Security at Netlify
We’re trusted by over 1,000,000 companies and developers to run secure, performant sites and applications.
A global platform that is secure by design
- SOC 2 Type 2
Reduced attack surface
Across our global Edge, content deployed to the edge nodes is fully prerendered and static, offering no active processes or surface area for attack.
Application code runs on Netlify's build infrastructure (prior to deployment) and when using cloud functions (in production). Both environments are ephemeral, spinning up new, temporary containers just long enough to execute each task. That means there are no idle environments to attempt to exploit, and limited exposure to public networks.
SOC 2 and PCI compliant
Netlify undergoes a SOC 2 Type 2 audit annually, performed by an independent auditor. (Our enterprise customers can request a full audit report.) Netlify is PCI compliant for all SAQ-A requirements to safely process credit card transactions.
Netlify uses Let's Encrypt to provide free HTTPS certificates for every domain deployed. You can also bring and install your own certs.
Vetted, top-tier cloud providers
Netlify deploys only to major cloud providers who regularly undergo extensive security audits and certifications.
We work closely with security researchers
We welcome close collaboration with the worldwide security research community.
Checked. And double-checked.
Active DDoS mitigation
Netlify monitors for traffic pattern anomalies and spikes, and effectively controls for them as needed.
Netlify regularly performs third-party penetration tests and engages the wider security community. We do not offer testing as a service for the infrastructure, and the ability to run such tests or view reports on our own testing is reserved for customers on our Enterprise tier.
All traffic over our networks is TLS encrypted, and all sensitive information, like access tokens, is encrypted at rest.
Netlify leverages globally-distributed data center partners that comply with leading security policies and frameworks.
Integrate Netlify into your organization with Single Sign-on
Teams can sign in to the Netlify UI with G Suite, Okta, OneLogin, Ping Identity, or most identity providers that support SAML 2.0.
Verify team members with two-factor authentication
Protect access to your Netlify account by requiring a time-based passcode from an app like Authy or Google Authenticator before allowing access.
Control who can do what
Users added to your Netlify account can be given access to all sites within the team, or only specific sites. You can restrict who can create sites, edit site settings, add or remove team members, manage billing information and more.
Audit every action
Netlify audit logs provide transparency into the different actions taken by team members on various team and site settings.
Audit logs provide an overview and historical log of nearly every action that can be taken by your team members.
Manage signups, logins, password recovery, and more — all without rolling your own authentication service.
Register and authenticate visitors to your site so you can gate content, enable CMS functionality, make authenticated calls to outside services, and more. Securely integrate with any service that understands JSON Web Tokens.
- Authenticate users using Netlify Identity
- Authorize users to view different parts of the site
- Redirect users based on their permissions or location
- Password protect the entire site or part of it
Want to learn more about security at Netlify?
Work with one of our engineers to assess your security needs and determine the unique requirements of your application.