How to restrict access to a Netlify site with passwords

Perttu Lähteenlahti

Why you might want to lock down a Netlify site

When you are building a new site or shipping a big update, it is normal to have pages that are not ready yet. The problem is that Netlify deploys are public by default, so anyone with the URL can load your work in progress.

That can be awkward with clients, stakeholders, or teammates. It can also cause real problems if search engines index the wrong version, or if someone shares a preview link too widely.

Netlify has a couple of ways to restrict access without building your own login system. You can pick the option that fits your plan and how strict you need to be.

Two common ways to protect a Netlify site

You have two practical options that cover most use cases:

  1. Password protection in the Netlify dashboard (Pro plan and higher): This is the most polished option. It is great for client previews and non-technical reviewers.

  2. Basic Authentication using a _headers file (works on all plans): This is more manual, but it can be useful when you want quick protection or route-by-route rules.

Let's go through both.

Option 1: Password protection in the Netlify dashboard

If your Netlify plan supports it, password protection is the easiest path. You flip a setting in the dashboard, choose who should be allowed in, and you are done.

You can usually choose between:

  • A shared password that you give to anyone who needs access
  • Team-based access where people log in with their own Netlify account

You can also often choose the scope, for example:

  • Protect all deploys, including production
  • Protect non-production deploys only, while production stays public

This is the option I would choose if you want a smooth client-friendly experience.

Option 2: Basic Auth with a _headers file

If you are on a free plan, or you want per-path control, you can use Basic Authentication by adding a _headers file to your site output.

A simple site-wide rule looks like this:

/*
  Basic-Auth: demo:letmein

This tells Netlify to require the username demo and password letmein for all pages.

You can also protect specific paths:

/admin/*
  Basic-Auth: admin:secretpassword

/staging/*
  Basic-Auth: tester:preview123

This approach is flexible and works on all Netlify plans.

Where to put the _headers file

The _headers file should be in your site's publish directory, which is usually the root of your static output.

For common frameworks:

  • Plain HTML projects: put it in the root folder
  • Next.js: put it in the public folder
  • Gatsby: put it in the static folder
  • Hugo: put it in the static folder

Netlify will automatically pick it up during deployment.

Limitations of Basic Auth

Basic Authentication is simple, but it has trade-offs:

  • The password is sent with every request (over HTTPS, so it is encrypted)
  • There is no "forgot password" flow
  • Credentials are stored in plain text in the _headers file
  • Some crawlers may still try to access the site

For quick staging protection, this is usually fine. For anything more sensitive, consider the dashboard-based password protection or a real authentication system.
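
One way to soften the plain-text limitation is to generate the rule during the build rather than committing it. The script below is an added example, not code from the original article; BASIC_AUTH_USER and BASIC_AUTH_PASS are assumed environment variable names that you would define in the site's build settings, and the script name and publish directory in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: append a Basic-Auth rule to _headers at build time so the
# credentials live in build environment variables instead of the repository.
# BASIC_AUTH_USER and BASIC_AUTH_PASS are assumed names, not Netlify built-ins.

# valid_credential USER PASS: reject values that would break the rule syntax.
valid_credential() {
  user=$1
  pass=$2
  [ -n "$user" ] && [ -n "$pass" ] || return 1
  case $user in *:*) return 1 ;; esac   # ':' separates username from password
  # Whitespace or a newline would split the value or inject extra lines.
  [ "$(printf '%s' "$user$pass" | tr -d '[:space:]')" = "$user$pass" ] || return 1
}

# render_rule PATH USER PASS: print one rule in the format used in this article.
render_rule() {
  case $1 in /*) ;; *) return 1 ;; esac   # rule paths start with '/'
  valid_credential "$2" "$3" || return 1
  printf '%s\n  Basic-Auth: %s:%s\n' "$1" "$2" "$3"
}

# main PUBLISH_DIR [PATH]: append the rule, or fail the build instead of
# publishing an unprotected site when the variables are missing or invalid.
main() {
  rule=$(render_rule "${2:-/*}" "${BASIC_AUTH_USER:-}" "${BASIC_AUTH_PASS:-}") || {
    echo "BASIC_AUTH_USER/BASIC_AUTH_PASS missing or invalid" >&2
    return 1
  }
  printf '%s\n' "$rule" >> "$1/_headers"
}

# Run only when called with arguments, e.g. after the build: sh gen-headers.sh dist
[ "$#" -eq 0 ] || main "$@"
```

The credential still ends up in plain text in the generated _headers file in the build output; this only keeps it out of version control.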

Protecting deploy previews

Deploy previews are especially easy to share accidentally. A teammate might post a preview link in a Slack channel, and suddenly more people can see your unfinished work than intended.

If you are on a paid plan, you can often restrict access to deploy previews specifically, while leaving production public. This is a good middle ground.

Conclusion

Netlify gives you straightforward options to restrict access to your site:

  • Use dashboard-based password protection for a polished experience on paid plans
  • Use Basic Auth via _headers for quick protection on any plan

Either way, you can keep your work-in-progress private and share access only with the people who need it.
