IS NETLIFY SAFE?
Netlify makes deployment effortless but ships with minimal security defaults. Missing headers, exposed environment variables, and unprotected serverless functions are common in Netlify projects. This guide covers what you need to lock down before going live.
TOP SECURITY RISKS
Missing Security Headers
Netlify does not add Content-Security-Policy, Strict-Transport-Security, or X-Frame-Options by default. Without these headers, your site lacks its browser-enforced defenses against XSS, clickjacking, and protocol-downgrade (man-in-the-middle) attacks.
Environment Variables Exposed in Build Logs
Build logs can accidentally print environment variables during the build process. If your CI pipeline echoes commands or a misconfigured script logs its environment, secrets become visible to anyone with deploy access.
Unauthenticated Serverless Functions
Netlify Functions are publicly accessible by default at /.netlify/functions/. Without explicit authentication checks, any attacker can invoke your backend logic directly, bypassing your frontend entirely.
Open Redirects via Redirect Rules
Misconfigured redirect rules in _redirects or netlify.toml can create open redirect vulnerabilities. Attackers use these to craft phishing URLs that appear to originate from your trusted domain.
No Rate Limiting on Functions
Netlify does not provide built-in rate limiting for serverless functions. Without external protection, attackers can abuse your endpoints with automated requests, running up costs and degrading service.
FREQUENTLY ASKED QUESTIONS
Does Netlify add security headers automatically?
No. Netlify does not set Content-Security-Policy, HSTS, or X-Frame-Options by default. You must add them manually via a _headers file or netlify.toml. UNPWNED checks for all missing security headers and tells you exactly which ones to add.
How do I protect my Netlify serverless functions?
Add authentication checks at the top of every function: verify JWTs, API keys, or session tokens before processing requests. UNPWNED scans your function endpoints to detect unauthenticated access and missing rate limiting.
Can my Netlify environment variables leak?
Yes, through build logs, client-side bundles with NEXT_PUBLIC_ or REACT_APP_ prefixed vars, and misconfigured function responses. Scope variables to production only when possible. UNPWNED scans for exposed environment variables and secrets in your deployed site.
How do I add rate limiting to Netlify?
Netlify has no built-in rate limiting. Use Netlify Edge Functions with an in-memory counter, or place Cloudflare or another WAF in front of your site. UNPWNED tests your endpoints for rate limiting and flags any that accept unlimited requests.
Are Netlify deploy previews a security risk?
They can be. Deploy previews are publicly accessible by default and may expose unreleased features or staging data. Enable branch deploy protection and avoid using production secrets in preview environments. UNPWNED can scan both your production and preview URLs.
Data based on 447+ website scans. Last updated: 2026-04-06. Statistics reflect aggregate findings across all scanned websites, not Netlify exclusively.