deloc
← All posts

How to Password Protect a Website for Free

· Deloc

You built a website or dashboard. It has data you don’t want public. Every hosting platform either charges for password protection or makes you hack around it. Here is how to password protect a website for free, whether it is a single HTML page or a full static site, without a server or a paid plan.

What Other Hosting Platforms Charge

Vercel. Password protection requires the Advanced Deployment Protection add-on, which costs $150/month on top of the Pro plan. The free Hobby plan only offers Vercel Authentication, which requires every viewer to have a Vercel account. That is not password protection. That is asking your boss to sign up for a developer tool to see a chart.

Netlify. Site-wide password protection (the dashboard toggle with a styled prompt) requires the Pro plan at $19/month. There is a free workaround using HTTP Basic Auth via a _headers file, but it shows the browser’s raw default authentication popup, requires storing credentials in plain text in your repository, and only works if you know how to write config files.

GitHub Pages. No password protection at all. Everything is public.

The Answer: Deploy to Deloc, Add a Password

Deploy your site to Deloc. Add a password. Done. Free.

This works for any static site or HTML page. Drop a folder with an index.html into Deloc and you get a live URL with a password prompt in front of it.

Path A: CLI

npx @deloc/cli deploy --name my-site
npx @deloc/cli password my-site

Path B: AI tool (Claude Code or Cursor)

“Deploy this to Deloc with password protection”

Both paths land in the same place. A visitor opens the URL, sees a clean styled password prompt, enters the password, and sees the site. No account required for viewers. No code changes to your site. No config files in your repository.

Why This Is Actually Secure

This is not a JavaScript prompt you can bypass by viewing source. The password check happens at the Cloudflare edge before any files are served. Your HTML, CSS, and JS never reach the browser until the correct password is entered.

Once a visitor enters the correct password, Deloc issues a session cookie so they are not re-prompted on every page navigation. The password itself is stored as a bcrypt hash on the server, never in your code or the page source.

This is the same server-side approach Netlify and Vercel use on their paid tiers. Deloc includes it free on every plan, including the free tier.

Common Scenarios

  • Share a client deliverable. Deploy, set password, send link and password separately.
  • Internal company dashboard. Deploy with a password, share in Slack.
  • Portfolio with NDA work. Password protect the specific projects that need it.
  • Staging site for review. Password protect it until you are ready to go public.
  • Remove the password later. npx @deloc/cli password my-site --remove

What About Team Access

If you need more than a single shared password, Deloc’s paid tiers offer email domain restriction. Only people with a @yourcompany.com email can access the site. No password to share or rotate. See pricing for the plans that include it.

Password Protect Any Site in 30 Seconds. Free.

Get a live URL with a password prompt in front of it, in one command, on the free tier. Head to deloc.dev.

For the full deploy workflow from an AI coding tool, see How to Share a Dashboard Built with Claude.

← Back to blog