Netlify Deployment Launch Security Checklist

TL;DR

Netlify provides secure infrastructure with automatic HTTPS. Your job is to configure environment variables, add security headers via _headers file or netlify.toml, review team access, and verify your app works correctly on the production domain.

Environment Variables 4

Set production environment variablesGo to Site Settings > Build & Deploy > Environment Variables

Use context-specific valuesSet different values for production vs deploy previews

::checklist-item{label="Mark sensitive vars appropriately" description="Use "Sensitive variable" setting to hide values in logs"} ::

Check build logs for exposed secretsReview deploy logs for accidentally printed secrets

Security Headers 4

Create _headers file or use netlify.tomlAdd X-Frame-Options, X-Content-Type-Options, Referrer-Policy

Configure Content Security PolicyStart restrictive and allow only what your app needs

Enable HTTPS redirectIn Site Settings > Domain Management, force HTTPS

Verify headers at securityheaders.comCheck your configuration is working correctly

Access and Functions 3

Review team member accessRemove people who no longer need access

Password protect deploy previews (if needed)Prevent public access to preview deployments

Secure Netlify FunctionsAdd auth checks to any serverless functions

Production Verification 3

Test on production domainVerify everything works on your actual URL

Verify authentication worksLogin, protected routes, and sessions function correctly

Run automated security scanCatch issues you may have missed

How do I add security headers on Netlify?

Create a _headers file in your publish directory or add headers in netlify.toml. Example: /* X-Frame-Options: DENY. Both methods work for static sites and Netlify Functions.

Are Netlify Functions secure?

Netlify Functions run in secure AWS Lambda environments, but you need to add your own authentication checks. They're not protected by default, so verify the request before processing sensitive operations.

Scan Your Netlify Site

Find security issues before launch.