Protection Schemes

on January 25th, 2019

Let's say you're close to launching a site and the rest of your team, company, or your client wants to preview it first. A common enough scenario to be sure. Let's also say you don't want Google, or anyone else for that matter, seeing it first. Sure, you could use server authentication with htpasswd or something equivalent, but that involves googling where that darn password file goes, how to format it, and so on.

We've been in this situation a hundred times, having our roots in agency work. So we just went ahead and made this easy for you. Statamic 3 has a full-fledged protection config you can enable to block access to certain pages, sections, or even the entire site.

There are three different types of native protection drivers that you can use to create any number of schemes you wish. These are defined in a Laravel-style PHP config file.


// config/statamic/protect.php

return [

    /* The default scheme applies to the entire site. */
    'default' => null,

    /* Supported drivers: "ip_address", "auth", "password" */
    'schemes' => [
        'ip_address' => [
            'driver' => 'ip_address',
            'allowed' => ['']
        'logged_in' => [
            'driver' => 'auth',
            'login_url' => '/login',
            'append_redirect' => true,
        'password' => [
            'driver' => 'password',
            'allowed' => ['spaghetti&meatballs'],
            'form_url' => null,

The Drivers

IP Address

Whitelist the IP Addresses you want to have access, and everyone else will be blocked.

Logged In

Enforce that a visitor must be logged in to the control panel in order to view the page, section, or site.


Set simple passwords that will allow a visitor to gain access with a login-style form.

In this configuration file you can see three schemas set up and ready to go. If you set 'default' => 'password' in this config file, anyone visiting the front-end of your site will be presented with a password form.

Protection Form

Alternatively, you could set protect: password in any entry and have that specific URL locked down. If you want to customize this login form, you can pass the path of a view file or a URL you'd like to redirect the user too, and do your own thing.

Can you build custom drivers?

Of course. We have docs on that and you can read up when the time comes. It's super straightforward.

It's worth noting that this feature only works on Statamic-controlled routes. If you plan to run Statamic inside an existing Laravel application, you'll need another solution for URLs outside of Statamic's grasp.

Hope you like this feature, it's definitely a time saver and it lends itself to a lot of creative and flexible uses.

Jack McDade
Jack McDade, Creator of Statamic
Creator of Statamic

Copyright 2020 Statamic