HACKER Q&A
📣 summera

How are you protecting your staging environment(s) for your web apps?


By "staging environment" I'm referring to any non-production environment that you need to access over HTTPS, either ephemeral or long-living and potentially shared.

Are you using basic auth? If so, how are you managing usernames & passwords?

Are you using a VPN?

Are you using something else?


  👤 igorzij Accepted Answer ✓
Typically the entire stack is copied so that you have the exact same setup, including auth, as in production. Basic auth isn't a great idea unless your production is using basic auth too. If you're using some federated login tool like Cognito or Auth0 then you can create something like an isolated pool of users for each environment, forgot the exact name. VPN only needed if it's a compliance requirement, otherwise nothing wrong with having it public.

👤 stephenr
We use a cloudflare firewall, and then have a facility for users (i.e. "staff") to add themselves to the whitelist, via a tooling page for each env (which isn't behind the firewall, but does rely on http basic auth).

It's not perfect, but I think it works better than what it replaced (logic in the application and a shared 'secret' to access those environments).


👤 nibsfive
Company SSO and IP allowlist.
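As an added example (not code from any poster in this thread): a small Python access gate for a staging app that combines the two approaches above, an IP allowlist with a self-service entry as in stephenr's setup and an SSO fallback as in nibsfive's. It assumes the app sits behind a trusted edge proxy; the proxy range, staff range and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration (hypothetical values, not from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]      # edge/CDN -> app hop
STAFF_ALLOWLIST = {ipaddress.ip_network("203.0.113.0/24")}  # office egress range


def client_ip(remote_addr, headers):
    """Resolve the real client address.

    X-Forwarded-For is only honoured when the direct peer is a trusted proxy;
    otherwise a caller could set the header themselves and claim an
    allowlisted address. Within the header, the rightmost hop that is not one
    of our own proxies is the address the trusted proxy actually saw.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in TRUSTED_PROXIES):
            return addr
    return peer


def add_self(sso_user, remote_addr, headers):
    """Self-service allowlisting (the 'tooling page' idea): only an already
    authenticated staff identity may add the address it is currently using."""
    if not sso_user:
        raise PermissionError("authentication required to edit the allowlist")
    ip = client_ip(remote_addr, headers)
    STAFF_ALLOWLIST.add(ipaddress.ip_network(ip))  # single-host /32 or /128
    return ip


def access_decision(remote_addr, headers, sso_user=None):
    """Return (allowed, reason). An allowlisted source IP is admitted directly;
    anything else must carry a verified SSO identity."""
    ip = client_ip(remote_addr, headers)
    if any(ip in net for net in STAFF_ALLOWLIST):
        return True, f"ip-allowlist:{ip}"
    if sso_user:
        return True, f"sso:{sso_user}"
    return False, "deny"
```

In a real deployment the allowlist would live in a shared store with an expiry rather than in process memory, and `sso_user` would come from a validated session, not a request parameter.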