login.js, which is fine to keep employees' casual visitors out but is
not real security (anyone who views the page source can find the
password). Swap this for a real auth provider (Netlify Identity, Auth0, or a
login endpoint on the bridge server) before storing anything sensitive behind it.