Our workflow currently has developers working on locally hosted copies of our web application with SVN for source control. We have post-commit hooks that deploy each new revision to a designated staging environment running on a subdomain.
My question is, what is the best way to restrict access to these staging sites so that they can't be stumbled across or god forbid indexed by search engines?
We'd really like to avoid anything IP based, as we have remote developers working unavoidably from dynamic IPs.
I have some initial ideas such as a simple form that you can hit with login credentials to either a) give you an access cookie that's checked for when running in the staging environment, or b) register your current IP address as allowed for a determinate length of time.
If anyone can share ideas, previous experience or best practice it would be very much appreciated
If you're using Apache a simple and very basic protection should be an .htaccess File. If this doesn't satisfy your needs for security, you should think about implementing your own security mechanism.
The best solution is to put your staging server in a closed network and only allow access via a secure VPN.