diff --git a/server/social.coffee b/server/social.coffee
index fee1861..cf38c06 100644
--- a/server/social.coffee
+++ b/server/social.coffee
@@ -400,15 +400,17 @@ module.exports = exports = (log, loga, argv) ->
 false
 app.all '*', (req, res, next) ->
- # todo: think about assets??
- return next() unless /\.(json|html)$/.test req.url
+ # everything is restricted except site flag,
+ return next() if req.url is '/favicon.png'
+ return next() unless /\.(json|html)$/.test req.url or req.url.startsWith('/assets')
 # prepare to examine remote server's forwarded session
 res.header 'Access-Control-Allow-Origin', req.get('Origin')||'*'
 res.header 'Access-Control-Allow-Credentials', 'true'
- return next() if isAuthorized(req) || allowedToView(req)
+ # protect unclaimed by adding "add owner isnt ''" - maybe via parameter
+ return next() if isAuthorized(req) or allowedToView(req)
 return res.redirect("/view/#{m[1]}") if m = req.url.match /\/(.*)\.html/
- return res.json([]) if req.url == '/system/sitemap.json'
+ return res.json(['Login Required']) if req.url == '/system/sitemap.json'
 # not happy, explain why these pages can't be viewed
 problem = "This is a restricted wiki requires users to login to view pages. You do not have to be the site owner but you do need to login with a participating email address."
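Review bot: On the added `return next() unless /\.(json|html)$/.test req.url or req.url.startsWith('/assets')` line, CoffeeScript's implicit call takes everything up to `unless` as the argument, so it compiles to `.test(req.url || req.url.startsWith('/assets'))`. The `/assets` clause is therefore dead code, and asset requests still skip the login check that the new comment says should apply to them. Parenthesise the call: `return next() unless /\.(json|html)$/.test(req.url) or req.url.startsWith('/assets')`. Separately, if this is an Express app (as `app.all` and `res.json` suggest), `req.url` includes the query string, so a page URL with a query appended fails the `$`-anchored pattern and is passed through unrestricted; testing `req.path` in both clauses would close that, provided nothing downstream depends on the current matching. The handler body continues past the end of this hunk.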