PageCrypt - Password Protect HTML
This tool lets you securely password-protect an HTML file. Unlike other password-protection tools, this tool:
- Has no server-side components (this tool and its password-protected pages run entirely in javascript).
- Uses strong encryption, so the password-protection cannot be bypassed.
All you need to do is choose an HTML file and a password, and your page will be password-protected.
Live Demo (pssst... the live demo password is "hunter2")
Instructions
Step 1. Choose HTML file
Step 2. Choose password
Passwords don't match, try again.
Step 3. Protect!
Done! Check your downloads!
Step 4. Tip me?
Suggested donation is $5 for personal use, or $10-20 for businesses. Honor system!
FAQ
Why do the resulting password-protected HTML documents only work when served via HTTPS?
Due to browser limitations, PageCrypt protected pages only work if served over a secure HTTPS connection (or if the .html file is opened directly from disk). This is because of some technical stuff involving SubtleCrypto and Secure Contexts. To produce html files that work over insecure HTTP connections, please use the legacy version of PageCrypt, which produces larger, less strongly protected documents.
How can this be secure if it's client-side? Can't people just bypass the password?
The HTML gets encrypted using the password, so it is unreadable without the password. An attacker could extract the encrypted document, but it would be an unusable mess until they decrypt it, which can only be done with the original password.
How do I know you're not keeping track of passwords I enter into this tool?
View the source code for this tool (in your browser and/or on GitHub) and you can see for yourself that the password never leaves your computer!
Why would I want to use this instead of a .htaccess user/password prompt?
Standard user/password prompts require you have some sort of privileged access to the server. With Apache for instance, you need to be able to add a .htaccess file to the directory you want to protect. Since this tool produces a standard HTML file, you can host it literally anywhere, even places that don't give you access to the server configuration.
This means you can use this tool to password-protect files without using .htaccess!
Does this encrypt all the CSS/Javascript/Images or only the HTML itself?
This tool only encrypts the HTML document itself. If you inline your CSS/JS, or if you convert your images to data uris, then they will be encrypted too. Otherwise they will just be linked. Since the HTML itself is encrypted though, a visitor without the password will not be able see the URLs of any of the linked resources.
What sort of crypto do you use?
This tool uses the SubtleCrypto JavaScript API for its encryption. First, an encryption key is derived from the password using PBKDF2 and a random salt with 100,000 rounds. Then the HTML is encrypted using AES256.
Is there a way to automate this or use it as a software library?
See Samuel Plumppu's rewrite of PageCrypt, which includes CLI and NPM automation, and NodeJS API support.
In addition, thanks to Zoltán Gálli for this tool's Python CLI, and thanks to Nial Francis for this tool's PowerShell CLI. Contributions welcome!
Finally, see Brent Scott's R-wrapper for PageCrypt. From the project page: "It is very common for R users to knit Rmarkdown documents to HTML docs. This provides an easy way to PageCrypt those documents without leaving R."
More Info
Project by Maximillian Laumeister. The source code and license are available on GitHub.