternative to setting up site protection for all sites in your team, you can set up site protection for just a single site.

Check out the docs for setting up site protections for a single site.

We still recommend team-configured site protection as a default for all new sites and existing sites that don't have their own custom site protection settings.

# More resources

Learn more on security best practices and how Enterprises are using Netlify for better security: