Skip to content


What's this business all about, then?

This repository helps you put access control into place to protect your secret pages by (deep breath):

hosting your secret page of static and/or dynamic content by using a free Heroku app running a Python Flask server that uses Flask-Dance to authenticate visitors with Github using OAuth which allows you fine-grained access control for your pages using user attributes like organization or team membership or even things like how many vowels a user has in their username.

Also, did I mention the attack rabbits?

warning: attack rabbits ahead

Where is everything?

Final pages:

Two branches in this repo compose the github-heroku-attack-rabbits documentation:

Two branches illustrate github-heroku-attack-rabbits in practice:

  • The secret branch contains the files needed to create the secret page. (This is the "secret page source branch", so to speak.) This repository, the one you are looking at right now, is public, so of course these will not really be secret, but in practice the secret branch would live in a private repository.

  • The heroku-pages branch contains the content that is actually pushed to Heroku - that is, the final Flask app. This includes the Flask app (Python program), in addition to files that tell Heroku how to run the app, plus gunicorn "middleware" scripts, plus the static content that Flask is supposed to serve up (whatever that happens to be - in our case, we will cover an mkdocs documentation site that is behind an authentication layer.).


An overview of the steps:

Get Started with Heroku

Get Started with Github

Initialize Repository: Branches

Create a Flask App using Flask-Dance

Test Flask App Locally

Deploying Flask App to Heroku

Custom Domains

Python software used:

Commercial services:


This is released under the WTFPL.