Basic authentication

      Last updated April 16, 2021

    Basic authentication is a simple way of protecting a website at the edge. Users enter a username and password combination to access pages protected by basic authentication. You can use basic authentication to restrict access to low-risk assets like testing and staging environments.

    Using VCL or Compute@Edge

    Basic authentication can be implemented using custom VCL, VCL Snippets, or Compute@Edge. See our HTTP basic auth example for details.

    Using basic authentication with GCS

    To use basic authentication with Google Cloud Storage (GCS) as an origin server, add a request header that deletes the http.Authorization header so that it is not sent to GCS. If that header reaches GCS, GCS responds with a "Not Authorized" message instead of serving your request.

    Security considerations

    There are several security considerations you should take into account before using basic authentication:

    Using access control lists

    As an alternative to basic authentication, you can use access control lists (ACLs) to restrict access to your assets by allowlisting a set of IP addresses. To allowlist IP addresses with an ACL, add custom VCL to Fastly's boilerplate VCL.

    # Who is allowed access ...
    acl local {
        "localhost";
        "192.168.1.0"/24; /* and everyone on the local network */
        ! "192.168.1.23"; /* except for the dial-in router */
    }
    

    See our ACL guides for more information.
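
    The pieces described on this page, combined in one custom VCL sketch. This is an added example, not Fastly's own basic auth example: the names office and basic_auth_users, the address range, and the user:pass credential are constructed, and the policy of letting ACL members skip the password prompt is an assumption of the example.

```vcl
# Constructed allowlist: clients in this range are not challenged.
acl office {
  "203.0.113.0"/24;
}

# Keys are base64("username:password"). This key encodes the
# constructed pair user:pass; replace it with real credentials.
table basic_auth_users {
  "dXNlcjpwYXNz": "user",
}

sub vcl_recv {
#FASTLY recv
  declare local var.authorized BOOL;
  set var.authorized = false;

  if (client.ip ~ office) {
    # Allowlisted address: no credentials required.
    set var.authorized = true;
  } else if (req.http.Authorization ~ "^Basic ([A-Za-z0-9+/=]+)$") {
    # re.group.1 holds the base64 credential captured by the match above.
    if (table.contains(basic_auth_users, re.group.1)) {
      set var.authorized = true;
    }
  }

  if (!var.authorized) {
    error 401 "Restricted";
  }

  # Credentials were verified at the edge. Do not forward them to the
  # origin; GCS answers "Not Authorized" if it receives this header.
  unset req.http.Authorization;

  # ... remainder of the boilerplate vcl_recv ...
}

sub vcl_error {
#FASTLY error
  if (obj.status == 401) {
    # Ask the browser to prompt for a username and password.
    set obj.http.WWW-Authenticate = {"Basic realm="staging""};
    synthetic {"Authentication required"};
    return(deliver);
  }
}
```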
