Is Netlify Safe?
Netlify itself is safe · SOC 2 certified, DDoS-protected, TLS everywhere. The apps hosted on it are only as secure as their `_headers` file, function auth, and how carefully env vars are scoped.
Known risks
- Missing security headers · Netlify sites don't get CSP, HSTS, or X-Frame-Options by default. Without them, XSS and clickjacking are easier.
- Unauthenticated functions · Netlify Functions are public by default. Any endpoint without an auth check inside the handler is world-accessible.
- Build env vs runtime env confusion · Prefixed vars like `VITE_` are baked into the bundle. It's easy to leak an intended-server secret this way.
How to make it safer
- Add a `_headers` file · Ship CSP, HSTS (`max-age=31536000; includeSubDomains`), and X-Frame-Options: DENY in `public/_headers`.
- Guard functions with a session check · First line of every function: verify the caller's JWT or session cookie. Return 401 otherwise.
- Scan the deployed site · SimplyScan checks headers, exposed keys, and function surface on any Netlify URL.
Frequently asked
Is Netlify safe for production?
Yes · it's a mainstream production host. Your app config, not Netlify, is where security lives or dies.
Does Netlify add security headers automatically?
No. You must add them via `_headers` or `netlify.toml`.
Are Netlify Functions secure?
The runtime is. The handlers you write need auth checks · they're internet-facing by default.
Scan your Netlify app →