Hidden Blog Posts on the Cheap
Introduction #
Last year, I had an idea to create password protected blog posts. With the password protected posts, I can write more personal stuff and share my experiences which I do not want to share with everyone.
In this blog post, I will be sharing the method that I used to implement this and why I chose to implement it this way.
Requirements #
These are the requirements for the password protected pages:
- A page can only be viewed by someone who has the password.
- The password must be rotated periodically to limit the blast radius of a leaked password.
These two requirements are hard to fulfil with the current structure of this blog.
Current Structure #
This blog is built with Hugo.
I push the Hugo Markdown sources to GitHub. Through the Netlify integration on the repository, Netlify pulls the changes and runs Hugo to compile the Markdown into HTML.
Netlify then hosts the resulting static files, which is what you see when you load https://jh123x.com/blog/2026/hidden-blog-posts-on-the-cheap/.
In other words, there is no backend: nothing runs server-side when a page is requested, which adds constraints on how this blog can support passwords.
Constraints #
To keep the scope of change small, the current structure imposes a further constraint.
Because Netlify only serves prebuilt files, there is nowhere to store a password or to check it on each request, and adding a backend just for that would be a large change.
At this point I was stuck and felt lazy to implement the backend and I left it for a while.
The Idea #
After letting the idea sit in my mind for a few days, an idea struck me randomly.
What if I could implement this feature without any backend at all?
Instead of running a backend as a password oracle, plus everything that comes with it (e.g. rate limiting, password rotation, serving the page), I can serve the hidden post as just another regular static page.
In that case, the password becomes part of the URL.
Note what that implies: the URL is a bearer secret. Anyone who learns it can read the page, and URLs routinely end up in browser history, access logs and Referer headers. Please do not use this method to protect secrets or passwords.
Netlify offers its own password protection features for that kind of requirement.
Implementation #
Instead of an explicit password protecting the page, the path to the page is the secret.
Each hidden page lives at a path containing a version 4 UUID. A UUID is 128 bits, written as 32 hex characters, of which 6 bits are fixed by the version and variant fields; the remaining 122 bits are random.
This gives 2^122 possible paths.
Enumerating that space is infeasible, so an attacker cannot find a page by guessing URLs, provided the UUID comes from a cryptographically secure random source.
On top of the static UUIDs, a cron job rotates the paths of the hidden pages regularly.
This bounds how long any one URL stays valid: a leaked or shared link stops working at the next rotation, and anyone probing for a page has only that window to work with.
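The rotation step, as an added example that is not the blog's own cron job: a Python script that renames each hidden page bundle under content/hidden/ to a fresh UUID4, so its URL changes on the next Hugo build. The content layout (page bundles named by UUID under an assumed `hidden` section, with no `slug` or `url` override in front matter) and the paths are assumptions.

```python
"""Rotate the secret paths of hidden Hugo posts (added example).

Illustrative code, not the blog's own cron job. It assumes each hidden post is a
Hugo page bundle at content/hidden/<uuid4>/index.md, so that the directory name
is the page's URL path (no slug/url override in front matter). The section name
and layout are assumptions.
"""
from __future__ import annotations

import tempfile
import uuid
from pathlib import Path

HIDDEN_SECTION = "hidden"  # assumed Hugo section holding the protected posts


def new_secret_path() -> str:
    """Return a fresh, unguessable path component: a random (version 4) UUID.

    uuid.uuid4() reads os.urandom, so the 122 free bits come from the OS CSPRNG.
    """
    return str(uuid.uuid4())


def is_uuid4(name: str) -> bool:
    """True if name parses as a version 4 UUID; only such bundles are rotated."""
    try:
        return uuid.UUID(name).version == 4
    except ValueError:
        return False


def rotate_hidden_posts(content_root: Path, section: str = HIDDEN_SECTION) -> dict[str, str]:
    """Rename every UUID-named bundle under content/<section>/ to a new UUID.

    Returns {old_name: new_name}. Directories that are not UUIDs and loose files
    such as _index.md are left alone so the section itself keeps building.
    """
    section_dir = content_root / section
    mapping: dict[str, str] = {}
    for entry in sorted(section_dir.iterdir()):  # list is fixed before renaming
        if not entry.is_dir() or not is_uuid4(entry.name):
            continue
        new_name = new_secret_path()
        entry.rename(section_dir / new_name)
        mapping[entry.name] = new_name
    return mapping


def demo_rotation() -> tuple[dict[str, str], Path]:
    """Build a constructed sample content tree in a temp dir and rotate it.

    Returns (mapping, section_dir) so the caller can inspect the result.
    """
    root = Path(tempfile.mkdtemp(prefix="hugo-content-"))
    section_dir = root / HIDDEN_SECTION
    section_dir.mkdir()
    (section_dir / "_index.md").write_text("---\ntitle: Hidden\n---\n")
    for _ in range(2):  # two constructed hidden posts
        bundle = section_dir / new_secret_path()
        bundle.mkdir()
        (bundle / "index.md").write_text("---\ntitle: Secret post\n---\nhello\n")
    return rotate_hidden_posts(root), section_dir


if __name__ == "__main__":
    rotated, where = demo_rotation()
    for old, new in rotated.items():
        print(f"{where / old} -> {where / new}")
```

A cron job would run rotate_hidden_posts against a checkout of the repository, commit the renames and push, after which Netlify rebuilds the site as described above. Hugo derives the URL from the bundle directory only when the front matter does not set slug or url, so those keys must stay out of the hidden posts.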
Limitations #
This method is not all sunshine and rainbows. There are also limitations to doing it like this.
There are some which we can do something about but others which we cannot do anything about.
Auto sitemap.xml and rss.xml generation #
Some Hugo themes generate sitemap.xml and rss.xml automatically, and both would list the hidden pages.
I added the following to the site's YAML configuration to prevent that:
```yaml
sitemap:
  disabled: true
```
For Congo, disabling the sitemap setting seems to also turn it off for RSS. Whatever the theme, check the build output (public/sitemap.xml and public/index.xml) after a build to confirm that no hidden URL appears there.
Disable Search Engine Indexing #
To stop search engines from crawling the hidden pages, we exclude them in robots.txt.
For this part, I added a template at layouts/robots.txt with the following (Hugo only renders this template when enableRobotsTXT is set to true in the site configuration):
```text
User-agent: *
Allow: /
Disallow: /hidden/
Sitemap: {{.Site.BaseURL}}sitemap.xml
```
This tells well-behaved crawlers not to fetch anything under /hidden/. It is advisory only: it does not stop a crawler that ignores robots.txt, and it publicly reveals that a /hidden/ section exists (though not the UUIDs inside it).
Difficult to audit / manage #
Search engine crawlers may still index a hidden page if it is linked from somewhere, if robots.txt is misconfigured, or through the link previews generated when the URL is pasted into a chat or social media app.
Addresses can also be shared with others, who can view the page until the next rotation; nothing distinguishes the intended reader from anyone else holding the link.
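Because the hidden URLs can leak through generated files, a check over the build output is the practical way to audit the setup. The following is an added example, not part of the original post: it scans a built public/ directory for any file outside a hidden post that mentions a /hidden/<uuid>/ URL, including the sitemap, the RSS feed and the section list page. The public/ layout and the sample files are constructed assumptions.

```python
"""Audit a built Hugo site for leaks of hidden-post URLs (added example).

Illustrative code, not the blog's own tooling. It assumes hidden posts are
published under /hidden/<uuid4>/ and that Hugo wrote sitemap.xml, index.xml
(RSS), robots.txt and HTML pages into public/. The files built in demo_audit()
are constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
import uuid
from pathlib import Path

# A path that looks like a version 4 UUID under the hidden section.
HIDDEN_URL_RE = re.compile(
    r"/hidden/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/",
    re.IGNORECASE,
)
AUDITED_SUFFIXES = {".xml", ".html", ".txt", ".json"}


def find_hidden_urls(text: str) -> set[str]:
    """Return every hidden-post URL path mentioned in text."""
    return {m.group(0) for m in HIDDEN_URL_RE.finditer(text)}


def audit_public(public_dir: Path) -> dict[str, set[str]]:
    """Map each leaking output file to the hidden URLs it references.

    A hidden post's own files (under /hidden/<uuid>/) naturally contain their
    own URL and are skipped. Anything else that mentions a hidden URL, such as
    the sitemap, the RSS feed or the section list page /hidden/index.html, is a
    leak because it lets a crawler or reader discover the secret path.
    """
    leaks: dict[str, set[str]] = {}
    for path in public_dir.rglob("*"):
        if not path.is_file() or path.suffix not in AUDITED_SUFFIXES:
            continue
        rel = "/" + path.relative_to(public_dir).as_posix()
        if HIDDEN_URL_RE.match(rel):
            continue  # the hidden page itself
        found = find_hidden_urls(path.read_text(errors="replace"))
        if found:
            leaks[rel] = found
    return leaks


def demo_audit() -> dict[str, set[str]]:
    """Construct a small public/ tree with two deliberate leaks and audit it."""
    public = Path(tempfile.mkdtemp(prefix="hugo-public-"))
    secret = f"/hidden/{uuid.uuid4()}/"
    files = {  # constructed sample build output
        "sitemap.xml": f"<urlset><url><loc>https://example.com{secret}</loc></url></urlset>",  # leak
        "index.xml": "<rss><channel><item><link>https://example.com/post/</link></item></channel></rss>",
        "robots.txt": "User-agent: *\nDisallow: /hidden/\n",  # prefix only, no UUID
        "hidden/index.html": f'<ul><li><a href="{secret}">Secret post</a></li></ul>',  # leak
        f"{secret.lstrip('/')}index.html": f'<link rel="canonical" href="https://example.com{secret}">',
        "about/index.html": "<p>nothing to see</p>",
    }
    for name, body in files.items():
        target = public / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return audit_public(public)


if __name__ == "__main__":
    for file, urls in sorted(demo_audit().items()):
        print(f"{file} references {', '.join(sorted(urls))}")
```

Run it against public/ after a local hugo build and before pushing. If the theme renders a list page at /hidden/, that page enumerates every hidden post; Hugo's build front matter options (list: never, spelled _build in older releases) keep a page out of listings, sitemaps and feeds, and are worth checking against the Hugo version in use.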
Conclusion #
In this blog post, I shared a method to write hidden blog posts with Hugo.
The steps will be similar for other themes.
This should not be used for secret information; only non-sensitive content should be shared this way.