As you probably know, Memberstack uses JavaScript in the front end to prevent logged-out visitors from accessing gated pages and hidden elements. If Memberstack fails to load (JavaScript disabled, browser issue, etc.), then your content will not be hidden.
That said, you can follow the best practices below to ensure your site is as secure as possible. Or you can use our hosted content feature to 100% secure HTML content that is stored in Memberstack.
- Never link directly from a public page to your gated content. Ideally, the only way a person can access gated content is by logging into their account and allowing Memberstack to redirect them. If you need to provide members with a link to access their content, you can use the data attribute data-ms-action="login-redirect". That attribute will automatically populate with a member's login redirect if they are logged in.
- Set your content visibility to display: none; by default. And then use the data-ms-bind:style attribute to change it to display: block only after Memberstack has loaded.
- Make your URLs unguessable. This will prevent random visitors from landing on a page by mistake. For example, /premium-299038902i3902n923n9023083/dashboard
- Remove/modify your sitemap so search engines and savvy visitors can’t see what pages are available on your site. This is a best practice when using Memberstack anyway. Here's how to update your sitemap in Webflow.
If you do those 4 things, your site will be secured in the same way as Google Photos! Here’s one of my private photos to prove it.
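An added example (not Memberstack's code): a static audit of the raw HTML and sitemap, which is what a visitor receives when Memberstack never loads, covering the link, default-visibility and sitemap practices above. The page markup, sitemap, example.com domain, element ids, the href="#" placeholder and the ms-hidden class are constructed assumptions; the gated prefix reuses the article's sample path.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed inputs: the gated prefix reuses the article's example path; the
# domain, element ids and the "ms-hidden" class are assumptions.
GATED = ["/premium-299038902i3902n923n9023083/"]
HIDDEN_CLASSES = {"ms-hidden"}  # classes your stylesheet sets to display: none
PAGE = """
<a href="/premium-299038902i3902n923n9023083/dashboard">Dashboard</a>
<a href="#" data-ms-action="login-redirect">My content</a>
<div id="teaser">Free preview</div>
<div id="full-a" style="display: none;" data-ms-bind:style="display:block">Paid</div>
<div id="full-b" class="ms-hidden" data-ms-bind:style="display:block">Paid</div>
<div id="full-c" data-ms-bind:style="display:block">Paid</div>
"""
SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>https://example.com/blog</loc></url>
<url><loc>https://example.com/premium-299038902i3902n923n9023083/dashboard</loc></url>
</urlset>"""

class GateAudit(HTMLParser):
    """Flags markup that exposes gated content when Memberstack does not load."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        classes = set((a.get("class") or "").split())
        hidden = "display:none" in style or bool(classes & HIDDEN_CLASSES)
        # Elements Memberstack reveals must start out hidden (fail closed).
        if "data-ms-bind:style" in a and not hidden:
            self.findings.append(("visible-by-default", a.get("id") or tag))
        # Public pages must not hard-code links into the gated area.
        href = a.get("href") or ""
        if tag == "a" and any(href.startswith(p) for p in GATED):
            self.findings.append(("direct-link", href))

def audit_page(html):
    parser = GateAudit()
    parser.feed(html)
    return parser.findings

def sitemap_leaks(xml_text):
    # Sitemap URLs whose path falls under a gated prefix.
    locs = [e.text.strip() for e in ET.fromstring(xml_text).iter() if e.tag.endswith("}loc")]
    return [u for u in locs if any(urlparse(u).path.startswith(p) for p in GATED)]
```

A clean result only means the page fails closed visually; hidden elements are still present in the HTML that is served.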
Comments
Hi Duncan Hamra,
I've been setting up my gated content on publicly viewable pages, as the purpose of it is that anyone can view the pages, but the 'ungated' content is like a preview snippet of the gated content, rather than a different page altogether.
Does that make it easy for someone to essentially 'hack' my gated content? How do I avoid this? I'm displaying blog content that on 'paid' blog pages shows a small portion that is freely available, and the rest is gated to promote signups to paid membership to read the full article......
I didn't particularly want to duplicate every paid article in entirety, but is that the only way to properly secure that data?
Cheers,
Andrew
Hey Andrew B, that all makes sense 👍
Yes, someone could disable Memberstack and then access your blog content (if they know it's there). I recommend hiding the premium content by default using CSS and then use the data-ms-bind:style="display:block" attribute to make it visible when Memberstack loads.
This is still not 100% secure, but in my experience it's secure enough for this kind of thing. Someone could, for example, pay for access, download all of the content, and then issue a chargeback. On the bright side, this really never happens. At least I've never heard from any of our thousands of customers having this happen to them.