Lock Environments with the Dashboard Security Tool

Learn how to use the Security tool in the Site Dashboard to keep your work hidden from the public for Drupal or WordPress site development.


There are occasions while you are working on your site that you would like to keep your progress hidden from the world as you prepare to go live or make updates.

This can be done by putting a username and password on the environment, similar to basic authentication on Apache. Visitors will be prompted to authenticate before the site is served.

Lock environment

Password Protect Your Site's Environments

You have the ability to password protect any of the available environments.

  1. Select the environment (e.g., Dev).
  2. Select Security.
  3. Select Locked.
  4. Provide a username and password.
  5. Click Lock Environment.

If other members of your team on the site need to access the site, they will also be able to view the authentication credentials when they log in to their accounts.

Credentials

Now when your page refreshes you will notice that the environment is now "Private". You will also be able to see the credentials needed to access that environment.

You can set a different username and password for each environment. This is important if you only want the Live site publicly viewable, while Dev and Test can be private as you work on your code and content.

To verify that everything is working correctly, visit the URL of the environment that you have made private. You should see an authentication form where you can enter the username and password for that environment to start your session.

Locked site example

If you'd like to customize the lock page that displays beneath the authentication form, you can add a locked.html file in your site's root directory.

Unlock a Site's Environment

When you are ready to make your environment public again, click Security on your Site Dashboard. Next to Environmental Access, click Public. This will clear the credentials you entered and make the web accessible resources available without a basic authentication prompt.

Scripting Site Locking Operations

Your site may also be locked and unlocked using Terminus.

To lock a site:

terminus lock:enable <site>:<env> -- user password

To unlock a site:

terminus lock:disable <site>:<env>

Troubleshooting

Drupal HTTP Authentication Module

The HTTP Basic Authentication core module (Drupal 8) and Basic HTTP Authentication contrib module (Drupal 7) conflict with Pantheon's Security tool if both are enabled. We recommend using Pantheon's Security tool within the Site Dashboard on target environments, or the module to restrict access, not both.

Sites that have the environment locked on Pantheon in addition to enabling the module will experience 403 errors. You can resolve these errors by unlocking the environment in the Site Dashboard, clearing cache, then disabling the module in Drupal's admin interface. Once you've disabled the module you can safely lock the environment on Pantheon.

Alternatively, you can resolve 403 errors by using Terminus to disable the module:

terminus remote:drush <site>:<env> -- pm-uninstall basic_auth -y
terminus remote:drush <site>:<env> -- pm-disable basic_auth -y