diff --git a/config/initializers/comfortable_mexican_sofa.rb b/config/initializers/comfortable_mexican_sofa.rb
index 61965ba9..63b134dd 100644
--- a/config/initializers/comfortable_mexican_sofa.rb
+++ b/config/initializers/comfortable_mexican_sofa.rb
@@ -19,7 +19,7 @@
 # Module responsible for public authentication. Similar to the above. You also
 # will have access to @cms_site, @cms_layout, @cms_page so you can use them in
 # your logic. Default module doesn't do anything.
- # config.public_auth = 'ComfyPublicAuthentication'
+ config.public_auth = "ComfyPublicAuthentication"
 
 # Module responsible for public authorization. It should have #authorize
 # method that returns true or false based on params and loaded instance
@@ -99,11 +99,17 @@
 # end
 
 # Uncomment this module and `config.public_auth` above to use custom public authentication
-# module ComfyPublicAuthentication
-# def authenticate
-# return true
-# end
-# end
+module ComfyPublicAuthentication
+ def authenticate
+ protected_paths = ["secret"]
+
+ return unless protected_paths.any? { |protected_path| params["cms_path"]&.include?(protected_path) }
+
+ authenticate_or_request_with_http_basic do |username, password|
+ username == Rails.application.secrets.cms_user && password == Rails.application.secrets.cms_password
+ end
+ end
+end
 
 # Uncomment this module and `config.public_authorization` above to use custom public authorization
 # module ComfyPublicAuthorization
diff --git a/test/integration/cms_protected_pages_test.rb b/test/integration/cms_protected_pages_test.rb
new file mode 100644
index 00000000..ad068a97
--- /dev/null
+++ b/test/integration/cms_protected_pages_test.rb
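Review bot: In `ComfyPublicAuthentication#authenticate` (second hunk of `comfortable_mexican_sofa.rb`) the decision to challenge is a substring test on the raw `params["cms_path"]`, so protection follows the spelling of the request rather than the page being served. Any path that merely contains `secret` is challenged, and a request that resolves to a protected page without that exact lowercase substring would not be; whether the page lookup is that lenient is not visible in this diff, so it is worth confirming. The initializer comment in the first hunk says `@cms_page` is available to this module, so I would match whole segments of the loaded page's `full_path` and fall back to the param only when no page is set. Separately, the credential check uses `==` joined with `&&`, which is not constant-time and skips the password comparison when the username differs; `ActiveSupport::SecurityUtils.secure_compare` joined with `&` is the usual form, together with an explicit refusal when either secret is unset so that blank values can never match.

```ruby
def authenticate
  protected_paths = ["secret"]

  # Match whole segments of the loaded page's path; use the request param only if no page is set.
  path = @cms_page&.full_path || params["cms_path"]
  segments = path.to_s.downcase.split("/")
  return unless protected_paths.any? { |protected_path| segments.include?(protected_path) }

  expected_user = Rails.application.secrets.cms_user.to_s
  expected_password = Rails.application.secrets.cms_password.to_s

  authenticate_or_request_with_http_basic do |username, password|
    # Unset secrets must never authenticate anyone.
    next false if expected_user.empty? || expected_password.empty?

    # Constant-time comparison; `&` checks both fields regardless of the first result.
    ActiveSupport::SecurityUtils.secure_compare(username.to_s, expected_user) &
      ActiveSupport::SecurityUtils.secure_compare(password.to_s, expected_password)
  end
end
```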
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class CmsProtectedPagesTest < ActionDispatch::IntegrationTest
+ setup do
+ # create a nested protected CMS page under "secret" slug
+ @secret_parent = Comfy::Cms::Page.create!(
+ site: Comfy::Cms::Site.first,
+ layout: Comfy::Cms::Layout.first,
+ slug: "secret",
+ label: "Secret Parent"
+ )
+
+ @page = Comfy::Cms::Page.create!(
+ site: Comfy::Cms::Site.first,
+ layout: Comfy::Cms::Layout.first,
+ slug: "protected-page",
+ label: "Protected Page",
+ parent: @secret_parent
+ )
+ end
+
+ test "visting protected page returns unauthorized" do
+ get comfy_cms_render_page_path(cms_path: "secret/protected-page")
+
+ assert_response :unauthorized
+ end
+
+ test "visting protected page with correct credentials returns success" do
+ get comfy_cms_render_page_path(cms_path: "secret/protected-page"), headers: admin_authorization_headers
+
+ assert_response :success
+ end
+end
diff --git a/test/integration/cms_test.rb b/test/integration/cms_test.rb
index 957aef6c..6e5697be 100644
--- a/test/integration/cms_test.rb
+++ b/test/integration/cms_test.rb
@@ -9,6 +9,7 @@ class CmsTest < ActionDispatch::IntegrationTest
 assert_response :success
 assert_select "h2", "Search the Library"
 end
+
 test "ask us page" do
 get comfy_cms_render_page_path(cms_path: "ask-us")
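Review bot: In `test/integration/cms_protected_pages_test.rb` the two tests cover only the no-credentials and correct-credentials cases; nothing pins that wrong credentials are rejected, or that a page outside the protected tree is still served without a challenge. Those are the cases a later change to the path check or the credential comparison is most likely to break. I would add `test "visiting protected page with wrong credentials returns unauthorized"`, sending an `Authorization` header built with `ActionController::HttpAuthentication::Basic.encode_credentials` and a deliberately wrong password, plus one asserting `:success` for an unprotected path requested without headers. `admin_authorization_headers` is defined outside this diff, so I cannot confirm it is built from the same `cms_user`/`cms_password` secrets the initializer compares against. Both test names also spell "visiting" as `visting`.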