[{"data":1,"prerenderedAt":211},["ShallowReactive",2],{"blog-checklists/netlify-security-checklist":3},{"id":4,"title":5,"body":6,"category":186,"date":187,"dateModified":187,"description":188,"draft":189,"extension":190,"faq":191,"featured":189,"headerVariant":196,"image":197,"keywords":197,"meta":198,"navigation":199,"ogDescription":200,"ogTitle":197,"path":201,"readTime":197,"schemaOrg":202,"schemaType":203,"seo":204,"sitemap":205,"stem":206,"tags":207,"twitterCard":209,"__hash__":210},"blog/blog/checklists/netlify-security-checklist.md","Netlify Security Checklist: 15-Item Guide Before Deploying",{"type":7,"value":8,"toc":180},"minimark",[9,16,19,22,47,65,83,101,116,121,124,127,149,168],[10,11,12],"tldr",{},[13,14,15],"p",{},"This 15-item checklist covers critical Netlify security configurations: environment variables, security headers, access control, and Netlify Functions. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can.",[13,17,18],{},"Netlify handles a lot of infrastructure security for you, which is great, but it also means the security gaps that remain are entirely your responsibility. Misconfigured headers, exposed build secrets, and unprotected serverless functions are the usual culprits. Walk through this list before you flip that deploy to production.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Never commit secrets to your repository - use Site Settings > Environment Variables","Store secrets in Netlify Environment Variables",[27,32],{"description":33,"label":34},"Avoid embedding secrets in JS bundles - use Functions for secret-dependent logic","Do not expose secrets in build output",[27,36],{"description":37,"label":38},"Verify users before processing requests in serverless functions","Add authentication to Functions",[27,40],{"description":41,"label":42},"Enable password protection for sensitive preview deploys","Protect deploy previews",[27,44],{"description":45,"label":46},"Restrict which sources can load scripts, styles, and other resources","Configure Content-Security-Policy",[23,48,51,54,58,61],{"title":49,"count":50},"Environment Variables","4",[27,52],{"description":53,"label":30},"Site Settings > Environment Variables. Never commit secrets to your repository. How to configure env variables",[27,55],{"description":56,"label":57},"Env vars are available at build time. Only Functions can access them at runtime. How to use Netlify env vars","Understand build vs runtime access",[27,59],{"description":60,"label":34},"Avoid embedding secrets in JS bundles. Use Functions for secret-dependent logic. How to separate client/server keys",[27,62],{"description":63,"label":64},"Use different values for Production, Deploy Previews, and Branch Deploys. How to configure deploy contexts","Set context-specific variables",[23,66,68,72,76,79],{"title":67,"count":50},"Security Headers",[27,69],{"description":70,"label":71},"Add to your publish directory with security headers for all paths. How to create _headers file","Create _headers file",[27,73],{"description":74,"label":75},"Set to DENY or SAMEORIGIN to prevent your site from being embedded in iframes. How to prevent clickjacking","Add X-Frame-Options",[27,77],{"description":78,"label":46},"Restrict which sources can load scripts, styles, and other resources. How to configure CSP",[27,80],{"description":81,"label":82},"Force HTTPS connections with HSTS header. How to enable HSTS","Enable Strict-Transport-Security",[23,84,86,89,93,97],{"title":85,"count":50},"Access & Deployment",[27,87],{"description":88,"label":42},"Enable password protection or Netlify Identity for sensitive preview deploys. How to protect previews",[27,90],{"description":91,"label":92},"Audit who has access to your Netlify team and site settings. How to audit team access","Review team member access",[27,94],{"description":95,"label":96},"Build hook URLs trigger deploys. Treat them as secrets. How to secure build hooks","Secure build hooks",[27,98],{"description":99,"label":100},"Ensure notifications go to appropriate channels, not public ones. How to configure notifications","Review deploy notifications",[23,102,105,108,112],{"title":103,"count":104},"Netlify Functions","3",[27,106],{"description":107,"label":38},"Verify users before processing requests in serverless functions. How to secure Netlify Functions",[27,109],{"description":110,"label":111},"Check request body, headers, and query parameters before processing. How to validate inputs","Validate all inputs",[27,113],{"description":114,"label":115},"Prevent abuse by limiting requests per IP or user. How to implement rate limiting","Implement rate limiting",[117,118,120],"h2",{"id":119},"netlify-security-defaults","Netlify Security Defaults",[13,122,123],{},"Netlify provides automatic HTTPS, DDoS protection, and a secure CDN. However, you need to add security headers manually using a _headers file or netlify.toml configuration. Without custom headers, your site misses important protections like CSP and clickjacking prevention.",[13,125,126],{},"For sites using Netlify Functions, remember that functions are public endpoints by default. Anyone can call them directly. Always implement authentication and input validation.",[128,129,130,137,143],"faq-section",{},[131,132,134],"faq-item",{"question":133},"How do I add security headers on Netlify?",[13,135,136],{},"Create a _headers file in your publish directory (usually public/ or build/). Add headers for all paths using /* or specific paths. Alternatively, add headers in netlify.toml under [[headers]] sections.",[131,138,140],{"question":139},"Are Netlify environment variables secure?",[13,141,142],{},"Netlify environment variables are encrypted and available during build time and in Netlify Functions. They are not automatically exposed to the browser. However, if your build process embeds them in JS bundles, they become public. Use Functions for secret-dependent operations.",[131,144,146],{"question":145},"How do I protect Netlify deploy previews?",[13,147,148],{},"Enable password protection in Site Settings > Access Control, or use Netlify Identity to require login. You can also disable deploy previews entirely if they expose sensitive features before launch.",[150,151,152,158,163],"related-articles",{},[153,154],"related-card",{"description":155,"href":156,"title":157},"Complete guide to Netlify security","/blog/guides/netlify","Netlify Security Guide",[153,159],{"description":160,"href":161,"title":162},"Step-by-step headers setup","/blog/how-to/netlify-env-vars","How to Configure Netlify Headers",[153,164],{"description":165,"href":166,"title":167},"Compare with Vercel security","/blog/checklists/vercel-security-checklist","Vercel Security Checklist",[169,170,173,177],"cta-box",{"href":171,"label":172},"/","Start Free Scan",[117,174,176],{"id":175},"check-your-netlify-site","Check Your Netlify Site",[13,178,179],{},"Our scanner reviews headers, exposed secrets, and common misconfigurations.",{"title":181,"searchDepth":182,"depth":182,"links":183},"",2,[184,185],{"id":119,"depth":182,"text":120},{"id":175,"depth":182,"text":176},"checklists","2026-02-02","Security checklist for Netlify deployments. Check these 15 items to secure your static site or Jamstack application on Netlify.",false,"md",[192,194],{"question":133,"answer":193},"Create a _headers file in your publish directory or add headers in netlify.toml. Include X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, and Strict-Transport-Security headers.",{"question":139,"answer":195},"Netlify environment variables are encrypted and only available during build time and in Netlify Functions. They are not exposed to the browser unless you explicitly include them in your build output.","green",null,{},true,"Security checklist for Netlify. 15 items to check before production deployment.","/blog/checklists/netlify-security-checklist","[object Object]","HowTo",{"title":5,"description":188},{"loc":201},"blog/checklists/netlify-security-checklist",[208],"Security Checklist","summary_large_image","DraYg_gg0ZJ9QrtJsIgGdMpFEgtSngzmTXvEoHbete8",1775843930895]