diff --git a/tiddlers/content/labs/lab08/_Labs_08_Products.md b/tiddlers/content/labs/lab08/_Labs_08_Products.md index c8f4a7d..432962c 100644 --- a/tiddlers/content/labs/lab08/_Labs_08_Products.md +++ b/tiddlers/content/labs/lab08/_Labs_08_Products.md @@ -21,14 +21,23 @@ 5. Add the following to the constructor (below what is already here). ```java - get("/api/products/{id}", ctx -> { - String id = ctx.path("id").value(); - return productDao.searchById(id); - }); + get("/api/products/{id}", ctx -> { + String id = ctx.path("id").value(); + Product product = productDao.searchById(id); + + if(product == null) { + // no product with that ID found, so return a 404/Not Found error + return ctx.send(StatusCode.NOT_FOUND); + } else { + return product; + } + }); ``` The variable `ctx` holds the HTTP context which includes the request details. In this case we are extracting a path parameter named `id` out of the context. + If a non-existent ID is provided then the service should return a `404/Not Found` response rather than a null. + 6. Stop and run. Append a product ID for a product that exists in your database to the end of the URI in the browser. You should see the details for a that product appear in the browser. The ID that you added to the end of the URI becomes the `id` path parameter. diff --git a/tiddlers/content/labs/lab10/_Labs_10_Adding to the Cart.md.meta b/tiddlers/content/labs/lab10/_Labs_10_Adding to the Cart.md.meta index 72a56ab..12bb801 100644 --- a/tiddlers/content/labs/lab10/_Labs_10_Adding to the Cart.md.meta +++ b/tiddlers/content/labs/lab10/_Labs_10_Adding to the Cart.md.meta @@ -1,4 +1,5 @@ section: 4.1 tags: lab10 lab title: /Labs/10/Adding to the Cart +todo: Move items array creation into this mutation so that customer can still add to cart if they are not signed in type: text/x-markdown \ No newline at end of file 
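Review bot: the pasted snippet in step 5 now references `StatusCode.NOT_FOUND`, but nothing in the hunk tells the student to add `import io.jooby.StatusCode;` (the HTTP Authentication change later in this commit does import it explicitly); unless the class already has it, add the import line next to the snippet or the build breaks at the first copy-paste. The null check itself is the right fix: returning `null` from a Jooby handler gives the client an ambiguous response, while `return ctx.send(StatusCode.NOT_FOUND);` completes the response so nothing else is written. One more thing worth a sentence in the prose: `id` is taken straight from the path and passed to `productDao.searchById(id)` without any check, so say what the DAO does with an empty or malformed value (or reject it with a 400 before the lookup), otherwise step 6's "Append a product ID" instruction hides the only input validation the route has.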
diff --git a/tiddlers/content/reference/Web/_Reference_Web_HTTP Authentication.md b/tiddlers/content/reference/Web/_Reference_Web_HTTP Authentication.md index a81e957..431e5bc 100644 --- a/tiddlers/content/reference/Web/_Reference_Web_HTTP Authentication.md +++ b/tiddlers/content/reference/Web/_Reference_Web_HTTP Authentication.md 
@@ -6,15 +6,16 @@ * There is no authorisation --- if a user knows the URL for a page or API operation then they can navigate to it directly despite not signing in (a *path traversal* vulnerability) -We can fix these issues by adding a filter to the Jooby filter chain that checks the authentication for all requests. The advantage of using a filter is that our existing API (Jooby modules) does not need to be modified to add checks to all of the operations. - -We have made life more difficult for ourselves by combining both the web service and the web client into the same service. We have avoided some other security related problems by doing this (primarily Cross Origin Resource Sharing) . -Trying to get the auth process correct for both the service and the pages (and all the various dependencies of the pages) will be fiddly and mostly an exercise in frustration. We will get around this by only protecting the API --- the user will still be able to navigate directly to a page without authenticating but they will not see any data and will not be able to send data to the service so there should be no security problems caused by this (if you can think of a way to exploit this then let us know). +We can fix these issues by adding a filter to the Jooby filter chain that checks the authentication for all requests. The advantage of using a filter is that our existing API (the routes defined in the Jooby modules) does not need to be modified to add checks to all of the operations. We will be using HTTP Basic Access Authentication (BAA) which is the simplest form of token based authentication. Generally you will be using token based authentication when using web service APIs because all you need to do to authenticate every request is to make sure that the token has been added to each request (usually via a header). 
https://en.wikipedia.org/wiki/Basic_access_authentication +We are not able to easily secure the web pages or any of the other static assets (CSS, JavaScript, etc) since the browser is downloading these for us and we are not able to add authentication headers to the HTTP requests that are made by the browser --- we can only control the requests that we make via JavaScript using Axios or whatever HTTP library we are using. We can do this if we use the Vue router to manage the pages rather than using `window.location` for redirecting the browser, however this requires diving a lot deeper into the Vue ecosystem and we don't have sufficient time to cover that in this course. + +Not securing the static assets is not such a big problem --- all of the data that is being displayed is coming from the API, so if we protect the API then our site is still secure. + Note that most forms of token based authentication are **not** secure when using plain HTTP (*CSRF* vulnerability). You need to be using HTTPS if deploying a real system that uses token based authentication. We will show you how to add transport encryption (HTTPS) in lab 13. We will be managing the token and sign out functions ourselves rather than relying on the browser to do it, so the problems with cached credentials and signing out as mentioned in the BAA Wikipedia page are not going to be a problem here. @@ -51,6 +52,7 @@ import io.jooby.Extension; import io.jooby.Jooby; import io.jooby.StatusCode; + import io.jooby.exception.MissingValueException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -60,7 +62,11 @@ import java.util.regex.Pattern; /** - *
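Review bot: two of the vulnerability labels carried in this hunk are wrong and will teach the wrong vocabulary. The unchanged opening bullet calls reaching a URL without signing in a "*path traversal* vulnerability"; path traversal is the `../`-style escape out of a directory, whereas what is described is missing access control (forced browsing), so relabel it. The retained sentence "not secure when using plain HTTP (*CSRF* vulnerability)" conflates two separate issues: over plain HTTP the credentials in the `Authorization` header are readable and replayable by anyone on the path (interception), which HTTPS does fix; CSRF is the browser attaching credentials to a cross-site request automatically and is not fixed by HTTPS, so drop the `*CSRF*` parenthetical or explain it separately. On the added text: "the simplest form of token based authentication" is loose, since the Basic header carries base64 of `username:password`, not a token, and base64 is encoding, not encryption, which is the real reason HTTPS is mandatory; and the new claim that "if we protect the API then our site is still secure" should state the corollary explicitly, namely that the unprotected HTML, CSS and JavaScript are public and must therefore contain no secrets (no embedded credentials, keys or internal URLs the API relies on for protection).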
A Jooby extension that adds a HTTP Basic Access Authentication filter to the filter chain.
+ *A Jooby extension that adds a HTTP Basic Access Authentication filter to + * the filter chain.
+ * + *We intentionally omit sending a realm with the 401 response to stop the + * browser from trying to handle the authentication itself.
* *Install in Jooby using:
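Review bot: the new class comment says the realm is omitted from the 401 "to stop the browser from trying to handle the authentication itself", but browsers show the login dialog whenever they see a `WWW-Authenticate: Basic` challenge, with or without a `realm` parameter, so omitting only the realm will not achieve that. If the intent is no browser prompt, the Javadoc should say the filter sends the 401 with no `WWW-Authenticate` header at all, and note that this departs from RFC 7235 (which expects that header on every 401) and from RFC 7617 (which makes `realm` required for Basic), so that a later reader does not "fix" the missing header and reintroduce the dialog. It would also help to say what the JavaScript client is expected to do on the bare 401, since the lab text says token handling and sign-out are managed in the page rather than by the browser.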
* @@ -78,12 +84,16 @@ /** * @param validator The validator to use to check the credentials. - * @param protect A Set that contains paths that should be protected. Each path is a string that can include - * regular expressions.Example path:
/api/.*
- * @param exclude A Set that contains paths that should NOT be protected. Use this to exclude paths that would
- * otherwise be included via wildcard paths in the protect
set. Each path is a string
- * that can include regular expressions.
- * Any paths not included in either set will be ignored and not protected.
+ * @param protect A Set that contains paths that should be protected. Each + * path is a string that can include regular expressions. + *Example path:
/api/.*
+ * @param exclude A Set that contains paths that should NOT be protected.
+ * Use this to exclude paths that would otherwise be
+ * included via wildcard paths in the protect
+ * set. Each path is a string that can include regular
+ * expressions.
+ * Any paths not included in either set will be ignored + * and not protected.
*/ public BasicAccessAuth(CredentialsValidator validator, Set
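Review bot: the reflowed `protect`/`exclude` Javadoc still leaves the two behaviours a reader most needs unstated. First, precedence: a path can match both sets, and the doc should say which wins (presumably `exclude`, since its stated purpose is to carve holes out of wildcard `protect` entries, but say so). Second, anchoring: the earlier hunk shows `java.util.regex.Pattern` is in use, and the example `/api/.*` behaves differently under `matcher().find()` (which would also match `/foo/api/x`) and `matcher().matches()` (which only matches from the start), so state which is used or tell callers to anchor their patterns with `^` and `$`. Finally, the closing sentence "Any paths not included in either set will be ignored and not protected" documents an allow-by-default filter: a new route that is forgotten from `protect` is silently public, which is exactly the "no authorisation" problem this page opens with. A one-line warning to use a broad `protect` pattern and narrow `exclude` entries, or to consider inverting the default, belongs here.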