Version: 5.x

Welcome to Headlockr

In today’s digital world, security is paramount. Protecting API systems has become a critical challenge for organizations, developers and businesses striving to safeguard sensitive data and meet strict security standards. That’s where Headlockr comes in—a robust multi-factor authentication (MFA) plugin, designed specifically for the headless CMS Strapi, to address these challenges head-on.

Headlockr enhances API security by offering flexible authentication methods, including SMS, TOTP (Time-Based One-Time Passwords), email, and passkeys, ensuring that organizations as well as developers can tailor their security levels to meet their specific needs. For added peace of mind, Headlockr also provides backup codes, trusted devices, MFA enforcement policies, and password health controls to balance recovery, usability, and stronger login security.

Why Strapi?

Traditional monolithic CMS platforms often struggle to meet the demands of modern web and app development. Limited flexibility, poor integration capabilities, and performance issues make them less suitable for today’s fast-paced, interconnected digital landscape. Enter Strapi—a leading headless CMS that empowers developers to decouple content management from frontend delivery, offering unparalleled flexibility, scalability, and performance.

By integrating seamlessly with Strapi, Headlockr adds an extra layer of security to this dynamic ecosystem, protecting APIs and ensuring that your organization remains secure in a constantly evolving digital environment.

🌟 Why Choose Headlockr?

  • ✨ Admin Panel & Content API: We support full E2E MFA for both the Admin Panel and the Content API of Strapi v4 and v5.
  • 🔒 Multi-Factor Authentication: Secure your Strapi admin panel and APIs with SMS, TOTP, email, backup codes, and passkeys.
  • 🔑 Passkeys & Trusted Devices: Support modern passwordless login flows and reduce repeated MFA prompts on known devices.
  • 🛂 MFA Enforcement: Enforce MFA per role, control allowed enrollment methods, and give users a configurable grace period.
  • 🔁 Password Expiration: Require password rotation after a configurable number of days.
  • 🧪 Breached Password Detection: Check passwords against the HIBP breach corpus during login and notify administrators when a compromised password is detected.
  • 🚀 Plug-and-Play Integration: Get started quickly with no-code/low-code options.
  • 🛠️ Developer-Friendly: (ETA next year) Extend functionality with APIs and SDKs for React and other frameworks.
  • 📱 Companion App: Companion-based passkey flows are being rolled out and documented as a coming-soon experience.
  • 📊 Advanced API Protection: (Coming soon!) MFA for your Strapi content APIs.
  • 🛡️ Backup Codes: Regain access with one-time-use codes if your primary authentication methods fail.
  • ⚡ Lightning-Fast Setup: Seamlessly integrate into your Strapi instance in minutes with a native solution.

What’s Next?

Explore the documentation to get started with Headlockr. Whether you’re installing for the first time, configuring MFA methods, or looking to secure your admin panel and APIs, you’ll find everything you need right here.

Let’s make your Strapi instance more secure than ever!