Basic authentication

Basic authentication is a simple way of protecting a website at the edge. Users enter a username and password combination to access pages protected by basic authentication. You can use basic authentication to restrict access to low-risk assets like testing and staging environments.


Basic authentication shouldn't be used to restrict access to sensitive information. See the security considerations section for more information.

Implementing basic authentication

Follow our HTTP basic auth example to implement basic authentication using custom VCL or Compute.

Using basic authentication with GCS

To use basic authentication with Google Cloud Storage (GCS) as an origin server, add a request header that deletes the http.Authorization header, which prevents it from being sent to GCS. If GCS receives that header, it responds with a "Not Authorized" message instead of fulfilling your request.

Security considerations

There are several security considerations you should take into account before using basic authentication:

  • Basic authentication can't protect high-risk information. Don't use it to restrict access to sensitive information.
  • If you're not using TLS, the password will be transmitted over the wire in Base64 encoding. The encoded string could easily be captured using an application like Wireshark and converted to plaintext.
  • The user's web browser caches the password and can also save it permanently.
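
The following is an added example, not Fastly's code. It illustrates two points from this page: a Basic `Authorization` header decodes straight back to the password, and the header should be dropped before the request is forwarded to an origin such as GCS. The function names, the lowercase-keyed header objects, the `staging` realm and all sample values are assumptions made for the sketch.

```javascript
// Added example; all credentials and header values are constructed.
// Headers are plain objects with lowercase keys (an assumption of this sketch).

// Decode "Basic <base64>" into { user, pass }; return null if malformed.
// Base64 is an encoding, not encryption: whoever sees the header has the password.
function parseBasic(value) {
  const m = /^Basic +([A-Za-z0-9+/]+=*)$/i.exec(value || "");
  if (!m) return null;
  let decoded;
  try {
    const bytes = Uint8Array.from(atob(m[1]), (ch) => ch.charCodeAt(0));
    decoded = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  } catch {
    return null; // invalid Base64 length or bytes that are not UTF-8
  }
  const i = decoded.indexOf(":"); // the user-id ends at the FIRST colon
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Compare two strings without stopping at the first differing byte.
function safeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Edge decision: challenge with 401, or forward to the origin without credentials.
function handleAtEdge(headers, expected) {
  const creds = parseBasic(headers["authorization"]);
  const userOk = creds !== null && safeEqual(creds.user, expected.user);
  const passOk = creds !== null && safeEqual(creds.pass, expected.pass);
  if (!(userOk && passOk)) {
    return { status: 401, headers: { "www-authenticate": 'Basic realm="staging"' } };
  }
  // Drop Authorization so the origin (GCS in the page's case) never receives it.
  const { authorization, ...originHeaders } = headers;
  return { status: "forward", originHeaders };
}

// Constructed request: the password itself contains colons.
const sample = { host: "staging.example.com",
                 authorization: "Basic " + btoa("alice:pa:ss:word") };
console.log(parseBasic(sample.authorization));
console.log(handleAtEdge(sample, { user: "alice", pass: "pa:ss:word" }));
```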

Using access control lists

As an alternative to basic authentication, you can use access control lists (ACLs) to restrict access to your assets by allowlisting a set of IP addresses. To allowlist IP addresses with an ACL, add custom VCL to Fastly's boilerplate VCL.

# Who is allowed access ...
acl local {
  "localhost";
  ""/24; /* and everyone on the local network */
  ! ""; /* except for the dial-in router */
}

See our ACL guides for more information.
