Sanity Studio Open to the Public: 4-Step Lockdown

Sanity Studio embedded in a Next.js app is served at `/studio`, and that route is reachable by anyone on the internet unless you gate it yourself. Here is a four-step checklist to lock it down, plus the tell-tale signs that someone is already editing your content.

May 3, 2026 · VibeWShield Team · 1 min read

Sanity Studio's default embedded mode is fantastic for developers and disastrous for production if you deploy the public site and forget to gate the studio path: the same build that serves your marketing pages also serves the full editing UI, its login screen, and a JavaScript bundle that names your project ID, your dataset and every schema type you have defined.

Check

curl -s -o /dev/null -w '%{http_code}\n' https://your-app.com/studio

A `200` means the Studio is served to anyone who asks; a `404`, or a redirect to a login you control, is what you want to see. The status code is the signal here: a studio embedded in your own app is served by your own host, so do not rely on Sanity-specific response headers to spot it. What an open `/studio` exposes is the editing UI, a login screen that can be phished, and a client bundle carrying your project ID, dataset name and content schema. Mutations still go through the Sanity API under the logged-in user's session, so a visitor cannot write to your dataset just by loading the page, and if the dataset is public its published documents were readable through the API already. Treat the open path as reconnaissance and a phishing target that is one leaked credential away from write access.

Checklist

  1. `auth` in `sanity.config.ts`: Studio already demands a sanity.io login before it will load your content, so this setting decides which identities can log in at all. Set `mode: "replace"` and list only the providers your team actually uses (for example a single SSO provider) instead of the default social and email logins. Login still requires project membership, so this narrows the phishing surface rather than acting as the only lock.
  2. `useCdn: false` on the public consumer side makes reads bypass the API CDN, so an edit, wanted or not, shows up on the site immediately. That is a freshness setting, not an access control: it helps you notice tampering sooner and does nothing to prevent it.
  3. Roles on sanity.io/manage: the content schema lives in your code, not in the management UI, so what to audit is who holds Editor or Administrator. Viewer is read-only by default; anyone who only needs to read should hold nothing more, and members who have left the team should be removed entirely. Audit per team member.
  4. Embedded Studio in your Next.js bundle? Move it to its own host, `studio.yourapp.com`, with its own middleware, so you can allow only office or VPN addresses and the public site never serves the studio bundle at all. Remember to add the new origin to the project's CORS origins (with credentials allowed), or the studio cannot talk to the API.
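Step 4 is the one that needs real code. The block below is an added example written for this article; it is not code from Sanity, from Next.js, or from the original page. It assumes the Studio is mounted at `/studio` and that the app runs behind exactly one proxy you control (Vercel, Cloudflare, nginx) that appends the client address to `x-forwarded-for`; the allowlist addresses are constructed sample values, and the function names (`studioGate`, `clientIp`, `inCidr`) are this example's own. The helpers are framework-independent so they can be tested on their own; the Next.js wiring is in the comment at the bottom.

```typescript
// Added example (not from the article, Sanity or Next.js): an IP allowlist gate
// for the embedded Studio route. Assumptions: Studio lives at /studio, and the app
// sits behind one trusted proxy that appends the client address to x-forwarded-for.

// Constructed allowlist: an office /24 and a single VPN egress host.
export const STUDIO_ALLOWLIST: string[] = ["203.0.113.0/24", "198.51.100.7/32"];

// Dotted IPv4 -> unsigned 32-bit number, or null for anything that is not IPv4
// (IPv6 and junk are rejected so they can never accidentally match a block).
export function ipv4ToInt(ip: string): number | null {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v; // arithmetic rather than <<, so the top octet is not shifted away
  }
  return n;
}

// True when ip is inside cidr ("a.b.c.d/bits"; a bare address means /32).
export function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  // JS shift counts are taken mod 32, so /0 needs its own case.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Work out the client address. Behind trustedHops proxies, the entry that many
// positions from the END of x-forwarded-for is the one your own proxy wrote;
// anything before it is client-controlled and must not be trusted. With no proxy
// (trustedHops = 0) only the socket address counts. Missing data fails closed.
export function clientIp(
  headers: Record<string, string | undefined>,
  socketIp: string | undefined,
  trustedHops: number,
): string | null {
  if (trustedHops <= 0) return socketIp ?? null;
  const xff = Object.entries(headers).find(([k]) => k.toLowerCase() === "x-forwarded-for")?.[1];
  if (!xff) return null;
  const chain = xff.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  const idx = chain.length - trustedHops;
  return idx >= 0 ? chain[idx] : null;
}

export type GateVerdict = "pass" | "allow" | "deny";

// "pass": not a studio path, leave it alone. "allow" / "deny": studio path, and the
// client is / is not inside the allowlist. Default-deny whenever the address is unknown.
export function studioGate(
  req: { pathname: string; headers: Record<string, string | undefined>; socketIp?: string },
  allowlist: string[] = STUDIO_ALLOWLIST,
  trustedHops = 1,
): GateVerdict {
  const p = req.pathname;
  if (p !== "/studio" && !p.startsWith("/studio/")) return "pass";
  const ip = clientIp(req.headers, req.socketIp, trustedHops);
  if (ip === null) return "deny";
  return allowlist.some((cidr) => inCidr(ip, cidr)) ? "allow" : "deny";
}

// Next.js wiring (middleware.ts at the project root). Answer 404 rather than 403
// so an outsider cannot even tell that a studio exists.
//
//   import { NextRequest, NextResponse } from "next/server";
//   export function middleware(req: NextRequest) {
//     const verdict = studioGate({
//       pathname: req.nextUrl.pathname,
//       headers: Object.fromEntries(req.headers),
//     });
//     return verdict === "deny"
//       ? new NextResponse("Not found", { status: 404 })
//       : NextResponse.next();
//   }
//   export const config = { matcher: ["/studio/:path*"] };
```

The hop count is the part to get right. A client can send its own `x-forwarded-for: 203.0.113.9` and, if the gate read the first entry, walk straight in; reading from the end, the entry your proxy appended is the one that counts, so `203.0.113.9, 8.8.8.8` is denied. Set `trustedHops` to the number of proxies you actually run in front of the app, and if your CDN offers a dedicated client-address header, prefer that. This gate hides the route; the studio bundle is still compiled into the public app, which is why moving it to its own host remains the cleaner end state.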

What attackers usually do

They rarely delete anything, because a deletion is noticed and reverted within the hour. The quiet move is an edit that looks legitimate: swap the image or link in your homepage hero for one they control, or slip their URL into a call to action, and let your own site serve it to your visitors under your brand. The tell-tale sign lives in the Studio's document history: a revision from an account nobody on the team recognises, or one made at an hour when nobody was working.
