tldr: We just fixed a bug around password protected sites returning http status 200 instead of 401
If you want to restrict access to your whole site (all paths) you can enable password protection (in Pro plan and above).
This will make your site show a password prompt when people are visiting for the first time in their session.
Until today those password prompt pages (or if someone gave a wrong password) would be returning a status code of
200 in the HTTP response. According to the HTTP spec a more appropriate status code would be
Human visitors viewing your site with a browser might not have seen this bug since browsers rarely handle status codes if a response body is present.
A machine doing a HTTP request to your password protected site might use the status code to evaluate whether the request was successful and might expect to get some specific data layout back when it is just getting the HTML of the password prompt for any path.
In order to make those machines happy we changed that status code.
Have fun using the feature with any client now!