Netlify Security Checklist
Last updated: January 12, 2026
Use this checklist to ensure your Netlify application is secure before launch. 4 critical items require immediate attention.
Why This Security Checklist Matters
Security checklists serve as systematic guides for identifying vulnerabilities that might otherwise be overlooked during rapid development cycles. For Netlify applications specifically, this checklist addresses the most common security gaps that emerge when using AI-assisted development workflows.
Research from multiple security organizations indicates that approximately 80% of AI-built applications contain at least one exploitable vulnerability at launch. The vulnerabilities are often predictable—they follow patterns that this checklist is designed to catch. By systematically reviewing each item, you significantly reduce the risk of launching an insecure application.
Unlike generic security checklists, this guide focuses specifically on vulnerabilities prevalent in Netlify applications. Each item has been prioritized based on real-world attack patterns and the potential impact of exploitation. Critical items should be addressed before any production deployment.
Critical Priority
Critical items can lead to complete application compromise, data breaches, or unauthorized access to all user accounts. These must be addressed before deploying to production. Attackers actively scan for these vulnerabilities.
High Priority
High priority items represent significant security risks that could allow unauthorized access to sensitive data or functionality. While not immediately catastrophic, these vulnerabilities should be fixed as soon as possible.
Medium/Low Priority
Medium and low priority items strengthen your overall security posture. While they may not be immediately exploitable, addressing them prevents attack chains and defense-in-depth gaps.
Manual vs Automated Security Checking
While manual security reviews are thorough, they're time-consuming and prone to human error. Automated scanning catches common vulnerabilities instantly, freeing you to focus on business logic and complex security decisions.
Items VAS Automates
- Exposed API keys and secrets in JavaScript bundles
- HTTP security header configuration
- Supabase RLS policy testing
- Firebase Security Rules validation
- Cookie security attributes
Manual Review Still Required
- Business logic vulnerabilities
- Custom authentication implementations
- Access control logic in API routes
- Data validation requirements
- Third-party integration security
Security Headers
Create _headers file
AutoAdd security headers in a _headers file in your publish directory
Configure Content-Security-Policy
AutoDefine allowed sources for scripts, styles, and other resources
Enable HSTS
AutoAdd Strict-Transport-Security header to force HTTPS
Set X-Frame-Options
AutoPrevent clickjacking with DENY or SAMEORIGIN
Add security headers via netlify.toml
Alternatively configure headers in netlify.toml for version control
Environment Variables
Understand build-time vs runtime variables
Build-time vars are baked into output, runtime vars are only for functions
Scope variables by deploy context
Use different values for production, deploy-preview, and branch-deploy
Don't expose secrets in build output
AutoEnsure sensitive values aren't printed in build logs or bundled into frontend
Use Netlify CLI for local development
netlify dev injects environment variables for local testing
Netlify Functions Security
Authenticate function endpoints
Don't expose sensitive functions without proper authentication
Validate input in functions
Always validate and sanitize data received by serverless functions
Set appropriate timeout limits
Configure function timeout to prevent resource abuse (default 10s)
Use scheduled functions carefully
Scheduled functions run with full permissions - ensure proper security
Deploy Preview Security
Protect deploy previews
Use branch protection or password protect previews for sensitive sites
Configure Identity for access control
Use Netlify Identity to control who can access preview builds
Don't use production data in previews
Connect preview deploys to staging databases, not production
Review deploy preview URLs
Ensure preview URLs aren't indexed or accidentally shared
Don't Check Manually
VAS automatically checks 5 of these 17 items. Get instant results with detailed remediation guidance.
Run Automated Security ScanFrequently Asked Questions
How do I add security headers on Netlify?
Create a _headers file in your publish directory or add headers in netlify.toml. Each line specifies a path and header value. VAS can verify your headers are configured correctly after deployment.
What's the difference between build-time and runtime env vars?
Build-time variables are embedded in your built output and visible in client-side code. Runtime variables are only available in Netlify Functions. Never put secrets in build-time variables that get bundled into frontend code.