Password Protection
Restrict access to your deployed sites with a shared password.
How It Works
When password protection is enabled, visitors must enter a password before they can view your site. After entering the correct password, a session cookie is set and they can browse freely for 7 days.
This is useful for:
- Staging sites — Restrict preview deployments to your team
- Client projects — Share work-in-progress with clients before launch
- Private content — Limit access to internal tools or documentation
Setup
Configure password protection from the dashboard:
- Navigate to your site’s Settings page
- Under Password Protection, choose a scope
- Enter a password (4–128 characters)
- Save
Protection Scopes
| Scope | What’s Protected |
|---|---|
| none | No protection (default) |
| production | Only the live production deployment |
| preview | Only preview deployments (non-current) |
| all | Both production and preview deployments |
Via API
```bash
# Enable password protection for production
curl -X PATCH -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"password": "my-secret", "scope": "production"}' \
  "https://api.zerodeploy.dev/sites/my-site/password"

# Disable password protection
curl -X PATCH -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"scope": "none"}' \
  "https://api.zerodeploy.dev/sites/my-site/password"
```
Visitor Experience
When a visitor accesses a protected site:
- They see a branded password prompt
- They enter the password
- If correct, a session cookie (__zd_access) is set for 7 days
- They can browse the site freely until the session expires
The password prompt page is styled to match ZeroDeploy branding with a clean, minimal design.
Security
- Password hashing — Passwords are hashed with PBKDF2-SHA256 (100,000 iterations) and never stored in plain text
- Rate limiting — 5 attempts per 5 minutes per IP address to prevent brute-force attacks
- Session cookies — HttpOnly, Secure, SameSite=Lax with HMAC-signed tokens
- Timing-safe comparison — Password verification uses constant-time comparison to prevent timing attacks
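The following sketch shows how the four controls listed above fit together. It is an added example, not ZeroDeploy's own code: the token layout, the 16-byte salt, the separate signing key and `Path=/` are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, time

ITERATIONS = 100_000          # PBKDF2 iteration count stated on this page
SESSION_TTL = 7 * 24 * 3600   # 7-day session stated on this page

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest); the password itself is never stored."""
    if not 4 <= len(password) <= 128:
        raise ValueError("password must be 4-128 characters")
    salt = salt or os.urandom(16)   # 16-byte random salt is an assumption
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(candidate, salt, stored):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)   # constant-time comparison

def b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(site, key, now=None):
    """Assumed layout: b64("site|expiry") + "." + b64(HMAC-SHA256 of that payload)."""
    expiry = (int(time.time()) if now is None else now) + SESSION_TTL
    payload = f"{site}|{expiry}".encode()
    return b64(payload) + "." + b64(hmac.new(key, payload, hashlib.sha256).digest())

def check_token(token, site, key, now=None):
    try:
        p64, s64 = token.split(".")
        payload, sig = unb64(p64), unb64(s64)
    except ValueError:               # wrong shape or invalid base64
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False                 # forged or tampered: payload is never parsed
    token_site, expiry = payload.decode().rsplit("|", 1)
    now = int(time.time()) if now is None else now
    return token_site == site and now < int(expiry)

def cookie_header(token):
    # Attributes from the Security list above; Path=/ is an assumption.
    return (f"__zd_access={token}; Max-Age={SESSION_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```

The signature is checked before the payload is parsed, so a visitor who edits the expiry in the cookie gets a rejected token instead of a longer session.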
Password Requirements
- Minimum length: 4 characters
- Maximum length: 128 characters
Changing the Password
When you update the password, all existing sessions remain valid until they expire (up to 7 days). To immediately invalidate all sessions, change the password twice — the session tokens are tied to the password hash.
Plan Limits
| Feature | Free | Pro |
|---|---|---|
| Password protection | — | Included |
| Protection scopes | — | All scopes |
| Session duration | — | 7 days |