Password protect a static HTML page, decrypted in-browser in JavaScript

&gt; returns a static HTML page showing a password prompt that you can now safely upload anywhere<p>Anywhere that you trust, and where the page is hosted securely. For example, a malicious hosting service could alter the password prompt. Or the page as a whole could be put in a frame with a transparent overlay.

Author here. I was wondering why I was seeing plenty of people from github on my meditation website so I checked HN, hi!<p>Happy to answer any question you might have, and feel free to offer feedback too.<p>(Last time this got posted to HN[1] was really productive in improving the project, thanks!)<p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=34849024">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=34849024</a>

Built the same thing, but with a slightly different focus: Have the result as small as possible, so assuming you can trust your browser you can audit the received HTML file prior to entering your password: <a href="https:&#x2F;&#x2F;github.com&#x2F;dividuum&#x2F;html-vault">https:&#x2F;&#x2F;github.com&#x2F;dividuum&#x2F;html-vault</a>

Similar project that supports files: <a href="https:&#x2F;&#x2F;github.com&#x2F;mprimi&#x2F;portable-secret">https:&#x2F;&#x2F;github.com&#x2F;mprimi&#x2F;portable-secret</a>

In the old days, we used .htaccess and htpasswd for that.

Reminds me of one of my projects:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;blackhillsinfosec&#x2F;skyhook">https:&#x2F;&#x2F;github.com&#x2F;blackhillsinfosec&#x2F;skyhook</a><p>Round-trip encrypted file transfer. Uses WASM to decrypt files on the client side.<p>Aims to bypass IDS.

Similar (but also for a narrower use case with fewer features): <a href="https:&#x2F;&#x2F;github.com&#x2F;sowbug&#x2F;quaid">https:&#x2F;&#x2F;github.com&#x2F;sowbug&#x2F;quaid</a><p>It wraps a JS implementation of only the decryption side of GPG symmetric encryption, so there&#x27;s less opportunity for the tool itself to introduce security errors.

I used this before and it was really decent, actually had it as a build step on some dev preview stuff. Only moved to basic auth because getting it to remember people through re-deploys was a faff so it became annoying when it wasn’t working (I’m aware it has a solution to this problem but it wasn’t really working for me easily)

Another interesting project allows you to do a similar thing with Hugo. I&#x27;m a bit nervous to use these myself but seems useful for some limited, non-serious use cases.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;Izumiko&#x2F;hugo-encrypt">https:&#x2F;&#x2F;github.com&#x2F;Izumiko&#x2F;hugo-encrypt</a>

How long should the password be to make this safe from brute force attack?

Nice project. There should be some project which standardizes a mechanism to do that that with a browser extension. This would make it possible to share websites without trusting the web hoster.

This is what I&#x27;m looking for: a way to put something in public (I&#x27;m using Vercel) that &quot;only&quot; me can access (anybody who can decrypt it doesn&#x27;t need the content that I encrypt).

As an alternative, your content can be stored statically on a request path that is the hash value of a secret