diff --git a/sonoff/_changelog.ino b/sonoff/_changelog.ino index fdf73fdc7..aa6e8bfae 100644 --- a/sonoff/_changelog.ino +++ b/sonoff/_changelog.ino @@ -1,4 +1,7 @@ -/* 6.2.1.4 20180916 +/* 6.2.1.5 20180921 + * Add authentication to HTTP web pages + * + * 6.2.1.4 20180916 * Add command SerialSend5 to send raw serial data like "A5074100545293" * Update MCP230xx driver * Update Czech translation diff --git a/sonoff/sonoff_version.h b/sonoff/sonoff_version.h index f5f94dad1..43253e40f 100644 --- a/sonoff/sonoff_version.h +++ b/sonoff/sonoff_version.h @@ -20,7 +20,7 @@ #ifndef _SONOFF_VERSION_H_ #define _SONOFF_VERSION_H_ -#define VERSION 0x06020104 +#define VERSION 0x06020105 #define D_PROGRAMNAME "Sonoff-Tasmota" #define D_AUTHOR "Theo Arends" diff --git a/sonoff/xdrv_02_webserver.ino b/sonoff/xdrv_02_webserver.ino index 6cadb952f..5182b7051 100644 --- a/sonoff/xdrv_02_webserver.ino +++ b/sonoff/xdrv_02_webserver.ino @@ -29,8 +29,6 @@ uint8_t *efm8bb1_update = NULL; #endif // USE_RF_FLASH -#define D_TASMOTA_TOKEN "Tasmota-Token" - enum UploadTypes { UPL_TASMOTA, UPL_SETTINGS, UPL_EFM8BB1 }; const char HTTP_HEAD[] PROGMEM = @@ -58,17 +56,13 @@ const char HTTP_HEAD[] PROGMEM = "eb('s1').value=l.innerText||l.textContent;" "eb('p1').focus();" "}" - "function lx(){" - "if(to==1){" - "if(tp<30){" - "tp++;" - "lt=setTimeout(lx,33);" // Wait for token from server - "}else{" - "lt=setTimeout(la,1355);" // Discard action and retry - "}" - "return;" + "function la(p){" + "var a='';" + "if(la.arguments.length==1){" + "a=p;" + "clearTimeout(lt);" "}" - "if(x!=null){x.abort();}" // Abort if no response within 2 seconds (happens on restart 1) + "if(x!=null){x.abort();}" // Abort if no response within 2 seconds (happens on restart 1) "x=new XMLHttpRequest();" "x.onreadystatechange=function(){" "if(x.readyState==4&&x.status==200){" 
@@ -76,32 +70,15 @@ const char HTTP_HEAD[] PROGMEM = "eb('l1').innerHTML=s;" "}" "};" - "x.open('GET','ay'+pc,true);" // Async request - "x.setRequestHeader('" D_TASMOTA_TOKEN "',to);" - "x.send();" // Perform command if available and get updated information - "pc='';" - "lt=setTimeout(la,2345-(tp*33));" - "}" - "function la(p){" - "if(la.arguments.length==1){" - "pc='?'+p;" - "clearTimeout(lt);" - "}else{pc='';}" - "to=1;tp=0;" - "if(x!=null){x.abort();}" // Abort if no response within 2 seconds (happens on restart 1) - "x=new XMLHttpRequest();" - "x.onreadystatechange=function(){" - "if(x.readyState==4&&x.status==200){to=x.getResponseHeader('" D_TASMOTA_TOKEN "');}else{to=1;}" - "};" - "x.open('GET','az',true);" // Async request - "x.send();" // Get token from server - "lx();" + "x.open('GET','ay'+a,true);" + "x.send();" + "lt=setTimeout(la,2345);" "}" "function lb(p){" - "la('d='+p);" + "la('?d='+p);" "}" "function lc(p){" - "la('c='+p);" + "la('?t='+p);" "}"; const char HTTP_HEAD_STYLE[] PROGMEM = @@ -340,7 +317,7 @@ const char HTTP_END[] PROGMEM = "" ""; -const char HTTP_DEVICE_CONTROL[] PROGMEM = ""; +const char HTTP_DEVICE_CONTROL[] PROGMEM = ""; const char HTTP_DEVICE_STATE[] PROGMEM = "%s%s"; // {c} = %'>
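Review bot: The rewritten `la()` sends state-changing arguments (`?d=` from `lb`, `?t=` from `lc`) as a plain `GET` to `ay` with no request header, so the only remaining gate is the `WebAuthenticate()` check that a later hunk adds to `HandleAjaxStatusRefresh`. If that check is HTTP Basic, as `requestAuthentication()` suggests, the browser attaches cached credentials to every request for the device, including requests started by an unrelated page, so these toggles become exposed to cross-site request forgery. The removed `Tasmota-Token` header was a weak nonce, but it did make the call a non-simple request. Consider accepting arguments on `ay` only via `POST` or only with a fixed custom header set on `x`, and leaving the argument-free refresh as it is. `WebAuthenticate()` is not defined in the visible hunks, so a comment at its definition should state what it returns when no password is configured.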
"), idx, idx); + snprintf_P(mqtt_data, sizeof(mqtt_data), PSTR(""), idx, idx); page += mqtt_data; } } @@ -634,34 +616,13 @@ void HandleRoot() } } -void HandleToken() -{ - char token[11]; - - ajax_token = random(2, 0x7FFFFFFF); - snprintf_P(token, sizeof(token), PSTR("%u"), ajax_token); - SetHeader(); - WebServer->sendHeader(FPSTR(HDR_TASMOTA_TOKEN), token); - snprintf_P(token, sizeof(token), PSTR("%u"), random(0x7FFFFFFF)); - WebServer->send(200, FPSTR(HDR_CTYPE_HTML), token); - - const char* header_key[] = { D_TASMOTA_TOKEN }; - WebServer->collectHeaders(header_key, 1); -} - void HandleAjaxStatusRefresh() { + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } + char svalue[80]; char tmp[100]; - if (WebServer->header(FPSTR(HDR_TASMOTA_TOKEN)).toInt() != ajax_token) { - snprintf_P(mqtt_data, sizeof(mqtt_data), PSTR(D_FILE_NOT_FOUND)); - SetHeader(); - WebServer->send(404, FPSTR(HDR_CTYPE_PLAIN), mqtt_data); - return; - } - ajax_token = 1; - WebGetArg("o", tmp, sizeof(tmp)); if (strlen(tmp)) { ShowWebSource(SRC_WEBGUI); @@ -736,6 +697,7 @@ boolean HttpUser() void HandleConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURATION); String page = FPSTR(HTTP_HEAD); @@ -759,6 +721,7 @@ void HandleConfiguration() void HandleModuleConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } char stemp[20]; uint8_t midx; @@ -829,6 +792,7 @@ void HandleWifiConfiguration() void HandleWifi(boolean scan) { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_WIFI); 
@@ -925,6 +889,7 @@ void HandleWifi(boolean scan) void HandleMqttConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_MQTT); String page = FPSTR(HTTP_HEAD); @@ -948,6 +913,7 @@ void HandleMqttConfiguration() void HandleLoggingConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_LOGGING); String page = FPSTR(HTTP_HEAD); @@ -995,6 +961,7 @@ void HandleLoggingConfiguration() void HandleOtherConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_OTHER); char stemp[40]; @@ -1032,6 +999,7 @@ void HandleOtherConfiguration() void HandleBackupConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, PSTR(D_LOG_HTTP D_BACKUP_CONFIGURATION)); if (!SettingsBufferAlloc()) { return; } @@ -1067,6 +1035,7 @@ void HandleBackupConfiguration() void HandleSaveSettings() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } char stemp[TOPSZ]; char stemp2[TOPSZ]; @@ -1232,6 +1201,7 @@ void HandleSaveSettings() void HandleResetConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } char svalue[33]; @@ -1252,6 +1222,7 @@ void HandleResetConfiguration() void HandleRestoreConfiguration() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_RESTORE_CONFIGURATION); String page = FPSTR(HTTP_HEAD); 
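Review bot: The guard `if (!WebAuthenticate()) { return WebServer->requestAuthentication(); }` is pasted into every handler, here HandleMqttConfiguration through HandleRestoreConfiguration and again in the hunks before and after this group. A handler that is added later or overlooked therefore stays reachable without credentials, and nothing flags it. Folding the check into one helper that each page handler calls first, alongside `HttpUser()`, or applying it where the routes are registered, would make the protected set auditable in one place. As a smaller point, `return WebServer->requestAuthentication();` in a `void` function compiles but hides that a 401 is being sent; `WebServer->requestAuthentication(); return;` reads more plainly. Each of these function bodies continues outside its hunk.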
@@ -1270,6 +1241,7 @@ void HandleRestoreConfiguration() void HandleInformation() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_INFORMATION); char stopic[TOPSZ]; @@ -1386,6 +1358,7 @@ void HandleInformation() void HandleUpgradeFirmware() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_FIRMWARE_UPGRADE); String page = FPSTR(HTTP_HEAD); @@ -1405,6 +1378,7 @@ void HandleUpgradeFirmware() void HandleUpgradeFirmwareStart() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } char svalue[100]; AddLog_P(LOG_LEVEL_DEBUG, PSTR(D_LOG_HTTP D_UPGRADE_STARTED)); @@ -1432,6 +1406,7 @@ void HandleUpgradeFirmwareStart() void HandleUploadDone() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, PSTR(D_LOG_HTTP D_UPLOAD_DONE)); char error[100]; @@ -1684,6 +1659,7 @@ void HandlePreflightRequest() void HandleHttpCommand() { if (HttpUser()) { return; } +// if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } char svalue[INPUT_BUFFER_SIZE]; // Large to serve Backlog AddLog_P(LOG_LEVEL_DEBUG, PSTR(D_LOG_HTTP D_COMMAND)); @@ -1741,6 +1717,7 @@ void HandleHttpCommand() void HandleConsole() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONSOLE); String page = FPSTR(HTTP_HEAD); @@ -1756,6 +1733,7 @@ void HandleConsole() void HandleAjaxConsoleRefresh() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } char svalue[INPUT_BUFFER_SIZE]; // Large to serve Backlog byte cflg = 1; byte counter = 0; // Initial start, should never be 0 again 
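Review bot: In the HandleUploadDone hunk the new check runs only after the request has been fully received. With the ESP8266WebServer upload-callback model, the upload handler is invoked while the multipart body is parsed, before this function is called. HandleUploadLoop is not part of this diff, so unless it has its own guard the uploaded data would still be processed for a client without credentials and only the result page would be refused. Suggest making the upload callback bail out first, e.g. `if (!WebAuthenticate()) { return; }` as its opening statement, and confirm this against how the upload route is registered. HandleUploadDone's body continues outside the hunk.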
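Review bot: The HandleHttpCommand hunk adds the authentication line commented out, so this is the one handler in the change left without the `WebAuthenticate()` check, and nothing on the page says why. If the function validates credentials another way further down (its body continues outside the hunk), replace the dead line with a comment that says so, for example `// Credentials are checked below from the request arguments, not via HTTP auth`. If it does not, the guard should be enabled. The `svalue` buffer is sized "to serve Backlog", which suggests this route executes device commands, so the exception deserves an explicit comment.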
@@ -1812,6 +1790,7 @@ void HandleAjaxConsoleRefresh() void HandleRestart() { if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_RESTART); String page = FPSTR(HTTP_HEAD); diff --git a/sonoff/xdrv_07_domoticz.ino b/sonoff/xdrv_07_domoticz.ino index a7eb7708f..a30f79439 100644 --- a/sonoff/xdrv_07_domoticz.ino +++ b/sonoff/xdrv_07_domoticz.ino @@ -375,10 +375,8 @@ const char S_CONFIGURE_DOMOTICZ[] PROGMEM = D_CONFIGURE_DOMOTICZ; void HandleDomoticzConfiguration() { - if (HTTP_USER == webserver_state) { - HandleRoot(); - return; - } + if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_DOMOTICZ); char stemp[32]; diff --git a/sonoff/xdrv_09_timers.ino b/sonoff/xdrv_09_timers.ino index 0652f3b53..66bf93614 100644 --- a/sonoff/xdrv_09_timers.ino +++ b/sonoff/xdrv_09_timers.ino @@ -676,10 +676,8 @@ const char S_CONFIGURE_TIMER[] PROGMEM = D_CONFIGURE_TIMER; void HandleTimerConfiguration() { - if (HTTP_USER == webserver_state) { - HandleRoot(); - return; - } + if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_TIMER); String page = FPSTR(HTTP_HEAD); diff --git a/sonoff/xdrv_11_knx.ino b/sonoff/xdrv_11_knx.ino index 3897caac7..88260b23c 100644 --- a/sonoff/xdrv_11_knx.ino +++ b/sonoff/xdrv_11_knx.ino 
@@ -803,15 +803,13 @@ const char HTTP_FORM_KNX_ADD_TABLE_ROW2[] PROGMEM = void HandleKNXConfiguration() { + if (HttpUser()) { return; } + if (!WebAuthenticate()) { return WebServer->requestAuthentication(); } + AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_KNX); + char tmp[100]; String stmp; - if (HTTP_USER == webserver_state) { - HandleRoot(); - return; - } - AddLog_P(LOG_LEVEL_DEBUG, S_LOG_HTTP, S_CONFIGURE_KNX); - if ( WebServer->hasArg("save") ) { KNX_Save_Settings(); HandleConfiguration();