Netlify Security Checklist: 15-Item Guide Before Deploying

Q: How do I add security headers on Netlify?

Create a _headers file in your publish directory or add headers in netlify.toml. Include X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, and Strict-Transport-Security headers.

Q: Are Netlify environment variables secure?

Netlify environment variables are encrypted and only available during build time and in Netlify Functions. They are not exposed to the browser unless you explicitly include them in your build output.

TL;DR

This 15-item checklist covers critical Netlify security configurations: environment variables, security headers, access control, and Netlify Functions. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can.

Quick Checklist (5 Critical Items)

Store secrets in Netlify Environment VariablesNever commit secrets to your repository - use Site Settings > Environment Variables

Do not expose secrets in build outputAvoid embedding secrets in JS bundles - use Functions for secret-dependent logic

Add authentication to FunctionsVerify users before processing requests in serverless functions

Protect deploy previewsEnable password protection for sensitive preview deploys

Configure Content-Security-PolicyRestrict which sources can load scripts, styles, and other resources

Environment Variables 4

Store secrets in Netlify Environment VariablesSite Settings > Environment Variables. Never commit secrets to your repository. How to configure env variables

Understand build vs runtime accessEnv vars are available at build time. Only Functions can access them at runtime. How to use Netlify env vars

Do not expose secrets in build outputAvoid embedding secrets in JS bundles. Use Functions for secret-dependent logic. How to separate client/server keys

Set context-specific variablesUse different values for Production, Deploy Previews, and Branch Deploys. How to configure deploy contexts

Security Headers 4

Create _headers fileAdd to your publish directory with security headers for all paths. How to create _headers file

Add X-Frame-OptionsSet to DENY or SAMEORIGIN to prevent your site from being embedded in iframes. How to prevent clickjacking

Configure Content-Security-PolicyRestrict which sources can load scripts, styles, and other resources. How to configure CSP

Enable Strict-Transport-SecurityForce HTTPS connections with HSTS header. How to enable HSTS

Access & Deployment 4

Protect deploy previewsEnable password protection or Netlify Identity for sensitive preview deploys. How to protect previews

Review team member accessAudit who has access to your Netlify team and site settings. How to audit team access

Secure build hooksBuild hook URLs trigger deploys. Treat them as secrets. How to secure build hooks

Review deploy notificationsEnsure notifications go to appropriate channels, not public ones. How to configure notifications

Netlify Functions 3

Add authentication to FunctionsVerify users before processing requests in serverless functions. How to secure Netlify Functions

Validate all inputsCheck request body, headers, and query parameters before processing. How to validate inputs

Implement rate limitingPrevent abuse by limiting requests per IP or user. How to implement rate limiting

Netlify Security Defaults

Netlify provides automatic HTTPS, DDoS protection, and a secure CDN. However, you need to add security headers manually using a _headers file or netlify.toml configuration. Without custom headers, your site misses important protections like CSP and clickjacking prevention.

For sites using Netlify Functions, remember that functions are public endpoints by default. Anyone can call them directly. Always implement authentication and input validation.

How do I add security headers on Netlify?

Create a _headers file in your publish directory (usually public/ or build/). Add headers for all paths using /* or specific paths. Alternatively, add headers in netlify.toml under [[headers]] sections.

Are Netlify environment variables secure?

Netlify environment variables are encrypted and available during build time and in Netlify Functions. They are not automatically exposed to the browser. However, if your build process embeds them in JS bundles, they become public. Use Functions for secret-dependent operations.

How do I protect Netlify deploy previews?

Enable password protection in Site Settings > Access Control, or use Netlify Identity to require login. You can also disable deploy previews entirely if they expose sensitive features before launch.

TL;DR

Quick Checklist (5 Critical Items)

Environment Variables 4

Security Headers 4

Access & Deployment 4

Netlify Functions 3

Netlify Security Defaults

How do I add security headers on Netlify?

Are Netlify environment variables secure?

How do I protect Netlify deploy previews?

Related Articles

Netlify Security Guide

How to Configure Netlify Headers

Vercel Security Checklist

Check Your Netlify Site

Netlify Security Checklist: 15-Item Guide Before Deploying