diff --git a/app/assets/javascripts/access.coffee b/app/assets/javascripts/access.coffee
new file mode 100644
index 0000000..24f83d1
--- /dev/null
+++ b/app/assets/javascripts/access.coffee
@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://coffeescript.org/
diff --git a/app/assets/stylesheets/access.scss b/app/assets/stylesheets/access.scss
new file mode 100644
index 0000000..dd37c7b
--- /dev/null
+++ b/app/assets/stylesheets/access.scss
@@ -0,0 +1,3 @@
+// Place all the styles related to the access controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2b456bb..15e73be 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,3 +1,14 @@
 class ApplicationController < ActionController::Base
 	protect_from_forgery with: :exception
+
+	def authenticated?
+		session[:authenticated] == true
+	end
+
+	def must_be_authenticated
+		unless authenticated?
+			session[:redirect_to] = request.path
+			redirect_to login_path
+		end
+	end
 end
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 618964b..0db248a 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -1,5 +1,6 @@
 class GroupsController < ApplicationController
 	before_action :set_group, only: %i[edit update destroy]
+	before_action :must_be_authenticated, only: %i[new create edit update destroy]
 
 	def new
 		@group = Group.new
diff --git a/app/controllers/site_controller.rb b/app/controllers/site_controller.rb
new file mode 100644
index 0000000..b5d8ecb
--- /dev/null
+++ b/app/controllers/site_controller.rb
@@ -0,0 +1,19 @@
+class SiteController < ApplicationController
+	def login
+	end
+
+	def auth
+		if params[:username] == ENV["username"] && params[:password] == ENV["password"]
+			session[:authenticated] = true
+			redirect_to session[:redirect_to] || diffs_path
+		else
+			render :login
+		end
+	end
+
+	def logout
+		session[:authenticated] = false
+		redirect_to :login
+	end
+
+end
diff --git a/app/controllers/sites_controller.rb b/app/controllers/sites_controller.rb
index 58d47b9..905118b 100644
--- a/app/controllers/sites_controller.rb
+++ b/app/controllers/sites_controller.rb
@@ -1,5 +1,6 @@
 class SitesController < ApplicationController
 	before_action :set_site, only: %i[show edit update destroy]
+	before_action :must_be_authenticated, only: %i[new create edit update destroy]
 
 	def index
 		@sites = Site.all.includes(:group).order(:group_id, :url)
diff --git a/app/controllers/templates_controller.rb b/app/controllers/templates_controller.rb
index 9b365ad..c15113e 100644
--- a/app/controllers/templates_controller.rb
+++ b/app/controllers/templates_controller.rb
@@ -1,5 +1,6 @@
 class TemplatesController < ApplicationController
 	before_action :set_template, only: %i[edit update destroy]
+	before_action :must_be_authenticated, only: %i[new create edit update destroy]
 
 	def new
 		@template = ::Template.new
diff --git a/app/helpers/access_helper.rb b/app/helpers/access_helper.rb
new file mode 100644
index 0000000..342c6ff
--- /dev/null
+++ b/app/helpers/access_helper.rb
@@ -0,0 +1,2 @@
+module AccessHelper
+end
diff --git a/app/views/config/index.html.erb b/app/views/config/index.html.erb
index 731cdd2..f49612f 100644
--- a/app/views/config/index.html.erb
+++ b/app/views/config/index.html.erb
@@ -12,8 +12,11 @@
 
 			<ul class="unstyled">
 			<% @groups.each do |group| %>
-				<li><%= link_to (group.name||group.id), edit_group_path(group) %> |
-					<%= link_to :remove, group, method: :delete, data: { confirm: "Are you sure you want to remove this group ("+(group.name||group.id)+") and all related data? This cannot be revert!" } %>
+				<li><%= link_to (group.name||group.id), edit_group_path(group) %>
+					<% if session[:authenticated] %>
+						 |
+						<%= link_to :remove, group, method: :delete, data: { confirm: "Are you sure you want to remove this group ("+(group.name||group.id)+") and all related data? This cannot be revert!" } %>
+					<% end %>
 				</li>
 				<% if group.targets %>
 					<ul>
@@ -64,8 +67,11 @@
 			<ul class="unstyled">
 				<% @templates.each do |template| %>
 					<li>
-						<%= link_to (template.name||template.id), edit_template_path(template) %> |
-						<%= link_to :remove, template, method: :delete, data: { confirm: "Are you sure you want to remove this template ("+(template.name||template.id)+") and all related data? This cannot be revert!" } %>
+						<%= link_to (template.name||template.id), edit_template_path(template) %>
+						<% if session[:authenticated] %>
+							 |
+							<%= link_to :remove, template, method: :delete, data: { confirm: "Are you sure you want to remove this template ("+(template.name||template.id)+") and all related data? This cannot be revert!" } %>
+						<% end %>
 					</li>
 					<% unless template.targets.empty? %>
 						<ul>
@@ -99,8 +105,11 @@
 				<% @sites.each do |site| %>
 					<li>
 						<%= link_to (site.name||site.url), edit_site_path(site) %> |
-						<%= link_to :show, site %> |
-						<%= link_to :remove, site, method: :delete, data: { confirm: "Are you sure you want to remove this site ("+(site.name||site.id)+") and all related data? This cannot be revert!" } %>
+						<%= link_to :show, site %>
+						<% if session[:authenticated] %>
+							 |
+							<%= link_to :remove, site, method: :delete, data: { confirm: "Are you sure you want to remove this site ("+(site.name||site.id)+") and all related data? This cannot be revert!" } %>
+						<% end %>
 					</li>
 					<% unless site.targets.empty? %>
 						<ul>
diff --git a/app/views/site/_form.html.erb b/app/views/site/_form.html.erb
new file mode 100644
index 0000000..d50f7e3
--- /dev/null
+++ b/app/views/site/_form.html.erb
@@ -0,0 +1,18 @@
+<%= form_with(local: true, class: "mts") do |form| %>
+
+	<fieldset class="mbs pas block">
+		<legend class="h4-like"><%= :login %></legend>
+		<div class="auto-grid has-gutter mbs">
+			<%= form.label :username, :username, class: 'txtright' %>:
+			<%= form.text_field :username %>
+
+			<%= form.label :password, :password, class: 'txtright' %>:
+			<%= form.password_field :password %>
+		</div>
+	</fieldset>
+
+	<div class="actions">
+		<%= form.submit :submit %>
+	</div>
+
+<% end %>
diff --git a/app/views/site/login.html.erb b/app/views/site/login.html.erb
new file mode 100644
index 0000000..472552f
--- /dev/null
+++ b/app/views/site/login.html.erb
@@ -0,0 +1,5 @@
+<h1 class="txtcenter"><%= :login %></h1>
+
+<%= render 'form' %>
+
+<%= link_to :back, diffs_path %>
diff --git a/config/routes.rb b/config/routes.rb
index 8607823..35412fe 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -4,4 +4,9 @@ Rails.application.routes.draw do
 	resources :config, only: %i[index]
 	resources :groups, only: %i[new create edit update destroy]
 	resources :templates, only: %i[new create edit update destroy]
+	# resources :access, only: %i[new create]
+
+	get '/login', to: 'site#login'
+	post '/login', to: 'site#auth'
+	get '/logout', to: 'site#logout'
 end
diff --git a/spec/controllers/access_controller_spec.rb b/spec/controllers/access_controller_spec.rb
new file mode 100644
index 0000000..cd92d72
--- /dev/null
+++ b/spec/controllers/access_controller_spec.rb
@@ -0,0 +1,5 @@
+require 'rails_helper'
+
+RSpec.describe AccessController, type: :controller do
+
+end
diff --git a/spec/helpers/access_helper_spec.rb b/spec/helpers/access_helper_spec.rb
new file mode 100644
index 0000000..5bbfede
--- /dev/null
+++ b/spec/helpers/access_helper_spec.rb
@@ -0,0 +1,15 @@
+require 'rails_helper'
+
+# Specs in this file have access to a helper object that includes
+# the AccessHelper. For example:
+#
+# describe AccessHelper do
+#   describe "string concat" do
+#     it "concats two strings with spaces" do
+#       expect(helper.concat_strings("this","that")).to eq("this that")
+#     end
+#   end
+# end
+RSpec.describe AccessHelper, type: :helper do
+  pending "add some examples to (or delete) #{__FILE__}"
+end