Site Factory

Protecting sites with HTTP authentication

On occasion, you want to control who can visit your website while under development:

  • You want only the team working on your website to see the website.

  • You want to block search engine crawlers or robots not respecting your robots.txt file.

The Site Factory HTTP authentication feature provides an extra measure of protection to prevent exposing your hosted websites to unauthorized visitors, while still providing access to users who are working on the websites.

To give HTTP authentication protection, Site Factory uses the Drupal Shield module to require website visitors to enter a username and password to view your website. The Site Factory Management Console can enable the Shield module for your websites requiring HTTP authentication.


HTTP authentication is intended for non-primary websites in an Site Factory site collection. The HTTP authentication feature in Site Factory doesn’t distinguish between production and non-production environments.

HTTP authentication is set to be enabled/disabled across all stacks in a subscription. If a user enables the feature, it will be enabled in the same configuration for all stacks.


To use HTTP authentication, you must add the Shield module to your Site Factory codebase.

Enabling HTTP authentication requirements

All users who visit a non-primary website in a site collection protected by HTTP authentication must enter the same user name and password to view the website.

To require HTTP authentication for your Site Factory non-primary websites:

  1. Sign in to the Site Factory Management Console using an account with the platform admin role.

  2. In the admin menu, click Administration, and then, under Site Factory management, click the Require HTTP authentication link.

  3. Click the Require HTTP authentication checkbox, and then enter values in the following fields:

    • Default site guard message: Displayed to website visitors in the HTTP authentication login dialog box

    • HTTP authentication user name: User name required to access the protected websites

    • HTTP authentication password: Password required to access the protected websites

  4. Click Save.

Existing site collections aren’t instantly protected by HTTP authentication. HTTP authentication occurs the first time a domain name or primary website status changes within the site collection.

Site collections and HTTP authentication

If a site collection has a custom domain name, HTTP authentication applies to all secondary websites in the site collection. If a site collection doesn’t have a custom domain name, HTTP authentication applies to both primary and secondary websites.

Maintenance mode comparison

As an alternative to using the Shield module to require HTTP authentication, you must configure your website to use maintenance mode. Maintenance mode blocks access to non-authorized users so only administrators can sign in to your websites. Lower-level content managers who aren’t administrators can’t sign in to websites in maintenance mode.