diff --git a/build.properties b/build.properties
index 3e6a8b20b..1278199c4 100644
--- a/build.properties
+++ b/build.properties
@@ -3,7 +3,7 @@ javacSource=1.5
 javacTarget=1.5
 
 # Release Configuration
-releaseVersion=0.584
+releaseVersion=0.585
 stdReleaseFile=yacy_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
 embReleaseFile=yacy_emb_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
 proReleaseFile=yacy_pro_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
diff --git a/defaults/yacy.init b/defaults/yacy.init
index 2594b7072..ce9705462 100644
--- a/defaults/yacy.init
+++ b/defaults/yacy.init
@@ -367,7 +367,7 @@ adminAccountBase64MD5=
 # if the admin account password is still empty after 10 minutes a random
 # password is generated an access is then ONLY from localhost, which will cause
 # inaccessibility for installations on headless servers.
-adminAccountForLocalhost=false
+adminAccountForLocalhost=true
 
 # if you are running a principal peer, you must update the following variables
 # The upload method that should be used to upload the seed-list file to
diff --git a/source/de/anomic/http/httpHeader.java b/source/de/anomic/http/httpHeader.java
index 749358e31..2306ffcea 100644
--- a/source/de/anomic/http/httpHeader.java
+++ b/source/de/anomic/http/httpHeader.java
@@ -60,6 +60,7 @@ import java.io.FileOutputStream;
 import java.io.FileReader;
 import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.URL;
 import java.text.Collator;
 import java.util.Date;
 import java.util.HashMap;
@@ -394,6 +395,17 @@ public final class httpHeader extends TreeMap<String, String> implements Map<Str
         return null;
     }
     
+    public String referer() {
+        return (String) get(httpHeader.REFERER, "");
+    }
+    
+    public String refererHost() {
+        String  refererHost = "";
+        String referer = referer();
+        if (referer.length() > 0) try { refererHost = (new URL(referer)).getHost(); } catch (MalformedURLException e) {}
+        return refererHost;
+    }
+    
     public String mime() {
         return (String) get(httpHeader.CONTENT_TYPE, "application/octet-stream");
     }
diff --git a/source/de/anomic/http/httpd.java b/source/de/anomic/http/httpd.java
index 3505141f1..718c92d0d 100644
--- a/source/de/anomic/http/httpd.java
+++ b/source/de/anomic/http/httpd.java
@@ -256,8 +256,7 @@ public final class httpd implements serverHandler {
     }
     
     /**
-     * This funciton is used to determine if a persistent connection was requested by the
-     * client.
+     * This function is used to determine if a persistent connection was requested by the client.
      * @param header the received http-headers
      * @return <code>true</code> if a persistent connection was requested or <code>false</code> otherwise
      */
@@ -300,7 +299,7 @@ public final class httpd implements serverHandler {
         if (authorization == null) return 1;
         //if (authorization.length() < 6) return 1; // no authentication information given
         String adminAccountBase64MD5 = sw.getConfig(ADMIN_ACCOUNT_B64MD5, "");
-        if (adminAccountBase64MD5.length() == 0) return 2; // no passwrd stored
+        if (adminAccountBase64MD5.length() == 0) return 2; // no password stored
         if (adminAccountBase64MD5.equals(serverCodings.encodeMD5Hex(authorization))) return 4; // hard-authenticated, all ok
         return 1;
     }
diff --git a/source/de/anomic/http/httpdFileHandler.java b/source/de/anomic/http/httpdFileHandler.java
index fbf9ab350..b6fc58448 100644
--- a/source/de/anomic/http/httpdFileHandler.java
+++ b/source/de/anomic/http/httpdFileHandler.java
@@ -304,7 +304,8 @@ public final class httpdFileHandler {
             int pos = path.lastIndexOf(".");
             
             boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
-            boolean accessFromLocalhost = clientIP.equals("localhost") || clientIP.startsWith("0:0:0:0:0:0:0:1");
+            String refererHost = requestHeader.refererHost();
+            boolean accessFromLocalhost = serverCore.isLocalhost(clientIP) && (refererHost.length() == 0 || serverCore.isLocalhost(refererHost));
             boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
             boolean protectedPage = (path.substring(0,(pos==-1)?path.length():pos)).endsWith("_p");
             boolean accountEmpty = adminAccountBase64MD5.length() == 0;
@@ -640,6 +641,7 @@ public final class httpdFileHandler {
                                 if (authorization != null) {
                                     serverLog.logInfo("HTTPD", "dynamic log-in for account 'admin' in http file handler for path '" + path + "' from host '" + clientIP + "'");
                                     Integer attempts = (Integer) serverCore.bfHost.get(clientIP);
+                                    if (attempts != null) try {Thread.sleep(1000 * attempts.intValue());} catch (InterruptedException e) {}
                                     if (attempts == null)
                                         serverCore.bfHost.put(clientIP, new Integer(1));
                                     else
diff --git a/source/de/anomic/plasma/plasmaSwitchboard.java b/source/de/anomic/plasma/plasmaSwitchboard.java
index abf2dcfd9..0504a3105 100644
--- a/source/de/anomic/plasma/plasmaSwitchboard.java
+++ b/source/de/anomic/plasma/plasmaSwitchboard.java
@@ -149,6 +149,7 @@ import de.anomic.plasma.parser.ParserException;
 import de.anomic.server.serverAbstractSwitch;
 import de.anomic.server.serverBusyThread;
 import de.anomic.server.serverCodings;
+import de.anomic.server.serverCore;
 import de.anomic.server.serverDomains;
 import de.anomic.server.serverFileUtils;
 import de.anomic.server.serverInstantBusyThread;
@@ -2264,7 +2265,8 @@ public final class plasmaSwitchboard extends serverAbstractSwitch<IndexingStack.
         
         // authorization for localhost, only if flag is set to grant localhost access as admin
         String clientIP = (String) header.get(httpHeader.CONNECTION_PROP_CLIENTIP, "");
-        boolean accessFromLocalhost = clientIP.equals("localhost") || clientIP.startsWith("0:0:0:0:0:0:0:1");
+        String refererHost = header.refererHost();
+        boolean accessFromLocalhost = serverCore.isLocalhost(clientIP) && (refererHost.length() == 0 || serverCore.isLocalhost(refererHost));
         if (getConfigBool("adminAccountForLocalhost", false) && accessFromLocalhost) return 3; // soft-authenticated for localhost
         
         // get the authorization string from the header
diff --git a/source/de/anomic/server/serverCore.java b/source/de/anomic/server/serverCore.java
index f238b3931..25356234c 100644
--- a/source/de/anomic/server/serverCore.java
+++ b/source/de/anomic/server/serverCore.java
@@ -196,10 +196,13 @@ public final class serverCore extends serverAbstractBusyThread implements server
         InetAddress uAddr = s.getInetAddress();
         if (uAddr.isAnyLocalAddress()) return "localhost";
         String cIP = uAddr.getHostAddress();
-        if (cIP.startsWith("0:0:0:0:0:0:0:1")) cIP = "localhost";
-        if (cIP.equals("127.0.0.1")) cIP = "localhost";
+        if (isLocalhost(cIP)) cIP = "localhost";
         return cIP;
     }
+    
+    public static final boolean isLocalhost(String hostname) {
+        return hostname.equals("localhost") || hostname.equals("127.0.0.1") || hostname.startsWith("0:0:0:0:0:0:0:1");
+    }
 
     // class initializer
     public serverCore(