diff --git a/CHANGELOG.md b/CHANGELOG.md
index b0b1bb3a..b23580a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@
 **h5ai** uses [semantic versioning](http://semver.org/).
 
 
+## v0.25.2 - *2014-07-01*
+
+* adds optional info page protection
+* fixes `short_open_tag` issues for PHP < 5.4.0
+* fixes default folder download (`alwaysVisible` option)
+* minor fixes
+
+
 ## v0.25.1 - *2014-06-25*
 
 * fixes broken paths for filenames containing '+' characters
diff --git a/npm-debug.log b/npm-debug.log
new file mode 100644
index 00000000..bbe5e459
--- /dev/null
+++ b/npm-debug.log
@@ -0,0 +1,173 @@
+0 info it worked if it ends with ok
+1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'install', '-g', 'fquery' ]
+2 info using npm@1.4.14
+3 info using node@v0.10.29
+4 verbose node symlink /usr/bin/node
+5 verbose cache add [ 'fquery', null ]
+6 verbose cache add name=undefined spec="fquery" args=["fquery",null]
+7 verbose parsed url { protocol: null,
+7 verbose parsed url   slashes: null,
+7 verbose parsed url   auth: null,
+7 verbose parsed url   host: null,
+7 verbose parsed url   port: null,
+7 verbose parsed url   hostname: null,
+7 verbose parsed url   hash: null,
+7 verbose parsed url   search: null,
+7 verbose parsed url   query: null,
+7 verbose parsed url   pathname: 'fquery',
+7 verbose parsed url   path: 'fquery',
+7 verbose parsed url   href: 'fquery' }
+8 silly lockFile 9a7368bb-fquery fquery
+9 verbose lock fquery /home/lars/.npm/cache/9a7368bb-fquery.lock
+10 silly lockFile 9a7368bb-fquery fquery
+11 silly lockFile 9a7368bb-fquery fquery
+12 verbose addNamed [ 'fquery', '' ]
+13 verbose addNamed [ null, '*' ]
+14 silly lockFile e5526921-fquery fquery@
+15 verbose lock fquery@ /home/lars/.npm/cache/e5526921-fquery.lock
+16 silly addNameRange { name: 'fquery', range: '*', hasData: false }
+17 verbose url raw fquery
+18 verbose url resolving [ 'https://registry.npmjs.org/', './fquery' ]
+19 verbose url resolved https://registry.npmjs.org/fquery
+20 info trying registry request attempt 1 at 18:48:33
+21 http GET https://registry.npmjs.org/fquery
+22 http 200 https://registry.npmjs.org/fquery
+23 silly registry.get cb [ 200,
+23 silly registry.get   { date: 'Tue, 01 Jul 2014 16:48:33 GMT',
+23 silly registry.get     server: 'CouchDB/1.5.0 (Erlang OTP/R16B03)',
+23 silly registry.get     etag: '"DFHDQXLRHLZ7Y1EXB5YI3U9MI"',
+23 silly registry.get     'content-type': 'application/json',
+23 silly registry.get     'cache-control': 'max-age=30',
+23 silly registry.get     'content-length': '29084',
+23 silly registry.get     'accept-ranges': 'bytes',
+23 silly registry.get     via: '1.1 varnish',
+23 silly registry.get     age: '0',
+23 silly registry.get     'x-served-by': 'cache-fra1220-FRA',
+23 silly registry.get     'x-cache': 'MISS',
+23 silly registry.get     'x-cache-hits': '0',
+23 silly registry.get     'x-timer': 'S1404233313.482664,VS0,VE367',
+23 silly registry.get     vary: 'Accept',
+23 silly registry.get     'keep-alive': 'timeout=10, max=50',
+23 silly registry.get     connection: 'Keep-Alive' } ]
+24 silly addNameRange number 2 { name: 'fquery', range: '*', hasData: true }
+25 silly addNameRange versions [ 'fquery',
+25 silly addNameRange   [ '0.1.0',
+25 silly addNameRange     '0.2.0',
+25 silly addNameRange     '0.3.0',
+25 silly addNameRange     '0.4.0',
+25 silly addNameRange     '0.5.0',
+25 silly addNameRange     '0.6.0',
+25 silly addNameRange     '0.7.0',
+25 silly addNameRange     '0.8.0',
+25 silly addNameRange     '0.8.1',
+25 silly addNameRange     '0.9.0',
+25 silly addNameRange     '0.10.0',
+25 silly addNameRange     '0.11.0' ] ]
+26 verbose addNamed [ 'fquery', '0.11.0' ]
+27 verbose addNamed [ '0.11.0', '0.11.0' ]
+28 silly lockFile c56ebe5c-fquery-0-11-0 fquery@0.11.0
+29 verbose lock fquery@0.11.0 /home/lars/.npm/cache/c56ebe5c-fquery-0-11-0.lock
+30 silly lockFile 2abe8ce0-mjs-org-fquery-fquery-0-11-0-tgz https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz
+31 verbose lock https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz /home/lars/.npm/cache/2abe8ce0-mjs-org-fquery-fquery-0-11-0-tgz.lock
+32 verbose addRemoteTarball [ 'https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz',
+32 verbose addRemoteTarball   '034d7d4e233586f742975b2ced7b27d2fdbeba70' ]
+33 info retry fetch attempt 1 at 18:48:34
+34 verbose fetch to= /tmp/npm-21334-KPbVeGat/registry.npmjs.org/fquery/-/fquery-0.11.0.tgz
+35 http GET https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz
+36 http 200 https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz
+37 silly lockFile 2abe8ce0-mjs-org-fquery-fquery-0-11-0-tgz https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz
+38 silly lockFile 2abe8ce0-mjs-org-fquery-fquery-0-11-0-tgz https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz
+39 silly lockFile c56ebe5c-fquery-0-11-0 fquery@0.11.0
+40 silly lockFile c56ebe5c-fquery-0-11-0 fquery@0.11.0
+41 silly lockFile e5526921-fquery fquery@
+42 silly lockFile e5526921-fquery fquery@
+43 silly resolved [ { name: 'fquery',
+43 silly resolved     displayName: 'fQuery',
+43 silly resolved     version: '0.11.0',
+43 silly resolved     description: 'file selection and processing for node',
+43 silly resolved     url: 'http://larsjung.de/fquery/',
+43 silly resolved     keywords:
+43 silly resolved      [ 'file',
+43 silly resolved        'tool',
+43 silly resolved        'preprocessor',
+43 silly resolved        'less',
+43 silly resolved        'css',
+43 silly resolved        'lesscss',
+43 silly resolved        'js',
+43 silly resolved        'javascript' ],
+43 silly resolved     author: { name: 'Lars Jung', email: 'lrsjng@gmail.com' },
+43 silly resolved     license: 'MIT',
+43 silly resolved     repository: { type: 'git', url: 'https://github.com/lrsjng/fQuery.git' },
+43 silly resolved     main: './lib/fQuery',
+43 silly resolved     bin: { makejs: './bin/makejs', wepp: './bin/wepp' },
+43 silly resolved     dependencies:
+43 silly resolved      { async: '~0.2.9',
+43 silly resolved        'clean-css': '~1.0.12',
+43 silly resolved        commander: '~2.0.0',
+43 silly resolved        docco: '~0.6.2',
+43 silly resolved        glob: '~3.2.6',
+43 silly resolved        'gzip-js': '~0.3.2',
+43 silly resolved        handlebars: '~1.0.12',
+43 silly resolved        jade: '~0.34.1',
+43 silly resolved        jshint: '~2.1.6',
+43 silly resolved        less: '~1.4.2',
+43 silly resolved        mkdirp: '~0.3.5',
+43 silly resolved        moment: '~2.1.0',
+43 silly resolved        mustache: '~0.7.2',
+43 silly resolved        rimraf: '~2.2.2',
+43 silly resolved        semver: '~2.0.11',
+43 silly resolved        'uglify-js': '~2.3.6',
+43 silly resolved        underscore: '~1.5.1' },
+43 silly resolved     engines: { node: '>=0.8' },
+43 silly resolved     readme: '# fQuery\nFile selection and processing for Node.js. `makejs` and `wepp` included.\n\n* to report a bug or make a feature request please create [a new issue](https://github.com/lrsjng/fquery/issues/new).\n* website: <http://larsjung.de/fquery/>\n* sources: <https://github.com/lrsjng/fquery>\n\nfQuery is provided under the terms of the [MIT License](https://github.com/lrsjng/fquery/blob/develop/LICENSE.md).\n\n\n## Changelog\n\n\n### v0.11.0 - *2013-08-16*\n\n* adds `newerThan`\n* adds `spawnProcess`\n* adds `hash` plugin\n* removes `css-condensed`, `live` and `zip` plugin\n* adds lazy load for plugins\n* minor fixes\n\n\n### v0.10.0 - *2013-08-09*\n\n* moves `makejs` to a new tools section\n* integrates [wepp](http://larsjung.de/wepp/)\n* replaces `rmfr` with `DELETE`, no longer needs `I_AM_SURE`\n* adds uppercase methods `MOVE`, `COPY`, `WRITE` which overwrite existing files by default\n* adds `map` function\n\n\n### v0.9.0 - *2013-07-31*\n\n* fixes\n* updates `async` to `0.2.9`\n* updates `clean-css` to `1.0.12`\n* updates `commander` to `2.0.0`\n* updates `css-condense` to `0.0.6`\n* updates `docco` to `0.6.2`\n* updates `glob` to `3.2.6`\n* updates `handlebars` to `1.0.12`\n* updates `jade` to `0.34.1`\n* updates `jshint` to `2.1.6`\n* updates `less` to `1.4.2`\n* updates `mkdirp` to `0.3.5`\n* updates `moment` to `2.1.0`\n* updates `mustache` to `0.7.2`\n* updates `rimraf` to `2.2.2`\n* updates `semver` to `2.0.11`\n* updates `uglify-js` to `2.3.6`\n* updates `underscore` to `1.5.1`\n\n\n### v0.8.1 - *2012-09-15*\n\n* improves git plugin\n\n\n### v0.8.0 - *2012-09-13*\n\n* updates version method\n* updates git plugin\n\n\n### v0.7.0 - *2012-09-12*\n\n* adds header option to uglifyjs and cssmin plugin\n* adds cleancss plugin\n* adds csscondense plugin\n* adds githash plugin\n* adds shzip plugin\n* minor fixes\n\n\n### v0.6.0 - *2012-08-14*\n\n* adds linebreak option to uglifyjs and cssmin plugin\n\n\n### v0.5.0 - *2012-08-12*\n\n* adds globs in `includify`\n\n\n### v0.4.0 - *2012-08-11*\n\n* add plugin handlebars\n\n\n### v0.3.0 - *2012-08-05*\n\n* interface nearly done\n\n\n### v0.2.0 - *2012-07-26*\n\n* still initial changes\n\n\n### v0.1.0 - *2012-07-20*\n\n* initial release\n\n',
+43 silly resolved     readmeFilename: 'README.md',
+43 silly resolved     bugs: { url: 'https://github.com/lrsjng/fQuery/issues' },
+43 silly resolved     _id: 'fquery@0.11.0',
+43 silly resolved     dist:
+43 silly resolved      { shasum: '034d7d4e233586f742975b2ced7b27d2fdbeba70',
+43 silly resolved        tarball: 'http://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz' },
+43 silly resolved     _from: 'fquery@',
+43 silly resolved     _npmVersion: '1.3.5',
+43 silly resolved     _npmUser: { name: 'lrsjng', email: 'lrsjng@gmail.com' },
+43 silly resolved     maintainers: [ [Object] ],
+43 silly resolved     directories: {},
+43 silly resolved     _shasum: '034d7d4e233586f742975b2ced7b27d2fdbeba70',
+43 silly resolved     _resolved: 'https://registry.npmjs.org/fquery/-/fquery-0.11.0.tgz' } ]
+44 info install fquery@0.11.0 into /usr/lib
+45 info installOne fquery@0.11.0
+46 info /usr/lib/node_modules/fquery unbuild
+47 verbose tar unpack /home/lars/.npm/cache/fquery/0.11.0/package.tgz
+48 silly lockFile f927d464-tar-usr-lib-node-modules-fquery tar:///usr/lib/node_modules/fquery
+49 verbose lock tar:///usr/lib/node_modules/fquery /home/lars/.npm/cache/f927d464-tar-usr-lib-node-modules-fquery.lock
+50 silly lockFile 8c765a20--cache-fquery-0-11-0-package-tgz tar:///home/lars/.npm/cache/fquery/0.11.0/package.tgz
+51 verbose lock tar:///home/lars/.npm/cache/fquery/0.11.0/package.tgz /home/lars/.npm/cache/8c765a20--cache-fquery-0-11-0-package-tgz.lock
+52 silly gunzTarPerm modes [ '755', '644' ]
+53 error Error: EACCES, mkdir '/usr/lib/node_modules/fquery'
+53 error  { [Error: EACCES, mkdir '/usr/lib/node_modules/fquery']
+53 error   errno: 3,
+53 error   code: 'EACCES',
+53 error   path: '/usr/lib/node_modules/fquery',
+53 error   fstream_type: 'Directory',
+53 error   fstream_path: '/usr/lib/node_modules/fquery',
+53 error   fstream_class: 'DirWriter',
+53 error   fstream_stack:
+53 error    [ '/usr/lib/node_modules/npm/node_modules/fstream/lib/dir-writer.js:36:23',
+53 error      '/usr/lib/node_modules/npm/node_modules/mkdirp/index.js:37:53',
+53 error      'Object.oncomplete (fs.js:107:15)' ] }
+54 error Please try running this command again as root/Administrator.
+55 error System Linux 3.13.0-30-generic
+56 error command "/usr/bin/node" "/usr/bin/npm" "install" "-g" "fquery"
+57 error cwd /home/lars/env/workspace/h5ai
+58 error node -v v0.10.29
+59 error npm -v 1.4.14
+60 error path /usr/lib/node_modules/fquery
+61 error fstream_path /usr/lib/node_modules/fquery
+62 error fstream_type Directory
+63 error fstream_class DirWriter
+64 error code EACCES
+65 error errno 3
+66 error stack Error: EACCES, mkdir '/usr/lib/node_modules/fquery'
+67 error fstream_stack /usr/lib/node_modules/npm/node_modules/fstream/lib/dir-writer.js:36:23
+67 error fstream_stack /usr/lib/node_modules/npm/node_modules/mkdirp/index.js:37:53
+67 error fstream_stack Object.oncomplete (fs.js:107:15)
+68 verbose exit [ 3, true ]
diff --git a/package.json b/package.json
index b0b7053e..c86db1f8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "h5ai",
-  "version": "0.25.1",
+  "version": "0.25.2",
   "description": "a modern HTTP web server index",
   "url": "http://larsjung.de/h5ai/",
   "author": "Lars Jung",
diff --git a/src/_h5ai/client/css/inc/h5ai-info.less b/src/_h5ai/client/css/inc/h5ai-info.less
index d33a2f9d..9064a82e 100644
--- a/src/_h5ai/client/css/inc/h5ai-info.less
+++ b/src/_h5ai/client/css/inc/h5ai-info.less
@@ -17,15 +17,6 @@ body#h5ai-info {
 		}
 	}
 
-	.build-version {
-		display: block;
-	}
-	.build-stamp {
-		display: block;
-		margin-top: 0.3em;
-		font-size: 0.6em;
-		color: #aaa;
-	}
 	.idx-file {
 		margin-top: 1em;
 		font-size: 0.6em;
@@ -61,6 +52,56 @@ body#h5ai-info {
 		line-height: 1.4em;
 	}
 
+	#login-wrapper {
+		margin: 96px 0;
+		font-size: 14px;
+
+		#pass {
+			-moz-appearance: none;
+			-ms-appearance: none;
+			-webkit-appearance: none;
+			font-family: @font-family;
+			font-weight: @font-weight;
+			color: @col;
+			background: @col-widget-back-highlight;
+			border: @border-widget;
+			outline: none;
+			display: inline-block;
+			width: 200px;
+			height: 30px;
+			padding: 0 6px;
+			margin: 8px;
+		}
+		#login, #logout {
+			display: inline-block;
+			padding: 4px 16px;
+			margin: 8px;
+			background-color: @col-widget-back;
+			border: @border-widget;
+			cursor: pointer;
+
+			color: @col;
+			cursor: pointer;
+			text-decoration: none;
+			.transition(all 0.2s ease-in-out);
+
+			&:hover, &.hover {
+				background-color: @col-widget-back-highlight;
+				color: @col-hover;
+			}
+		}
+		#hint {
+			margin: 12px auto;
+			width: 360px;
+			color: @col;
+			font-size: 12px;
+		}
+	}
+
+	#tests-wrapper {
+		margin: 96px 0;
+	}
+
 	#tests {
 		display: inline-block;
 		list-style-type: none;
@@ -69,16 +110,17 @@ body#h5ai-info {
 		padding: 0;
 
 		.test {
+			padding: 6px;
+
 			.label {
 				display: inline-block;
-				width: 370px;
+				width: 250px;
 			}
 			.result {
 				display: inline-block;
-				width: 70px;
+				width: 250px;
 				text-align: right;
 				font-weight: bold;
-				color: #aaa;
 
 				&.passed {
 					color: #5a5;
@@ -91,7 +133,7 @@ body#h5ai-info {
 				margin: 4px 0 12px 12px;
 				font-size: 0.7em;
 				color: #aaa;
-				width: 370px;
+				width: 380px;
 				line-height: 1.2em;
 			}
 		}
diff --git a/src/_h5ai/client/js/inc/ext/google-analytics.js b/src/_h5ai/client/js/inc/ext/google-analytics.js
index c82c3ed2..91059ef1 100644
--- a/src/_h5ai/client/js/inc/ext/google-analytics.js
+++ b/src/_h5ai/client/js/inc/ext/google-analytics.js
@@ -67,8 +67,7 @@ modulejs.define('ext/google-analytics-ua', ['_', 'core/settings', 'core/event'],
 
 				var loc = win.location;
 				win[id]('send', 'pageview', {
-					location: loc.protocol + '//' + loc.hostname + item.absHref,
-					page: loc.protocol + '//' + loc.host + item.absHref,
+					location: loc.protocol + '//' + loc.host + item.absHref,
 					title: _.pluck(item.getCrumb(), 'label').join(' > ')
 				});
 			});
diff --git a/src/_h5ai/client/js/inc/info.js b/src/_h5ai/client/js/inc/info.js
index c5c75c7b..74df50f6 100644
--- a/src/_h5ai/client/js/inc/info.js
+++ b/src/_h5ai/client/js/inc/info.js
@@ -1,36 +1,59 @@
 
 modulejs.define('info', ['$', 'config'], function ($, config) {
 
-	var template = '<li class="test">' +
-						'<span class="label"></span>' +
-						'<span class="result"></span>' +
-						'<div class="info"></div>' +
-					'</li>',
+	var testsTemp =
+			'<div id="tests-wrapper">' +
+				'<ul id="tests">' +
+			'</div>',
+
+		testTemp =
+			'<li class="test">' +
+				'<span class="label"></span>' +
+				'<span class="result"></span>' +
+				'<div class="info"></div>' +
+			'</li>',
+
+		loginTemp =
+			'<div id="login-wrapper">' +
+				'<input id="pass" type="text" placeholder="password"/>' +
+				'<span id="login">login</span>' +
+				'<span id="logout">logout</span>' +
+				'<div id="hint">' +
+					'The preset password is the empty string, so just hit login. ' +
+					'You might change it in the index file to keep this information private.' +
+				'</div>' +
+			'</div>',
 
 		setup = config.setup,
-		$tests = $("#tests"),
-
-		addTest = function (label, info, passed, result) {
-
-			$(template)
-				.find('.label')
-					.text(label)
-				.end()
-				.find('.result')
-					.addClass(passed ? 'passed' : 'failed')
-					.text(result ? result : (passed ? 'yes' : 'no'))
-				.end()
-				.find('.info')
-					.html(info)
-				.end()
-				.appendTo($tests);
-		},
 
 		addTests = function () {
 
+			var addTest = function (label, info, passed, result) {
+
+					$(testTemp)
+						.find('.label')
+							.text(label)
+						.end()
+						.find('.result')
+							.addClass(passed ? 'passed' : 'failed')
+							.text(result ? result : (passed ? 'yes' : 'no'))
+						.end()
+						.find('.info')
+							.html(info)
+						.end()
+						.appendTo('#tests');
+				};
+
+			$(testsTemp).appendTo('body');
+
+			addTest(
+				'Server software', 'Server is one of apache, lighttpd, nginx or cherokee',
+				setup.HAS_SERVER, setup.SERVER_NAME + ' ' + setup.SERVER_VERSION
+			);
+
 			addTest(
 				'PHP version', 'PHP version &gt;= ' + setup.MIN_PHP_VERSION,
-				setup.HAS_PHP_VERSION
+				setup.HAS_PHP_VERSION, setup.PHP_VERSION
 			);
 
 			addTest(
@@ -49,8 +72,8 @@ modulejs.define('info', ['$', 'config'], function ($, config) {
 			);
 
 			addTest(
-				'Movie thumbs', 'Command line program <code>ffmpeg</code> or <code>avconv</code> available',
-				setup.HAS_CMD_FFMPEG || setup.HAS_CMD_AVCONV
+				'Movie thumbs', 'Command line program <code>avconv</code> or <code>ffmpeg</code> available',
+				setup.HAS_CMD_AVCONV || setup.HAS_CMD_FFMPEG
 			);
 
 			addTest(
@@ -69,15 +92,75 @@ modulejs.define('info', ['$', 'config'], function ($, config) {
 			);
 
 			addTest(
-				'Folder sizes', 'Command line program <code>du</code> available',
+				'Shell du', 'Command line program <code>du</code> available',
 				setup.HAS_CMD_DU
 			);
 		},
 
+		addLogin = function () {
+
+			var request = function (data) {
+
+					$.ajax({
+							url: 'server/php/index.php',
+							type: 'POST',
+							dataType: 'JSON',
+							data: data
+						})
+						.always(function () {
+
+							window.location.reload();
+						});
+				},
+
+				onLogin = function () {
+
+					request({
+						'action': 'login',
+						'pass': $('#pass').val()
+					});
+				},
+
+				onLogout = function () {
+
+					request({
+						'action': 'logout'
+					});
+				},
+
+				onKeydown = function (event) {
+
+					if (event.which === 13) {
+						onLogin();
+					}
+				};
+
+			$(loginTemp).appendTo('body');
+
+			if (setup.AS_ADMIN) {
+				$('#pass').remove();
+				$('#login').remove();
+				$('#logout').on('click', onLogout);
+			} else {
+				$('#pass').on('keydown', onKeydown).focus();
+				$('#login').on('click', onLogin);
+				$('#logout').remove();
+			}
+			if (setup.HAS_CUSTOM_PASSHASH) {
+				$('#hint').remove();
+			}
+		},
+
 		init = function () {
 
-			$('.idx-file .value').text(setup.INDEX_HREF);
-			addTests();
+			$('<span class="idx-file">Index: <code class="value"></code></span>')
+				.appendTo('body')
+				.find('.value').text(setup.INDEX_HREF);
+
+			if (setup.AS_ADMIN) {
+				addTests();
+			}
+			addLogin();
 		};
 
 	init();
diff --git a/src/_h5ai/index.html.jade b/src/_h5ai/index.html.jade
index b6204a1a..31b49efa 100644
--- a/src/_h5ai/index.html.jade
+++ b/src/_h5ai/index.html.jade
@@ -20,13 +20,6 @@ html.no-js.browser( lang="en" )
 
 		h1
 			a( href="{{pkg.url}}" ) {{pkg.name}}
-		span.build-version version {{pkg.version}}
-		span.build-stamp {{stamp}}
-		span.idx-file Index: 
-			code.value
-
-		h2 Server Setup
-		ul#tests
 
 		div#bottombar.clearfix
 			span.left
@@ -38,5 +31,5 @@ html.no-js.browser( lang="en" )
 					| ! ⚡
 			span.right
 				a( href="{{pkg.url}}", title="{{pkg.name}} {{pkg.version}} · {{pkg.description}}" )
-					| powered by h5ai {{pkg.version}}
+					| powered by {{pkg.name}} {{pkg.version}}
 			span.center
diff --git a/src/_h5ai/server/php/inc/class-api.php b/src/_h5ai/server/php/inc/class-api.php
index 445ccbd3..a52d8971 100644
--- a/src/_h5ai/server/php/inc/class-api.php
+++ b/src/_h5ai/server/php/inc/class-api.php
@@ -8,7 +8,7 @@ class Api {
 
 	public function __construct($app) {
 
-		$this->actions = array("get", "getThumbHref", "download", "upload", "delete", "rename");
+		$this->actions = array("login", "logout", "get", "getThumbHref", "download");
 		$this->app = $app;
 		$this->options = $app->get_options();
 	}
@@ -19,11 +19,26 @@ class Api {
 		$action = use_request_param("action");
 		json_fail(100, "unsupported request", !in_array($action, $this->actions));
 
-		$methodname = "on_$action";
+		$methodname = "on_${action}";
 		$this->$methodname();
 	}
 
 
+	private function on_login() {
+
+		$pass = use_request_param("pass");
+		$_SESSION[AS_ADMIN_SESSION_KEY] = sha1($pass) === PASSHASH;
+		json_exit(array("as_admin" => $_SESSION[AS_ADMIN_SESSION_KEY]));
+	}
+
+
+	private function on_logout() {
+
+		$_SESSION[AS_ADMIN_SESSION_KEY] = false;
+		json_exit(array("as_admin" => $_SESSION[AS_ADMIN_SESSION_KEY]));
+	}
+
+
 	private function on_get() {
 
 		$response = array();
@@ -88,7 +103,7 @@ class Api {
 			$response["all_items"] = $this->app->get_all_items();
 		}
 
-		if (count($_REQUEST)) {
+		if (AS_ADMIN && count($_REQUEST)) {
 			$response["unused"] = $_REQUEST;
 		}
 
diff --git a/src/_h5ai/server/php/inc/class-app.php b/src/_h5ai/server/php/inc/class-app.php
index fd16ede9..6b786c32 100644
--- a/src/_h5ai/server/php/inc/class-app.php
+++ b/src/_h5ai/server/php/inc/class-app.php
@@ -26,11 +26,21 @@ class App {
 
 		$consts = get_defined_constants(true);
 		$setup = $consts["user"];
+
 		$setup["PHP_VERSION"] = PHP_VERSION;
-		unset($setup["APP_PATH"]);
-		unset($setup["ROOT_PATH"]);
-		unset($setup["CURRENT_PATH"]);
-		unset($setup["CACHE_PATH"]);
+		unset($setup["AS_ADMIN_SESSION_KEY"]);
+		unset($setup["PASSHASH"]);
+
+		if (!AS_ADMIN) {
+			unset($setup["APP_PATH"]);
+			unset($setup["CACHE_PATH"]);
+			unset($setup["CURRENT_PATH"]);
+			unset($setup["PHP_VERSION"]);
+			unset($setup["ROOT_PATH"]);
+			unset($setup["SERVER_NAME"]);
+			unset($setup["SERVER_VERSION"]);
+		}
+
 		return $setup;
 	}
 
@@ -134,7 +144,7 @@ class App {
 
 	public function is_managed_path($path) {
 
-		if (!is_dir($path) || strpos($path, '../') || strpos($path, '/..') || $path == '..') {
+		if (!is_dir($path) || strpos($path, '../') !== false || strpos($path, '/..') !== false || $path === '..') {
 			return false;
 		}
 
diff --git a/src/_h5ai/server/php/inc/class-archive.php b/src/_h5ai/server/php/inc/class-archive.php
index a78a107a..dcc099a1 100644
--- a/src/_h5ai/server/php/inc/class-archive.php
+++ b/src/_h5ai/server/php/inc/class-archive.php
@@ -23,7 +23,11 @@ class Archive {
 		$this->add_hrefs($urls);
 
 		if (count($this->dirs) === 0 && count($this->files) === 0) {
-			$this->add_dir(CURRENT_PATH, "/");
+			if ($type === "php-tar") {
+				$this->add_dir(CURRENT_PATH, "/");
+			} else {
+				$this->add_dir(CURRENT_PATH, ".");
+			}
 		}
 
 		if ($type === "php-tar") {
diff --git a/src/_h5ai/server/php/inc/page.php.jade b/src/_h5ai/server/php/inc/page.php.jade
index c5bc1b24..82ddb9dc 100644
--- a/src/_h5ai/server/php/inc/page.php.jade
+++ b/src/_h5ai/server/php/inc/page.php.jade
@@ -1,7 +1,8 @@
 
-- var app_href = "<?= APP_HREF ?>"
-- var fallback = "<?= FALLBACK ?>"
+- var app_href = "<?php echo APP_HREF; ?>"
+- var fallback = "<?php echo FALLBACK; ?>"
 
+<?php header("Content-type: text/html;charset=utf-8"); ?>
 doctype 5
 //if lt IE 10
 	<html class="no-js no-browser" lang="en">
@@ -35,7 +36,7 @@ html.no-js.browser( lang="en" )
 					| ! ⚡
 			span.right
 				a( href="{{pkg.url}}", title="{{pkg.name}} {{pkg.version}} · {{pkg.description}}" )
-					| powered by h5ai {{pkg.version}}
+					| powered by {{pkg.name}} {{pkg.version}}
 			span.center
 
 		div#sidebar
diff --git a/src/_h5ai/server/php/inc/setup.php b/src/_h5ai/server/php/inc/setup.php
index 19dc18e0..040544a9 100644
--- a/src/_h5ai/server/php/inc/setup.php
+++ b/src/_h5ai/server/php/inc/setup.php
@@ -10,12 +10,20 @@ function setup() {
 
 	define("NAME", "{{pkg.name}}");
 	define("VERSION", "{{pkg.version}}");
+	define("STAMP", "{{stamp}}");
 
 	define("BACKEND", "PHP");
 	define("API", true);
 	define("FILE_PREFIX", "_{{pkg.name}}");
 
 
+	// ADMIN
+	session_start();
+	define("AS_ADMIN_SESSION_KEY", "__H5AI_AS_ADMIN__");
+	define("AS_ADMIN", isset($_SESSION[AS_ADMIN_SESSION_KEY]) && $_SESSION[AS_ADMIN_SESSION_KEY] === true);
+	define("HAS_CUSTOM_PASSHASH", PASSHASH !== "da39a3ee5e6b4b0d3255bfef95601890afd80709");
+
+
 	// PHP
 	define("MIN_PHP_VERSION", "5.3.0");
 	define("HAS_PHP_VERSION", version_compare(PHP_VERSION, MIN_PHP_VERSION) >= 0);
@@ -38,6 +46,7 @@ function setup() {
 	}
 	define("SERVER_NAME", $server_name);
 	define("SERVER_VERSION", $server_version);
+	define("HAS_SERVER", in_array($server_name, array("apache", "lighttd", "nginx", "cherokee")));
 	define("HAS_WIN_OS", strtolower(substr(PHP_OS, 0, 3)) === "win");
 
 
diff --git a/src/_h5ai/server/php/inc/util.php b/src/_h5ai/server/php/inc/util.php
index f3e040d4..fc2d091f 100644
--- a/src/_h5ai/server/php/inc/util.php
+++ b/src/_h5ai/server/php/inc/util.php
@@ -1,9 +1,20 @@
 <?php
 
 
+function normalize_path($path, $trailing_slash = false) {
+
+	$path = preg_replace("#[\\\\/]+#", "/", $path);
+	return preg_match("#^(\w:)?/$#", $path) ? $path : (rtrim($path, "/") . ($trailing_slash ? "/" : ""));
+}
+
+
 function json_exit($obj = array()) {
 
-	$obj["code"] = 0;
+	if (!isset($obj["code"])) {
+		$obj["code"] = 0;
+	}
+
+	header("Content-type: application/json;charset=utf-8");
 	echo json_encode($obj);
 	exit;
 }
@@ -12,8 +23,7 @@ function json_exit($obj = array()) {
 function json_fail($code, $msg = "", $cond = true) {
 
 	if ($cond) {
-		echo json_encode(array("code" => $code, "msg" => $msg));
-		exit;
+		json_exit(array("code" => $code, "msg" => $msg));
 	}
 }
 
@@ -86,28 +96,10 @@ function exec_cmdv($cmdv) {
 }
 
 
-function delete_path($path, $recursive = false) {
 
-	if (is_file($path)) {
-		return @unlink($path);
-	}
-
-	if (is_dir($path)) {
-		if ($recursive === true && $dir = opendir($path)) {
-			while (($name = readdir($dir)) !== false) {
-				delete_path($path . "/" . $name);
-			}
-			closedir($dir);
-		}
-
-		return @rmdir($path);
-	}
-
-	return false;
-}
-
-
-// debug tools
+/*********************************************************************
+  Debug Tools
+*********************************************************************/
 
 function err_log($message, $obj = null) {
 
diff --git a/src/_h5ai/server/php/index.php b/src/_h5ai/server/php/index.php
index b5459e9c..bfd13c08 100644
--- a/src/_h5ai/server/php/index.php
+++ b/src/_h5ai/server/php/index.php
@@ -1,14 +1,19 @@
 <?php
 
-function normalize_path($path, $trailing_slash = false) {
 
-	$path = preg_replace("#\\\\+|/+#", "/", $path);
-	return preg_match("#^(\w:)?/$#", $path) ? $path : (rtrim($path, "/") . ($trailing_slash ? "/" : ""));
-}
+
+/*********************************************************************
+  SHA1 hash of the info page password, the preset password is the
+  empty string. You might change it to keep this information private.
+  Online hash generator: http://www.sha1.cz/
+*********************************************************************/
+define("PASSHASH", "da39a3ee5e6b4b0d3255bfef95601890afd80709");
+
+
 
 function normalized_require_once($lib) {
 
-	require_once(normalize_path(dirname(__FILE__) . "/inc/${lib}.php", false));
+	require_once(preg_replace("#[\\\\/]+#", "/", dirname(__FILE__) . "/inc/${lib}.php"));
 }
 
 normalized_require_once("util");
@@ -23,14 +28,9 @@ setup();
 $app = new App();
 
 if (has_request_param("action")) {
-
-	header("Content-type: application/json;charset=utf-8");
 	$api = new Api($app);
 	$api->apply();
-
 } else {
-
-	header("Content-type: text/html;charset=utf-8");
 	define("FALLBACK", $app->get_fallback());
 	normalized_require_once("page");
 }