
Can You Password Protect a Netlify Drop Site? (2026)
Short answer: a Netlify Drop site is a normal Netlify site under the hood, so it can be password protected — but as of 2026, both of Netlify's built-in ways to do that need a Pro plan. The free _headers trick you'll find in older tutorials no longer applies to new accounts.
I verified this against the Netlify docs on July 3, 2026, because the situation changed and a lot of guides are out of date. Here's the real picture.
What a Netlify Drop site actually is
When you drag a folder onto app.netlify.com/drop, Netlify uploads the files, creates a site, and gives you a random something.netlify.app URL. There's no Git repo and no build step — just the files you dropped.
The important part: that Drop site has the same site settings as any other Netlify site. Custom domain, SSL, and the Access & security panel are all there. So the question isn't really "can Drop do passwords" — it's "what plan do the password features need," and the answer is the same as for any site.
The two built-in options, and what they cost
Netlify has two native ways to put a password in front of a site:
Password Protection (the UI toggle under Project configuration > Access & security > Visitor access). This gives visitors a single shared password prompt. Per the current docs, basic password protection for your whole site is available on Pro and Enterprise plans — not free.
Basic Auth via a _headers file. You add a Basic-Auth: rule to a _headers file in your published folder, and Netlify enforces a browser login prompt. This used to work on every plan, which is why so many tutorials recommend it for free sites. As of 2026 the docs list this feature as available on Pro and Enterprise plans too. If you're on a new (credit-based) free account, don't count on it.
So on a free Drop site, neither built-in option is available. That's the honest answer, even though it's not the convenient one.
What still works without Pro
If you can't or won't pay for Pro, your realistic options are:
- Don't rely on the URL staying secret, but make it hard to guess. A Drop site's random
.netlify.appURL isn't linked from anywhere. That's obscurity, not security — fine for sharing a quick preview with one person, useless for anything sensitive. - Gate the content in the browser. A little client-side JavaScript password check keeps casual visitors out, but anyone who opens dev tools can read straight past it. Only use this for low-stakes "please don't peek" cases.
- Move to a real (Git or CLI) site and add your own auth. With a repo-backed or CLI-deployed site you can put an edge function in front of your pages and check a password or token yourself. This works on the free plan because it's your code, not a gated platform feature.
- Just upgrade to Pro if you need this regularly. At $20/month you get Password Protection and Basic Auth headers as toggles, and it's less work than any workaround.
Managing Drop sites from your phone. If you're spinning up quick shareable sites, Netli.fyi lets you check every Netlify project — domains, SSL, and deploy status — from your pocket, without opening a laptop.
"What's the Netlify default password?"
There isn't one. If you landed here searching for a "Netlify default password," you're almost certainly hitting a password prompt on a site someone else protected, and there's no universal password that opens it.
What you're seeing is one of two things:
- A basic password prompt — a single shared password the site owner set. Only they can tell you what it is.
- A Netlify team login prompt — this one wants you to log in as a member of the owner's Netlify team. If you're not on their team, you can't get in, and no password will change that.
Either way, the fix is the same: ask whoever deployed the site. Netlify doesn't ship a default password you can look up.
I don't work for Netlify, and this isn't official documentation. Behavior verified against docs.netlify.com on July 3, 2026 — plan features change, so confirm against your own dashboard.

Developer Advocate at RevenueCat and creator of Netli.fyi. Building on Netlify since 2019. Writes from hands-on experience deploying dozens of production sites.


