HOW TO SECURE NETLIFY - SECURITY GUIDE | VIBEEVAL
Netlify Security Context
Netlify handles TLS, CDN, and basic DDoS automatically. Your residual surface lives in: env vars and their per-context scoping, the _headers and _redirects files (which are deploy-time security configuration), Functions (which are publicly reachable unless you gate them), Forms (which need spam protection), and deploy preview URLs (which bypass any custom-domain auth gate).
Security Checklist
1. Configure environment variables per deploy context
In Site → Site settings → Environment variables: set distinct values for Production / Deploy Previews / Branch Deploys / Local development. Never share the production Stripe key with deploy previews — preview URLs are accessible to anyone with the URL, which means a shared key is a leaked key.
2. Set security headers in _headers
Create or edit _headers in your publish directory:
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Content-Security-Policy: default-src 'self'
  Permissions-Policy: geolocation=(), camera=(), microphone=()
Verify with the Security Headers Checker.
3. Lock down deploy previews
Site → Site settings → Visitor access → Password protection: enable for deploy previews and branch deploys. Without this, every git push creates a public URL that has the full app — including the routes you only meant production users to see.
4. Audit Netlify Functions for auth
Each netlify/functions/*.ts (or .js) is internet-reachable. The handler must check the session before doing any work. For @netlify/functions v2: read the token from event.headers['authorization'] and verify it before touching the request body. Add input validation (Zod) on the body. Set streaming for long responses; set explicit timeouts to bound cost.
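As an added example (not code from the page or from Netlify), a Functions v2-style handler that fails closed on a missing or wrong bearer token before it reads the body, then validates the JSON by hand in place of a Zod schema; the FUNCTION_API_TOKEN variable name and the contact-form field shapes are assumptions.

```javascript
// Hypothetical env var; set a distinct value per deploy context (see item 1).
const EXPECTED_TOKEN = process.env.FUNCTION_API_TOKEN || "";

// Full-length comparison so a wrong token cannot be narrowed down byte by byte
// (crypto.timingSafeEqual in a real module; inline here to stay dependency-free).
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Accept only "Authorization: Bearer <token>" equal to the configured token.
// An unset token fails closed instead of letting every request through.
function authorize(headers, expected = EXPECTED_TOKEN) {
  const [scheme, token, extra] = (headers.get("authorization") || "").split(" ");
  if (!expected || scheme !== "Bearer" || !token || extra !== undefined) return false;
  return constantTimeEqual(token, expected);
}

// Manual schema for a contact payload { email, message }; only known fields are returned.
function validateBody(body) {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  if (typeof body.email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) {
    errors.push("email: must be a valid address");
  }
  if (typeof body.message !== "string" || body.message.length < 1 || body.message.length > 2000) {
    errors.push("message: must be 1-2000 characters");
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { email: body.email, message: body.message } };
}

const json = (obj, status) =>
  new Response(JSON.stringify(obj), { status, headers: { "content-type": "application/json" } });

// Functions v2 handler shape (Request in, Response out); auth runs before the body is read.
async function handler(req) {
  if (req.method !== "POST") return json({ error: "method not allowed" }, 405);
  if (!authorize(req.headers)) return json({ error: "unauthorized" }, 401);
  let body;
  try { body = await req.json(); } catch { return json({ error: "malformed JSON" }, 400); }
  const result = validateBody(body);
  if (!result.ok) return json({ errors: result.errors }, 400);
  // ... do the real work with result.value here ...
  return json({ received: true }, 202);
}
```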
5. Configure Netlify Forms securely
If you use Netlify Forms: enable reCAPTCHA (data-netlify-recaptcha="true" on the form element) or honeypot (data-netlify-honeypot="bot-field"). Without spam protection, the form is a free email-spam relay. For sensitive submissions, route to a Function instead and add custom validation.
6. Audit _redirects for open redirects
Open the _redirects file. Look for patterns that obey a query parameter (/redirect?to=:url 302). These are phishing pivots — an attacker constructs a URL pointing to your trusted domain that redirects to their phishing page. Stick to specific source → specific destination. See SSRF / open redirect / OAuth.
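As an added example (not tooling from the page or from Netlify), a small checker that parses a constructed _redirects sample and flags rules whose destination host is chosen by a placeholder rather than fixed in the file; the sample rules and the heuristic are assumptions, not a complete model of Netlify's redirect syntax.

```javascript
// Constructed sample _redirects file (not from any real site); rules 4 and 5 are the
// open-redirect shape item 6 describes, the others are ordinary redirects and a proxy.
const SAMPLE_REDIRECTS = `# comments and blank lines are ignored
/old-page            /new-page                          301
/store id=:id        /blog/:id                          301
/out to=:to          :to                                302
/go url=:url         https://:url/                      302
/api/*               https://api.example.com/:splat     200
/news/*              /blog/:splat                       301
`;

// Parse _redirects lines into { line, from, params, to, status }.
// Tokens after `from` of the form key=value are query-parameter captures.
function parseRedirects(text) {
  const rules = [];
  text.split("\n").forEach((raw, i) => {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) return;
    const tokens = line.split(/\s+/);
    const params = {};
    let j = 1;
    while (j < tokens.length && /^[\w.-]+=/.test(tokens[j]) && !tokens[j].startsWith("/")) {
      const [key, value] = tokens[j].split("=", 2);
      params[key] = value;
      j++;
    }
    rules.push({ line: i + 1, from: tokens[0], params, to: tokens[j] || "", status: tokens[j + 1] || "301" });
  });
  return rules;
}

// Flag rules whose destination host comes from a placeholder (:name, :splat or *)
// rather than being fixed in the file: a bare ":to", a protocol-relative "//:host",
// or a scheme followed by a placeholder in the authority part.
function findOpenRedirects(text) {
  const findings = [];
  for (const rule of parseRedirects(text)) {
    const m = rule.to.match(/^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i);
    const authority = m ? m[1] : null;
    const bare = rule.to.startsWith(":");
    const taintedHost = authority !== null && /(^|[^\w]):[A-Za-z_]|\*/.test(authority);
    if (bare || taintedHost) {
      findings.push({ line: rule.line, from: rule.from, to: rule.to, status: rule.status });
    }
  }
  return findings;
}
```

Run it over the real file with `findOpenRedirects(fs.readFileSync("_redirects", "utf8"))`; any finding should be replaced by a fixed source-to-destination pair.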
7. Enforce HTTPS
Site settings → Domain management → HTTPS → Force HTTPS: on. Test by hitting http://yourdomain.com and confirming the redirect.
8. Audit build logs for leaked secrets
Deploys → [deployment] → Deploy log: search for known secret prefixes (sk_live, service_role, AKIA). A common bug: a build script console.logs the whole env, secrets included, into the public deploy log.
9. Configure team permissions
Team → Members: review quarterly. Roles are Owner / Developer / Reviewer / Billing. Developer can deploy and read env vars — keep that list small. Remove ex-team members the same day; rotate sensitive secrets after a departure.
10. Enable audit logging
Team Settings → Audit log (Pro+ tier): track deploys, env-var changes, member additions. Useful for incident response.
11. Audit Edge Functions
Netlify Edge Functions run on Deno Deploy. Same security rules as any function: validate inputs, check auth, no secrets in URL params, CORS to your origin. The Edge Function context exposes Netlify.env.get(...) for secrets — never hardcode.
12. Configure Netlify Identity carefully (if used)
If using Netlify Identity (now in maintenance mode for new sites — Auth0 / Clerk are alternatives): set role-based access via the JWT roles claim, gate functions with event.clientContext.user, never trust the client-supplied identity without verifying.
13. Audit Large Media / asset URLs
Files in your published public/ directory are world-readable via the CDN URL. For genuinely private files (user uploads, internal docs), don’t publish to the static directory — use a Function-mediated download with auth check.
14. Verify DDoS / WAF
Netlify provides basic DDoS protection automatically. For larger sites, integrate Cloudflare or another CDN/WAF in front. Confirm the origin is locked to the WAF’s IPs only.
15. Audit split testing
If using Netlify split testing: confirm the variants don’t expose information that should differ per user (a logged-in variant served to logged-out users, a paid-tier variant served to free users).
16. Configure CORS on Functions
For Functions called by your own frontend: don’t add CORS (same-origin works without). For cross-origin: allowlist your specific domain, never * with credentials. See CORS credentials misconfig.
17. Run a security scan
The Vibe Code Scanner catches the deploy-side patterns; the full VibeEval scan adds BOLA, webhook trust, and the rest.
Related Resources
Free Self-Audit Suite
Five free scanners.
Vibe Coding Security Risk Guide
Full risk catalogue.
Solo Founder Pre-Launch Checklist
12 checks before launch.
Automate Your Security Checks
VibeEval scans your Netlify deployment against every category above. Findings ship as paste-ready prompts for your AI editor.