Password protection for static pages

This simple HTML document helps you protect static pages or whole websites with no server configuration required: you can use Dropbox, Amazon S3 or any generic hosting service to host a private, password-protected site.

This small project is a byproduct of my Tumbless blogging platform project.

Setup

  1. Upload the index.html document and the background image to your static hosting service.
  2. Load it in your browser and enter the password of your choice.
  3. It will show "wrong password"; ignore that. Copy the section of the URL after the # sign.
  4. Create a folder with that name next to the index.html file.
  5. Upload the content that you want to protect inside the folder.

The final structure will be:

- index.html
- background.jpg
- this-is-a-hash      <-- the SHA1 hash of your password
  \ - index.html      <-- your original index document

Is this secure?

Pretty much, but please consider that:

  1. If your hosting service offers directory listing, a visitor can bypass the protection.
  2. There's no protection against brute-force attacks. Pick a very long and hard-to-guess password.
  3. The password's hash is part of the URI. Enforce HTTPS to avoid man-in-the-middle attacks.
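
The setup steps and the first caveat above, as an added pre-deploy check in Node.js (not part of the original project). It assumes the folder name is the lowercase hex SHA-1 of the UTF-8 password with no salt; the function names and the sample site are constructed for illustration.

```javascript
// Added example: pre-deploy check for the hash-named folder layout (Node.js).
const { createHash } = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumption: folder name = lowercase hex SHA-1 of the UTF-8 password, unsalted.
function protectedFolderName(password) {
  return createHash('sha1').update(password, 'utf8').digest('hex');
}

// Returns a list of problems found in a local copy of the site before upload.
function checkLayout(siteRoot, password) {
  const folder = protectedFolderName(password);
  const problems = [];
  if (!fs.existsSync(path.join(siteRoot, 'index.html'))) {
    problems.push('missing login page: index.html');
  }
  if (!fs.existsSync(path.join(siteRoot, folder, 'index.html'))) {
    problems.push(`missing protected document: ${folder}/index.html`);
  }
  return problems;
}

// True if the body served for the site root reveals the folder name,
// e.g. an auto-generated directory listing (caveat 1 in "Is this secure?").
function listingLeaksFolder(rootResponseBody, password) {
  return rootResponseBody.toLowerCase().includes(protectedFolderName(password));
}

// Constructed sample site in a temp directory, using the demo password 'secret'.
function buildSampleSite(password) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'static-pw-'));
  fs.writeFileSync(path.join(root, 'index.html'), '<!-- login page -->');
  const dir = path.join(root, protectedFolderName(password));
  fs.mkdirSync(dir);
  fs.writeFileSync(path.join(dir, 'index.html'), '<!-- private content -->');
  return root;
}

const sampleRoot = buildSampleSite('secret');
console.log(protectedFolderName('secret'));
console.log(checkLayout(sampleRoot, 'secret')); // correct password: no problems
console.log(checkLayout(sampleRoot, 'Secret')); // different hash: folder not found
// Constructed response bodies: an autoindex page and the login page.
const autoindex = `<h1>Index of /</h1><a href="${protectedFolderName('secret')}/">dir</a>`;
console.log(listingLeaksFolder(autoindex, 'secret'));             // true
console.log(listingLeaksFolder('<!-- login page -->', 'secret')); // false
```

Run `listingLeaksFolder` against the body your own hosting returns for the site root and for any parent path; a `true` result means directory listing must be disabled before the folder name can act as a secret.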

Troubleshooting

  1. Test the demo page in your browser with password 'secret'.
  2. Deploy the whole repo on your hosting, and test again.