Web development platform for modern sites
Netlify handles static site hosting, serverless functions, and form handling. Its main security risks are serverless function endpoints exposed without authentication, form endpoints that accept unfiltered submissions, and misconfigured redirect rules that can be abused.
Netlify Functions at /.netlify/functions/* are publicly accessible by default.
Add authentication checks inside every function. Never rely on obscurity.
Netlify's built-in form handling can be abused for spam if not protected.
Add honeypot fields and enable reCAPTCHA on Netlify Forms.
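A Netlify Forms markup fragment with both protections in place, added here as an illustration (it is not code from the page or from Netlify; the form name and field names are hypothetical). The honeypot input is hidden from people but visible to bots that fill every field; Netlify discards any submission in which it is non-empty. The reCAPTCHA attribute on the form plus the placeholder div tell Netlify to inject and verify the challenge server-side.

```html
<!-- Added example, not from the page or from Netlify's own documentation.
     Hypothetical contact form: "contact" and the field names are made up. -->
<form name="contact" method="POST"
      data-netlify="true"
      netlify-honeypot="bot-field"
      data-netlify-recaptcha="true">

  <!-- Honeypot: hidden from humans, so only automated submitters fill it in.
       Netlify drops any submission where bot-field has a value. -->
  <p hidden>
    <label>Don't fill this out if you're human: <input name="bot-field" /></label>
  </p>

  <label>Email
    <input type="email" name="email" required />
  </label>
  <label>Message
    <textarea name="message" required></textarea>
  </label>

  <!-- reCAPTCHA widget placeholder; Netlify renders the challenge here and
       rejects submissions that do not carry a valid response token. -->
  <div data-netlify-recaptcha="true"></div>

  <button type="submit">Send</button>
</form>
```

Keep the honeypot hidden with the `hidden` attribute or CSS rather than `type="hidden"`: a truly hidden input is skipped by most bots, which defeats the purpose.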
Misconfigured redirect rules can enable open redirect attacks.
Validate redirect destinations. Avoid wildcard redirects to external domains.
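The two points above (authenticate inside every function, and validate redirect destinations) in one Netlify Function, written here as an added example rather than code from the page or from Netlify. It assumes a shared bearer token in a hypothetical `FUNCTION_TOKEN` environment variable, compares it in constant time, fails closed when the variable is unset, and only honours a caller-supplied `next` target when it is a same-site path.

```javascript
// Added example (not from the page or from Netlify). Assumptions: the shared
// secret lives in process.env.FUNCTION_TOKEN (hypothetical name) and callers
// send it as "Authorization: Bearer <token>".

// Constant-time string comparison: the loop always runs over the full length,
// so an attacker cannot learn the token prefix from response timing.
function tokensMatch(presented, expected) {
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  if (presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Netlify lowercases header names in event.headers; accept either case anyway.
function extractBearer(headers) {
  const h = headers || {};
  const raw = String(h.authorization || h.Authorization || "");
  const m = /^Bearer\s+(\S+)$/.exec(raw.trim());
  return m ? m[1] : null;
}

// Only allow a relative, same-site path as a redirect target. Anything that
// could be read as a full URL ("https://...") or a protocol-relative URL
// ("//host", "/\host") falls back to "/".
function safeNextPath(candidate) {
  if (typeof candidate !== "string") return "/";
  if (!candidate.startsWith("/")) return "/";
  if (candidate.startsWith("//") || candidate.startsWith("/\\")) return "/";
  if (/[\r\n]/.test(candidate)) return "/"; // no header injection via Location
  return candidate;
}

// Synchronous core so it can be exercised without the Netlify runtime.
function authorize(event, expectedToken) {
  if (!expectedToken) {
    // Fail closed: a missing server-side secret must never mean open access.
    return { statusCode: 500, body: "function not configured" };
  }
  const presented = extractBearer(event.headers);
  if (!tokensMatch(presented, expectedToken)) {
    return {
      statusCode: 401,
      headers: { "WWW-Authenticate": "Bearer" },
      body: "unauthorized",
    };
  }
  const next = safeNextPath((event.queryStringParameters || {}).next);
  return { statusCode: 200, body: JSON.stringify({ ok: true, next }) };
}

// Netlify Function entry point.
const handler = async (event) => authorize(event, process.env.FUNCTION_TOKEN);

// Export for the Netlify runtime when loaded as a CommonJS module.
if (typeof module !== "undefined" && module.exports) {
  module.exports.handler = handler;
}
```

The token check happens before any work is done and before the `next` parameter is even looked at, so an unauthenticated caller gets the same 401 regardless of input.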
Default Netlify deployments don't include CSP headers.
Add security headers via netlify.toml or a _headers file in the publish directory.
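A netlify.toml fragment showing the header rules the page calls for, plus redirect rules written so that the only wildcard stays on the same site. This is an added example, not configuration from the page or from Netlify; the hostnames and paths are placeholders, and the CSP is a deliberately strict starting point to be loosened per site.

```toml
# Added example (not the page's or Netlify's own config). Hostnames and
# paths are placeholders.

# Security headers for every response served from the site.
[[headers]]
  for = "/*"
  [headers.values]
    # Strict baseline CSP: same-origin only, no framing, no foreign form targets.
    Content-Security-Policy = "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "DENY"
    Referrer-Policy = "strict-origin-when-cross-origin"
    Strict-Transport-Security = "max-age=31536000; includeSubDomains"
    Permissions-Policy = "camera=(), microphone=(), geolocation=()"

# What the page warns against: a wildcard that forwards arbitrary paths to an
# external domain. Every path under /go/ now lands on a host whose content
# you do not control. Kept commented out as the anti-pattern.
# [[redirects]]
#   from = "/go/*"
#   to = "https://partner.example/:splat"
#   status = 302

# Corrected: external destinations are spelled out one by one ...
[[redirects]]
  from = "/docs"
  to = "https://docs.example.com/"
  status = 301

# ... and the only wildcard rule rewrites within this site.
[[redirects]]
  from = "/blog/*"
  to = "/posts/:splat"
  status = 301
```

The same header rules can live in a `_headers` file instead; netlify.toml is preferable when the rules should be reviewed alongside the rest of the build configuration in version control.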
Build commands that echo environment variables can leak secrets in public build logs.
Never echo secrets in build scripts. Mark sensitive logs as restricted.
Use Netlify's environment variable scoping to prevent staging secrets from leaking to production.
Always authenticate inside your serverless functions — URL obscurity is not security.
Add a _headers file to your site root for easy security header configuration.