Password Protection Configuration

Secure your static sites with password authentication

Advanced Configuration

Needs to be in your traefik config:

authCookieDuration: 14400  # 4 hours in seconds

Recommendations:

  • Public sites: 1-4 hours (3600-14400)
  • Private sites: 8-24 hours (28800-86400)
  • Internal sites: 7 days (604800)

Generate a random secret and set it as the signing key:

openssl rand -base64 32
authSecretKey: "your-random-secret-here"

Login Page

When users visit a password-protected site, they see:

  • 🔍 Repository name displayed
  • ⚠️ Error messages for wrong passwords
  • ⌨️ Auto-focus on password field
  • 🔒 Secure HTTPS-only form submission

How It Works

  1. User visits protected site
  2. Plugin checks for authentication cookie
  3. No cookie found → Show login page
  4. User enters password
  5. Password hashed with SHA256
  6. Hash compared with stored hash
  7. Match → Set signed cookie, redirect to site
  8. No match → Show error message

Security Features

Password Hashing

  • Passwords stored as SHA256 hashes in .pages file
  • Original password never stored
  • One-way hashing prevents password recovery

Cookie Security

  • HttpOnly: JavaScript cannot access cookies (XSS protection)
  • Secure: Only sent over HTTPS connections
  • SameSite=Strict: Prevents CSRF attacks
  • HMAC Signature: Prevents cookie tampering (when authSecretKey configured)
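The steps under "How It Works" and the cookie attributes under "Security Features" together, as an added Go example written for this page (not the plugin's own code). The token layout "repo|expiry|hmac", the hex encoding of the SHA256 hash, and the sample password are assumptions; the page does not specify them. The comparison is constant-time, and the expiry is inside the signed payload so a client cannot extend it. Note that an unsalted SHA256 is fast to brute-force offline if the .pages file leaks, so keep that file readable only by the plugin.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Constructed sample: the hash that would sit in a .pages file for the (hypothetical)
// password "correct horse". Computed here rather than pasted so it cannot drift.
var storedHash = HashPassword("correct horse")

// HashPassword is step 5: SHA256 of the password, hex-encoded (encoding assumed).
func HashPassword(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// CheckPassword is step 6: compare in constant time so response timing does not
// reveal how many leading bytes of the hash matched.
func CheckPassword(password, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(HashPassword(password)), []byte(stored)) == 1
}

// IssueToken is step 7: build "<repo>|<expiry-unix>|<hmac>" signed with authSecretKey.
// Signing repo and expiry together is what stops cookie tampering.
func IssueToken(repo string, expiry time.Time, secret []byte) string {
	payload := repo + "|" + strconv.FormatInt(expiry.Unix(), 10)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return payload + "|" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyToken is step 2: check signature first, then repository, then expiry.
// The reason string is for logging; the boolean is the only thing the caller trusts.
func VerifyToken(token, repo string, now time.Time, secret []byte) (bool, string) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return false, "malformed"
	}
	want := hmac.New(sha256.New, secret)
	want.Write([]byte(parts[0] + "|" + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, want.Sum(nil)) {
		return false, "bad signature"
	}
	if parts[0] != repo {
		return false, "wrong repository"
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp {
		return false, "expired"
	}
	return true, "ok"
}

// AuthCookie sets the attributes listed under Cookie Security: HttpOnly, Secure,
// SameSite=Strict. Expires matches authCookieDuration.
func AuthCookie(name, token string, expiry time.Time) *http.Cookie {
	return &http.Cookie{
		Name: name, Value: token, Path: "/", Expires: expiry,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	secret := []byte("replace-with-openssl-rand-output") // placeholder, not a real key
	now := time.Now()
	if !CheckPassword("correct horse", storedHash) {
		fmt.Println("login failed")
		return
	}
	tok := IssueToken("repo1", now.Add(30*time.Minute), secret) // authCookieDuration: 1800
	fmt.Println(AuthCookie("pages_auth_alice_repo1", tok, now.Add(30*time.Minute)).String())
	ok, why := VerifyToken(tok, "repo2", now, secret) // cookie for repo1 is not valid for repo2
	fmt.Println(ok, why)
}
```

Because the repository name is part of the signed payload, a cookie issued for repo1 fails verification for repo2 with "wrong repository", which is the per-repository separation described under "Multiple Protected Sites".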

Cache TTL

  • Password hashes cached for 60 seconds
  • Reduces .pages file reads
  • Automatic cache refresh every minute
  • No password stored in cache (only hash)
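The 60-second hash cache described above, as an added Go example written for this page (not the plugin's own code). The loader signature, the injectable clock, and the choice to keep serving the previous hashes when a reload fails are assumptions; the .pages file format is not specified on the page, so the loader is a plain function that returns username-to-hash pairs.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// HashCache holds the username -> SHA256 hash map read from a .pages file for ttl,
// then re-reads it through loader. Only hashes are ever stored, never passwords.
type HashCache struct {
	mu       sync.Mutex
	ttl      time.Duration
	loader   func() (map[string]string, error) // assumed: parses .pages into user -> hash
	now      func() time.Time                  // injectable clock so the TTL is testable
	entries  map[string]string
	loadedAt time.Time
	loads    int
}

func NewHashCache(ttl time.Duration, loader func() (map[string]string, error), now func() time.Time) *HashCache {
	return &HashCache{ttl: ttl, loader: loader, now: now}
}

// Lookup returns the stored hash for user, refreshing from the loader once the cached
// entries are at least ttl old. If the refresh fails but older entries exist, those are
// served and the next lookup retries; with no entries at all the lookup fails closed.
func (c *HashCache) Lookup(user string) (string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.entries == nil || c.now().Sub(c.loadedAt) >= c.ttl {
		fresh, err := c.loader()
		if err == nil {
			c.entries = fresh
			c.loadedAt = c.now()
			c.loads++
		} else if c.entries == nil {
			return "", false
		}
	}
	h, ok := c.entries[user]
	return h, ok
}

// Loads reports how many times the .pages file was actually read (for the demo/tests).
func (c *HashCache) Loads() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.loads
}

func main() {
	// Constructed in-memory stand-in for reading the .pages file.
	reads := 0
	loader := func() (map[string]string, error) {
		reads++
		if reads > 3 {
			return nil, errors.New("simulated read failure")
		}
		return map[string]string{"alice": fmt.Sprintf("hash-v%d", reads)}, nil
	}
	c := NewHashCache(60*time.Second, loader, time.Now)
	for i := 0; i < 3; i++ {
		h, ok := c.Lookup("alice")
		fmt.Println(h, ok, "file reads:", c.Loads()) // stays at 1 read within the minute
	}
}
```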

Multiple Protected Sites

Each repository gets its own authentication:

Cookie: pages_auth_username_repo1  # For repo1
Cookie: pages_auth_username_repo2  # For repo2

Users must authenticate separately for each protected repository.

High Security (Short Duration)

Traefik config:

authCookieDuration: 1800  # 30 minutes
authSecretKey: "long-random-secret-key"