Secure your Netlify deployments with these essential practices. From environment variables to Edge Functions security.
Netlify handles infrastructure security, but application security is your responsibility. These practices help you deploy securely on Netlify.
Never commit secrets to your repository. Use Netlify's environment variable management.
Add secrets in Netlify Dashboard → Site Settings → Environment Variables
Use different secrets for Production, Deploy Preview, and Branch Deploy contexts.
Configure context-specific values in Site Settings → Environment Variables
Validate authentication and authorization in every serverless function.
Check JWT/session validity and user permissions at function start
Add CSP, HSTS, and other security headers via _headers file or netlify.toml.
Create _headers file in publish directory or add headers to netlify.toml
Deploy previews are public by default. Add protection for sensitive sites.
Use password protection or identity-based access control
If using Netlify Graph, restrict which APIs are accessible and validate requests.
Configure allowed operations and validate caller identity
Exposes production secrets in previews
Use context-specific values for sensitive variables
Anyone with the URL can call your functions
Validate authentication at the start of every function
Preview URLs can leak unreleased features or test data
Enable access control for deploy previews
Yes, Netlify encrypts environment variables and only exposes them to your build and functions. They're not visible in logs or client-side code.
Create a _headers file in your publish directory with headers like Content-Security-Policy, or add headers configuration to netlify.toml.
Only if you configure them to. Use context-specific environment variables to ensure previews use staging/test resources.
Last updated: January 2026