Page Protection

Page protection restricts access to specific pages on your website. Visitors must enter a password or provide their email address before they can view the content. Protection works at page level: each page can be individually secured with its own password or email whitelist. You can also mark navigation items as 'protected', so visitors immediately see that certain content is restricted. Ideal for: member portals, internal documents, client-specific content, beta pages or exclusive offers.

To set up password protection: 1. Go to Pages in the side menu 2. Click the page you want to protect 3. Scroll to the "Page Protection" panel at the bottom of the page detail page 4. Toggle "Protect page" on 5. Choose type: "Password" 6. Enter a password and click "Save password" 7. Set the unlock duration (e.g. 24 hours) 8. Optionally: customise the lock screen heading and description 9. Click Save at the top of the page 10. Publish the page via the Page Editor The password is securely hashed — the original password cannot be retrieved.

An email whitelist grants access to specific email addresses: 1. Go to Pages in the side menu 2. Click the page you want to protect 3. Scroll to the "Page Protection" panel at the bottom 4. Toggle "Protect page" on 5. Choose type: "Email whitelist" 6. Enter the allowed email addresses (one per line) 7. Set the unlock duration 8. Click Save and publish the page Visitors enter their email address on the lock screen. Only addresses on the whitelist are granted access.

Besides page protection you can also mark navigation items as secured: 1. Go to Navigation in the side menu 2. Click the lock icon next to a navigation item 3. The item receives a lock badge 4. For a group: all child items also display a lock icon This is a visual indicator for visitors. The actual protection works at page level — make sure the corresponding pages are also protected.

The unlock duration determines how long a visitor retains access after unlocking: • Session — until the browser is closed • 1 hour — short access • 8 hours — workday • 24 hours — one day • 7 days — one week • 30 days — one month After the session expires the visitor must re-enter the password or confirm their email address.

When a visitor opens a protected page they see a lock screen: • A heading (default: "Protected area") • An optional description • An input field for password or email address • A "Get access" button With a correct password or valid email the page content is shown immediately. With an incorrect password or unknown email an error message appears. After 5 failed attempts within 15 minutes the visitor is temporarily blocked (rate limiting).

Page protection uses multiple security layers: • Passwords are hashed with bcrypt — the original is never stored • Sessions are secured with HMAC-SHA256 tokens • Rate limiting: maximum 5 attempts per 15 minutes per IP address and page • Sessions are bound to a specific page — a token for page A does not work on page B • IP addresses are stored hashed — never in plain text • Secrets (password hashes, email whitelists) are never sent to the browser

Tips for optimal security: • Use strong passwords (at least 12 characters, mix of letters, numbers, symbols) • Limit email whitelists to the necessary addresses • Choose a short unlock duration for sensitive content • Change passwords regularly • Use email whitelist for content that needs per-person tracking • Combine with HTTPS (standard on all sites) for end-to-end encryption

Page protection provides effective access control but is not a DRM system: • A visitor with the correct password can copy the content or take a screenshot • Email verification is not identity verification — it only confirms the email address is on the whitelist • The protection is intended for honest users, not against determined attackers with technical knowledge For maximum security: combine with short unlock duration and regular password changes.

Every access attempt to a protected page is automatically logged. View the audit log: 1. Click "Security log" in the side menu (only visible for admins) 2. Use the filters to search by page, result or date range For each entry you can see: • Page (slug) • Result: success, failure or rate limited • Protection type: password or email whitelist • Timestamp • Anonymised IP hash (no personal data — GDPR compliant) Logs are retained for 90 days and then automatically cleaned up.