Zesty.io Documentation
Zesty.io Documentation
Zesty.io
Open Source
ATOM Plugin
Start Trial
Introduction
Quick Start Guide
Common Concepts
Glossary
Services
WebEngine
Modes
Environment States & Caching Behaviors
Resource Resolution
View Templating
Parsley
CSS & JS Processing Flow
Head & Meta Tags
30X Redirects
Security
Hybrid CDN Setup
File Proxy
DAM (Media Management)
Accounts UI
Manager UI
EcoSystems
APIs
Overview
Auth API
Accounts API
Instances API
Instant API (Read Only)
GraphQL
Tools & Resources
Guides
Node SDK
Atom IDE Package
Chrome Browser Extension
Headless Code Examples
Salesforce Commerce Cloud
Smart Devices
Community
RFCs/Specs
Powered by GitBook

Security

Authentication headers and Preview Lock protects your preview URL from being freely accessed and misused.

Stage Preview Lock Protection

The WebEngine preview URL is locked from public consumption. As such it will only render if:

  1. The user is logged in and has access to that instance.

  2. A valid password has been provided. This password is set by via the Settings under security , a user may enter the password to start a verified session.

Any instance created on or after Jan 1, 2021 is automatically locked. If your instance is older and you would like Preview Lock Protection, please reach out to support.

Once a user is verified by (via password or their user login session), a unique device imprint cookie ZVerified is created and is used to quickly bypass the preview lock for every network request.

Preview Lock Protection exists to protect your un-published changes and to prevent users from using the preview URL in production.

Preview Lock Protection Password

For Instances created before Jan 1, 2021, contact your account manager, as you will need a setting added to your instance. Once the Preview Lock Password text field has been added your preview URL will be password protected.

Setting a Preview Lock Protection Password

When the preview URL is being accessed by non-authenticated Zesty users, you may set a Preview Lock Password which prompts an unauthenticated user to enter a password. They may try 5 times before being locked out.

Linking with a Password

If the ability to pass the preview lock password as a get parameter is required for internal sharing or for internal authenticated workflow (Jira, Private Github, Etc), then a password can be passed with the zpw query param like:

https://HASH-dev.webengine.zesty.io/?zpw=12345

where 12345 is whatever the preview lock password is. The user that opens that link will be authenticated for their browsing session, and will be able to free view the site without entering a password.

This also works for headless testing against the preview environment.

Production Authentication Headers

Production sites can be blocked by forcing an authorization header to be added to each request likeAuthorization: bearer [SECRET KEY] . Authorization headers can be edited in manager ui > settings > security

Headless Authorization will be applied to Instant, Headless, and GQL APIs.

Full WebEngine Authorization will be applied to every request. This setting will collide with Headless Authorization, therefore, headless authorization needs to be removed when using Full WebEngine authorization.

Adding authorization secret key reflect immediately in production site and will block public access. Pages that are already cached will need to be purged for required authentication to take effect.

Editable in manager ui > settings > security

​

Previous
30X Redirects
Next
Hybrid CDN Setup
Last updated 4 weeks ago
Edit on GitHub
Contents
Stage Preview Lock Protection
Production Authentication Headers