-
staticrypt
Password protect a static HTML page, decrypted in-browser in JS with no dependency. No server logic needed.
-
oauth2-proxy
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
-
sasha.html
A pure HTML+CSS+JS local application made to encrypt "very important images" IFYKWIM ( ͡° ͜ʖ ͡°)
-
SingleFileZ
Web Extension to save a faithful copy of an entire web page in a self-extracting ZIP file
Hi HN! Author of the tool here. Just woke up to a few emails pointing me to this thread. Thanks for the interest and added eyeballs!
I'll answer some of the comments here and address the new opened issues during the day. To answer a few questions that seem common skimming this thread:
- WebCrypto: I've been wanting to use WebCrypto instead of crypto-js for years now. It's been in my "Important but not urgent" bucket (since crypto-js should be secure too), the interface is different so I want to make sure I do it correctly and life happened, so I never got farther than drafts. Thank you for the PRs, I hope to get to it soon!
- "static" means no server-side logic (not no JS): I first made StatiCrypt to solve my own issue of wanting to password protect an HTML page I could host on a static file host (Netlify, GitHub Pages...). The whole point is to not have a server or DB, so we can't use Basic auth etc.
As I write in the FAQ[1] I do my best to implement things correctly but I'm not a cryptographer - any feedback to make the tool better or more secure is very welcome!
[1] https://github.com/robinmoisson/staticrypt#is-it-secure
Shameless plug, I did something similar in a markdown processor (which processes any folder with some markdown into an html website). You can either protect some of the pages, or the entire thing
https://github.com/cfe84/plaf
Here's one w/ 100_000. Perhaps it's missing a couple zeroes.
https://github.com/yjs/y-webrtc/blob/master/src/crypto.js#L2...
Similar here: https://github.com/sowbug/quaid
It works with a GPG-encrypted file. I figured that was safer than developing my own encryption format. As it is, any vulnerability in the decryption process is equivalent to a vulnerability in GPG.
My recent solution to this problem -- for an entire static site -- was to use HTTP Basic authentication with CloudFlare Pages: https://github.com/garrison/cloudflare-pages-shared-password
I have a similar project called Sasha.html.
https://github.com/dav1app/sasha.html
The idea is to export any file as an HTML file with the data as an encrypted string hard coded within the HTML. This way, no specific software is required to decrypt the file, just open it on the browser, type the password and download or view your file.
I built this to have an easy way to send encrypted files to any device and open them without having to install external tools.
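The scheme the comments above describe (an encrypted string hard-coded in the HTML and decrypted in the browser from a typed password), written against WebCrypto as an added example. It is not code from StatiCrypt, Sasha.html or any other project mentioned here; the function names, the JSON blob layout and the iteration default are assumptions.

```javascript
// Added example (not StatiCrypt's or Sasha.html's code). Names, blob layout and
// the iteration default are assumptions of this sketch.
const DEFAULT_ITERATIONS = 600000; // assumed default; stored per blob so it can be raised later

// Browsers and recent Node expose WebCrypto globally; older Node needs the import.
async function getCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import("node:crypto")).webcrypto;
}

const toB64 = (bytes) => btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(""));
const fromB64 = (text) => Uint8Array.from(atob(text), (ch) => ch.charCodeAt(0));

// Stretch the password with PBKDF2-SHA-256 into a non-extractable AES-256-GCM key.
async function deriveKey(c, password, salt, iterations) {
  const material = await c.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return c.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Build-time step: returns the JSON string that would be hard-coded into the HTML.
async function encryptForPage(plaintext, password, iterations = DEFAULT_ITERATIONS) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16)); // fresh per file
  const iv = c.getRandomValues(new Uint8Array(12));   // never reused under one key
  const key = await deriveKey(c, password, salt, iterations);
  const ct = await c.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  return JSON.stringify({
    v: 1, iterations, salt: toB64(salt), iv: toB64(iv), ct: toB64(new Uint8Array(ct)),
  });
}

// In-page step: runs after the visitor types the password.
async function decryptFromPage(blob, password) {
  const c = await getCrypto();
  const { iterations, salt, iv, ct } = JSON.parse(blob);
  const key = await deriveKey(c, password, fromB64(salt), iterations);
  // GCM checks its tag, so a wrong password or an edited blob rejects
  // instead of yielding garbage plaintext.
  const pt = await c.subtle.decrypt({ name: "AES-GCM", iv: fromB64(iv) }, key, fromB64(ct));
  return new TextDecoder().decode(pt);
}
```

Because the blob is public once the page is hosted, password guessing happens offline at the cost of one PBKDF2 run per candidate, so the iteration count and the password's strength carry the whole scheme.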
You can do the same thing with SingleFileZ [1] which can protect saved pages with a password. It relies on the zip specification to store encrypted resources.
[1] https://github.com/gildas-lormeau/SingleFileZ
> The user experience with basic auth is not so good.
Apache actually also has an OpenID Connect module, which you can enable to have it work as a relying party: https://github.com/zmartzone/mod_auth_openidc
Basically, the actual UI will be handled by another system that you might be using, for example, in my case that might be a self-hosted Keycloak instance: https://www.keycloak.org/
I'd say that Keycloak is a pretty good solution in general, because it does some of the heavy lifting for you, maybe its shorter release cycle not being the best thing ever, though. I think IdentityServer also tried to fill this niche, but they went full on commercial recently, without OSS offerings.