[{"data":1,"prerenderedAt":384},["ShallowReactive",2],{"blog-prompts/netlify-security-config":3},{"id":4,"title":5,"body":6,"category":363,"date":364,"dateModified":365,"description":366,"draft":367,"extension":368,"faq":369,"featured":367,"headerVariant":370,"image":369,"keywords":369,"meta":371,"navigation":372,"ogDescription":373,"ogTitle":369,"path":374,"readTime":369,"schemaOrg":375,"schemaType":376,"seo":377,"sitemap":378,"stem":379,"tags":380,"twitterCard":382,"__hash__":383},"blog/blog/prompts/netlify-security-config.md","Netlify Security Configuration with AI Prompts",{"type":7,"value":8,"toc":353},"minimark",[9,16,21,29,74,78,85,148,158,162,165,229,233,236,275,284,300,304,307,327,341],[10,11,12],"tldr",{},[13,14,15],"p",{},"Netlify provides free HTTPS but you configure headers and security settings via _headers file or netlify.toml. Environment variables go in the dashboard, and Netlify Functions need their own security considerations. These prompts cover secure Netlify configuration.",[17,18,20],"h2",{"id":19},"security-headers-via-_headers","Security Headers via _headers",[13,22,23,24,28],{},"Copy this prompt to generate a complete ",[25,26,27],"code",{},"_headers"," file for your Netlify site. 
Your AI will produce security headers (CSP, X-Frame-Options, Referrer-Policy), caching rules for static assets, and CORS configuration for API routes.",[30,31,33,36,39,42,47,50,54,57,61,71],"prompt-box",{"title":32},"Configure _headers File",[13,34,35],{},"Add security headers to my Netlify site using _headers file.",[13,37,38],{},"Create _headers in your publish directory (usually public/ or dist/):",[13,40,41],{},"/*\nX-Frame-Options: DENY\nX-Content-Type-Options: nosniff\nReferrer-Policy: strict-origin-when-cross-origin\nPermissions-Policy: camera=(), microphone=(), geolocation=()\nContent-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-ancestors 'none';",[43,44,46],"h1",{"id":45},"cache-static-assets","Cache static assets",[13,48,49],{},"/assets/*\nCache-Control: public, max-age=31536000, immutable",[43,51,53],{"id":52},"dont-cache-html","Don't cache HTML",[13,55,56],{},"/*.html\nCache-Control: public, max-age=0, must-revalidate",[43,58,60],{"id":59},"api-routes-might-need-different-headers","API routes might need different headers",[13,62,63,64,70],{},"/api/*\nAccess-Control-Allow-Origin: ",[65,66,67],"a",{"href":67,"rel":68},"https://mysite.com",[69],"nofollow","\nAccess-Control-Allow-Methods: GET, POST, OPTIONS",[13,72,73],{},"Note: Netlify adds HSTS automatically for sites with HTTPS enabled.",[17,75,77],{"id":76},"headers-via-netlifytoml","Headers via netlify.toml",[13,79,80,81,84],{},"Use this prompt to configure security headers, redirects, and environment-specific settings in ",[25,82,83],{},"netlify.toml",". 
Your AI will generate the TOML configuration with per-path header rules, SPA routing, HTTPS enforcement, and deploy context overrides.",[30,86,88,91,94,102,108,112,115,119,132,136,142],{"title":87},"Configure netlify.toml",[13,89,90],{},"Configure security headers in netlify.toml.",[43,92,83],{"id":93},"netlifytoml",[13,95,96,97,101],{},"[[headers]]\nfor = \"/*\"\n",[98,99,100],"span",{},"headers.values","\nX-Frame-Options = \"DENY\"\nX-Content-Type-Options = \"nosniff\"\nReferrer-Policy = \"strict-origin-when-cross-origin\"\nPermissions-Policy = \"camera=(), microphone=(), geolocation=()\"",[13,103,104,105,107],{},"[[headers]]\nfor = \"/assets/*\"\n",[98,106,100],{},"\nCache-Control = \"public, max-age=31536000, immutable\"",[43,109,111],{"id":110},"redirects-for-spa","Redirects for SPA",[13,113,114],{},"[[redirects]]\nfrom = \"/*\"\nto = \"/index.html\"\nstatus = 200",[43,116,118],{"id":117},"force-https-redirect","Force HTTPS redirect",[13,120,121,122,126,127,131],{},"[[redirects]]\nfrom = \"",[65,123,124],{"href":124,"rel":125},"http://example.com/",[69],"*\"\nto = \"",[65,128,129],{"href":129,"rel":130},"https://example.com/:splat",[69],"\"\nstatus = 301\nforce = true",[43,133,135],{"id":134},"environment-specific-config","Environment-specific config",[13,137,138,141],{},[98,139,140],{},"context.production.environment","\nNODE_ENV = \"production\"",[13,143,144,147],{},[98,145,146],{},"context.deploy-preview.environment","\nNODE_ENV = \"preview\"",[149,150,151],"warning-box",{},[13,152,153,157],{},[154,155,156],"strong",{},"Deploy previews are public by default:"," Anyone with the URL can access them. Use Netlify's password protection or branch deploy settings to restrict access to preview deployments containing sensitive features.",[17,159,161],{"id":160},"environment-variables","Environment Variables",[13,163,164],{},"Paste this prompt to get a step-by-step guide for securely managing Netlify environment variables. 
Your AI will explain scoping by deploy context (production vs preview), the difference between build-time and runtime variables, and how to keep secrets out of your client bundle.",[30,166,168,171,174],{"title":167},"Secure Environment Variables",[13,169,170],{},"Set up secure environment variables in Netlify.",[13,172,173],{},"Best practices:",[175,176,177,181,199,213,219],"ol",{},[178,179,180],"li",{},"Use the Netlify Dashboard for secrets:\nSite settings > Environment variables\nNever commit secrets to netlify.toml!",[178,182,183,184],{},"Scope variables by context:",[185,186,187,190,193,196],"ul",{},[178,188,189],{},"Production: Real credentials",[178,191,192],{},"Deploy Preview: Test credentials",[178,194,195],{},"Branch deploy: Environment-specific",[178,197,198],{},"Local development: .env file (gitignored)",[178,200,201,202,205,206,210,212],{},"Build vs Runtime variables:\nBuild time: Available during build (can be baked into JS)\nRuntime: Only available in Netlify Functions",[203,204],"br",{},"// Build time - will be in client bundle!\nREACT_APP_API_URL=",[65,207,208],{"href":208,"rel":209},"https://api.example.com",[69],[203,211],{},"// Runtime only - safe for secrets\nDATABASE_URL=postgresql://... (only in Functions)",[178,214,215,216,218],{},"Don't expose secrets to the frontend:\n// Netlify Functions access process.env directly\nexports.handler = async () => {\nconst secret = process.env.API_SECRET; // Safe\n};",[203,217],{},"// Frontend code - DON'T use secrets here!",[178,220,221,222,224,225,228],{},"Using netlify.toml (non-sensitive values only):\n",[98,223,140],{},"\nAPI_ENDPOINT = \"",[65,226,208],{"href":208,"rel":227},[69],"\"",[17,230,232],{"id":231},"netlify-functions-security","Netlify Functions Security",[13,234,235],{},"Copy this prompt to harden your Netlify Functions against abuse. 
Your AI will add HTTP method validation, origin checking, rate limiting patterns, input parsing, and proper security headers to your function responses. If the function is called cross-origin, note that the method check as written also rejects the browser's OPTIONS preflight request, so that case needs handling before the origin check.",[30,237,239,242,245,248,263,266,269,272],{"title":238},"Secure Netlify Functions",[13,240,241],{},"Secure my Netlify Functions from abuse.",[13,243,244],{},"// netlify/functions/api.js",[13,246,247],{},"exports.handler = async (event, context) => {\n// 1. Validate HTTP method\nif (event.httpMethod !== 'POST') {\nreturn { statusCode: 405, body: 'Method not allowed' };\n}",[13,249,250,251,262],{},"// 2. Validate origin (CORS at function level)\nconst origin = event.headers.origin;\nconst allowedOrigins = ",[98,252,253,254,257,258,253],{},"'",[65,255,67],{"href":67,"rel":256},[69],"', '",[65,259,260],{"href":260,"rel":261},"https://www.mysite.com",[69],";\nif (!allowedOrigins.includes(origin)) {\nreturn { statusCode: 403, body: 'Forbidden' };\n}",[13,264,265],{},"// 3. Rate limiting with Netlify Blobs or external service\n// (Netlify doesn't have built-in rate limiting)",[13,267,268],{},"// 4. Validate input\nlet body;\ntry {\nbody = JSON.parse(event.body);\n} catch {\nreturn { statusCode: 400, body: 'Invalid JSON' };\n}",[13,270,271],{},"// 5. Use environment variables for secrets\nconst apiKey = process.env.API_KEY; // Safe - server only",[13,273,274],{},"// 6. Set security headers on response\nreturn {\nstatusCode: 200,\nheaders: {\n'Content-Type': 'application/json',\n'Access-Control-Allow-Origin': origin,\n},\nbody: JSON.stringify({ success: true }),\n};\n};",[276,277,278],"tip-box",{},[13,279,280,283],{},[154,281,282],{},"Pro tip:"," Use Netlify's built-in forms carefully - they're powerful but can be abused. 
Enable spam filtering and consider using honeypot fields or reCAPTCHA for public forms.",[285,286,287,294],"faq-section",{},[288,289,291],"faq-item",{"question":290},"How do I password-protect my entire site?",[13,292,293],{},"Use Netlify's password protection feature (Pro plan) at Site settings > Access control > Password protection. For free plans, implement basic auth in a Netlify Function or use edge functions.",[288,295,297],{"question":296},"Are my Netlify Functions secure by default?",[13,298,299],{},"Functions are publicly accessible by default. Add authentication, input validation, and rate limiting. Environment variables read at runtime inside Functions stay server-side; values your build step inlines into the client bundle do not.",[17,301,303],{"id":302},"further-reading","Further Reading",[13,305,306],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[185,308,309,315,321],{},[178,310,311],{},[65,312,314],{"href":313},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[178,316,317],{},[65,318,320],{"href":319},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[178,322,323],{},[65,324,326],{"href":325},"/blog/best-practices/secrets","Secret management best practices",[328,329,330,336],"related-articles",{},[331,332],"related-card",{"description":333,"href":334,"title":335},"Header reference","/blog/prompts/add-security-headers","Add Security Headers",[331,337],{"description":338,"href":339,"title":340},"Alternative platform","/blog/prompts/vercel-security-config","Vercel Security Config",[342,343,346,350],"cta-box",{"href":344,"label":345},"/","Start Free Scan",[17,347,349],{"id":348},"audit-your-netlify-config","Audit Your Netlify Config",[13,351,352],{},"Scan your Netlify deployment for security 
misconfigurations.",{"title":354,"searchDepth":355,"depth":355,"links":356},"",2,[357,358,359,360,361,362],{"id":19,"depth":355,"text":20},{"id":76,"depth":355,"text":77},{"id":160,"depth":355,"text":161},{"id":231,"depth":355,"text":232},{"id":302,"depth":355,"text":303},{"id":348,"depth":355,"text":349},"prompts","2026-02-19","2026-03-06","AI prompts to configure Netlify security settings. Set up headers, environment variables, and serverless functions securely on Netlify.",false,"md",null,"cyan",{},true,"AI prompts to secure your Netlify deployment.","/blog/prompts/netlify-security-config","[object Object]","BlogPosting",{"title":5,"description":366},{"loc":374},"blog/prompts/netlify-security-config",[381],"Deployment","summary_large_image","J0mf9fMsA7aOxICJOxVAKzmWzjvdVEtyKhj6c9J0osc",1775843938517]