Access Control

This article describes how much access external users have to your sites built on Gatsby Cloud.

This guidance only applies to CMS Previews, Production Builds and Pull Request Builds URLs hosted on Unified Hosting. For access control to work, Unified Hosting MUST be enabled(Site Settings > Builds > Unified Hosting) and Gatsby Hosting disabled(Site Settings > Hosting > Gatsby Hosting) 

Public Access

By default, all  builds are publicly accessible to anyone who has the URL. We set an x-robots-tag: none header to prevent search engines from crawling your site.

Enabling Access Control

To enable access control, go to Site Settings > General > Access Control, then click the Edit button.

There are three options for controlling access to your site:

• Public (default): Any can view your site's Preview and Builds
• Password protected: a password (set by you) is required to view any Preview or Build
• Login required: Use this setting if you want to require a user to have a Gatsby Cloud account in order to view Previews and Builds. They will only have access if they are added as an Editor or Viewer via Member Management.
• IP range protected: Restrict access by a comma separated list of IPv4, IPv6, or CIDR ranges.
  
  • i.e. "123.123.123.123, 111.111.111.11/111, 2001:0db8:85a3:0000:0000:8a2e:0370:7334"
  • This option is only available to Enterprise tier organizations.

Trigger a build after enabling access control if not the site will return a 404 error. 

Gatsby Hosting Considerations

Gatsby Hosting (e.g. your site on the gatsbyjs.io domain and your custom domain) is not protected by access control settings. If you have Gatsby Hosting enabled, your site will always be indexable by search engines and publicly accessible to anyone that has the URL. If you want to limit access completely, you must disable Gatsby Hosting until you are ready to go public with your site. You can upvote the feature request for access control to restrict sites hosted on Gatsby Cloud.