Skip to content
Robert's Engineering Notes

Global Access Control

Starlight sites are static by default. For private notes, add a gate in front of the site.

Option 1: Cloudflare Access (fastest)

Section titled “Option 1: Cloudflare Access (fastest)”
  • Put site behind Cloudflare Zero Trust.
  • Allow only selected emails, domains, or identity providers.
  • Keep static hosting simple while blocking anonymous users.

Option 2: Host-level password/auth

Section titled “Option 2: Host-level password/auth”
  • Netlify Identity, Vercel middleware + provider, or basic auth at reverse proxy.
  • Good for small private audiences.

Option 3: App-level auth

Section titled “Option 3: App-level auth”
  • Use Astro middleware with Auth.js or custom OAuth checks.
  • Useful when mixing public pages and private pages in same site.
Section titled “Recommended path”
  1. Start public while content is non-sensitive.
  2. Move to Cloudflare Access when publishing private/internal notes.
  3. Add app-level auth only if you need per-page or per-role rules.