FAQ

How can this be secure if it's client-side? Can't people just bypass the password?

The HTML gets encrypted using the password, so it is unreadable without the password. An attacker could extract the encrypted document, but it would be an unusable mess until they decrypt it, which can only be done with the original password.

How do I know you're not keeping track of passwords I enter into this tool?

View the source code for this tool (in your browser and/or on GitHub) and you can see for yourself that the password never leaves your computer!

Why would I want to use this instead of a .htaccess user/password prompt?

Standard user/password prompts require you have some sort of privileged access to the server. With Apache for instance, you need to be able to add a .htaccess file to the directory you want to protect. Since this tool produces a standard HTML file, you can host it literally anywhere, even places that don't give you access to the server configuration.

This means you can use this tool to password-protect files without using .htaccess!

Does this encrypt all the CSS/Javascript/Images or only the HTML itself?

This tool only encrypts the HTML document itself. If you inline your CSS/JS, or if you convert your images to data uris, then they will be encrypted too. Otherwise they will just be linked. Since the HTML itself is encrypted though, a visitor without the password will not be able see the URLs of any of the linked resources.

What sort of crypto do you use?

Certainly not my own! This tool uses the CryptoJS library for its encryption. First, an encryption key is derived from the password using PBKDF2 and a random salt with 100 rounds. Then the HTML is encrypted using AES256.

Is there a way to automate this or use it as a software library?

Thanks to Zoltán Gálli, this tool has a Python CLI. And thanks to Nial Francis, it has a PowerShell CLI as well. Contributions are always welcome!