diff --git a/.gitignore b/.gitignore
index 47e21f1..35c289a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 pyvenv.cfg
 .python-version
 .coverage
+coverage.json
 *.egg-info
 *.log
 *.mo
@@ -9,6 +10,7 @@ pyvenv.cfg
 *.swp
 # dirs
 bin/
+share/
 buildout-cache/
 develop-eggs/
 eggs/
diff --git a/CHANGES.rst b/CHANGES.rst
index a26d441..2558133 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,10 @@ Changelog
 4.0.5 (unreleased)
 ------------------
 
+- Add X-ForceAuth header and iw.rejectanonymous
+  backport from 5.0.0 #48
+  [mamico]
+
 - Remove twitter feeds.
   [folix-01]
 
diff --git a/README.rst b/README.rst
index 815a6d5..1794d7b 100644
--- a/README.rst
+++ b/README.rst
@@ -178,6 +178,14 @@ e poi lanciare il buildout con ``bin/buildout``.
 
 Successivamente va installato dal pannello di controllo di Plone.
 
+Forzare autenticazione
+----------------------
+
+Se le richieste arrivano con un header X-ForceAuth Plone forza l'autenticazione per quelle richieste,
+il meccanismo è utile ad esempiop se si vuole fare accedere alla ZMI o alle interfacce Plone legacy
+senza però esporle pubblicamente.
+
+
 Test con Volto standalone
 -------------------------
 
diff --git a/base.cfg b/base.cfg
index b05e15b..4e1356b 100644
--- a/base.cfg
+++ b/base.cfg
@@ -99,6 +99,7 @@ mode = 755
 [versions]
 # Don't use a released version of design.plone.policy
 design.plone.policy =
+iw.rejectanonymous = 1.2.7
 
 [sources]
 # collective.volto.dropdownmenu = git https://github.com/collective/collective.volto.dropdownmenu.git pushurl=git@github.com:collective/collective.volto.dropdownmenu.git
diff --git a/setup.py b/setup.py
index 57d94c5..dd05da4 100644
--- a/setup.py
+++ b/setup.py
@@ -27,8 +27,8 @@
         "Framework :: Plone :: Addon",
         "Framework :: Plone :: 5.2",
         "Programming Language :: Python",
-        "Programming Language :: Python :: 3.6",
         "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
         "Operating System :: OS Independent",
         "License :: OSI Approved :: GNU General Public License v2 (GPLv2)",
     ],
@@ -63,6 +63,7 @@
         "rer.customersatisfaction>=1.1.0",
         "redturtle.faq",
         "redturtle.rssservice",
+        "iw.rejectanonymous",
     ],
     extras_require={
         "test": [
@@ -79,7 +80,5 @@
     entry_points="""
     [z3c.autoinclude.plugin]
     target = plone
-    [console_scripts]
-    update_locale = design.plone.policy.locales.update:update_locale
     """,
 )
diff --git a/src/design/plone/policy/configure.zcml b/src/design/plone/policy/configure.zcml
index b212548..1d36e86 100644
--- a/src/design/plone/policy/configure.zcml
+++ b/src/design/plone/policy/configure.zcml
@@ -43,4 +43,10 @@
       name="design.plone.policy-hiddenprofiles"
       />
 
+  <subscriber
+      for="Products.CMFCore.interfaces.ISiteRoot
+           zope.traversing.interfaces.IBeforeTraverseEvent"
+      handler=".rejectanonymous.insertRejectAnonymousHook"
+      />
+
 </configure>
diff --git a/src/design/plone/policy/rejectanonymous.py b/src/design/plone/policy/rejectanonymous.py
new file mode 100644
index 0000000..ead07a6
--- /dev/null
+++ b/src/design/plone/policy/rejectanonymous.py
@@ -0,0 +1,8 @@
+# -*- coding: utf-8 -*-
+from iw.rejectanonymous import rejectAnonymous
+
+
+def insertRejectAnonymousHook(portal, event):
+    """force authentication for request with X-ForceAuth header"""
+    if event.request.getHeader("X-ForceAuth"):
+        event.request.post_traverse(rejectAnonymous, (portal, event.request))