Password protection

Netlify provides mechanisms to hide all or part of your site behind a password that you control.

# Site-wide protection

This feature may not be available on all plans.

Netlify’s site-wide password protection blocks complete access to your site to visitors without a password.

To set this global password, go to the Access section in your site’s settings and select Set Password. After setting this password, all access to your site will be blocked unless a visitor enters the password you set.

To make the site public again, go to the same section and remove the password by using Edit Password.

Team-wide default password

You can set a password for all sites belonging to your team from your team settings under Sites > Global site settings > Password / JWT secret. Password settings at the site level will override team-level defaults.

This feature may not be available on all plans.

Netlify presents a generically styled page to prompt visitors for the password.

# Selective protection with basic authentication

This feature may not be available on all plans.

If you need multiple passwords for a site or only need to protect part of your site, you can set up basic authentication with Netlify’s custom HTTP header support. We’ve demonstrated a common use case around using this feature to automatically protect specific branch deploys.

Not for sensitive information

Basic authentication does not encrypt access credentials or provide a method for user-initiated logout. Enabling HTTPS on your site will prevent eavesdropping on requests, but for protecting sensitive or valuable information, we recommend using visitor access control with JWTs instead.

The sample below adds basic authentication to a site directory by adding a Basic-Auth rule to a _headers file. (You can also set these headers in the Netlify configuration file.)


There are two users defined here: one with the username USERNAME and password USER_PASSWORD, the other with SECOND_USERNAME and SECOND_USER_PASSWORD. This will trigger the built-in basic browser authentication for any URL under /protected.

Unlike other headers in your custom headers configuration, the Basic-Auth header will not be sent as written in a standard HTTP header. Instead, it will be used to control the appropriate HTTP headers for basic authentication.

Double passwords

If you enable both site-wide password protection and basic authentication on a site, the site-wide password will be asked for after the basic authentication login.

Role based access controls with JWT tokens