Home / Security / Confirm staging and development environments are not publicly accessible
Advanced Operational · Security Ring

Confirm staging and development environments are not publicly accessible

20-30 min Impact: high Effort: low ✓ Manual completion

Confirming staging and development environments are not publicly accessible closes a genuinely common breach vector, a forgotten staging.yoursite.com, often running with weaker security or containing test data, sitting fully exposed to anyone who finds or guesses the URL.

Staging environments are frequently set up quickly without the same security rigor as production, and being forgotten about after the initial development phase is extremely common.

How to do it

  1. 1
    Identify every staging or development environment you have
    Check your DNS records and hosting dashboard for anything beyond your main production site.
  2. 2
    Visit each directly and confirm its actual access level
    Is it genuinely restricted, or fully open to anyone who finds the URL.
  3. 3
    Restrict access appropriately
    IP allowlisting or password protection for anything that needs to remain accessible to your team.
  4. 4
    Decommission anything no longer genuinely needed
    Removing an unused environment entirely is the cleanest fix when it is no longer actively used.

Common mistakes

How you will know it is done

Every staging or development environment is confirmed either properly restricted or decommissioned.

Track this in your hive

The Security Ring turns this into a real, permanent mission — mark it complete once you have genuinely done it.

Open this mission in H.I.V.E. →