Password protection for static pages
This simple HTML document helps you protecting static pages or whole websites with no server configuration required: you can now use Dropbox, Amazon S3 or any generic hosting service to host a private, password protected site.
This small project is a byproduct of my Tumbless blogging platform project.
Note: This is a forked version which removes dependencies to external SHA library and jQuery. The only file that is required to copy is the index.html
.
Setup
- Upload the
index.html
document to your static hosting service. - Use
echo -n "secret" | sha256sum
orecho -n "secret" | openssl dgst -sha256
to generate the password - Create a folder with that name next to the
index.html
file - Upload the content that you want to protect inside the folder
The final structure will be:
- index.html
- this-is-a-hash <-- the SHA256 hash of your password
\ - index.html <-- your original index document
Is this secure?
Pretty much secure, please consider that:
- If your hosting service offers directory listing, a visitor can bypass the protection.
- there's no protection against brute force attack. Pick a very long and hard to guess password.
- The password's hash is part of the URI. Enforce HTTPS to avoid man in the middle attacks.
Troubleshooting
- Test the demo page in your browser with password 'secret'
- Deploy the whole repo on your hosting, and test again.