diff --git a/src/main/java/org/openautonomousconnection/oac2web/frontend/dashboard.java b/src/main/java/org/openautonomousconnection/oac2web/frontend/dashboard.java
index 035f1f7..2842c2c 100644
--- a/src/main/java/org/openautonomousconnection/oac2web/frontend/dashboard.java
+++ b/src/main/java/org/openautonomousconnection/oac2web/frontend/dashboard.java
@@ -42,6 +42,9 @@ public final class dashboard implements WebPage {
             return new WebResponsePacket(401, "text/plain", new HashMap<>(), Html.utf8("Invalid session user."));
         }
 
+        Oac2WebApp app = Oac2WebApp.get();
+        RegistrarDao dao = app.dao();
+
         String msg = null;
         String err = null;
 
@@ -50,9 +53,6 @@ public final class dashboard implements WebPage {
             String action = p.getOr("action", "").trim();
 
             try {
-                Oac2WebApp app = Oac2WebApp.get();
-                RegistrarDao dao = app.dao();
-
                 if ("create_infoname".equalsIgnoreCase(action)) {
                     String tln = p.get("tln");
                     String info = p.get("infoname");
@@ -90,6 +90,7 @@ public final class dashboard implements WebPage {
                         String value = p.get("value");
 
                         int ttl = p.getInt("ttl", 3600);
+
                         Integer priority = (p.get("priority") == null) ? null : p.getInt("priority", 0);
                         Integer port = (p.get("port") == null) ? null : p.getInt("port", 0);
                         Integer weight = (p.get("weight") == null) ? null : p.getInt("weight", 0);
@@ -110,12 +111,11 @@ public final class dashboard implements WebPage {
             }
         }
 
-        return render(ctx, userId, msg, err);
+        return render(userId, msg, err, dao);
     }
 
-    private WebResponsePacket render(WebPageContext ctx, int userId, String msg, String err) throws Exception {
-        Oac2WebApp app = Oac2WebApp.get();
-        RegistrarDao.InfoNameRow[] owned = app.dao().listOwnedInfoNames(userId);
+    private WebResponsePacket render(int userId, String msg, String err, RegistrarDao dao) throws Exception {
+        RegistrarDao.InfoNameRow[] owned = dao.listOwnedInfoNames(userId);
 
         StringBuilder list = new StringBuilder();
         if (owned.length == 0) {
@@ -151,7 +151,7 @@ public final class dashboard implements WebPage {
                   %s
 
                   <div class="row">
-                    <div class="col"><a href="/">Home</a></div>
+                    <div class="col"><a href="/ins/index.html">Home</a></div>
                   </div>
                 </div>
                 """.formatted(
@@ -164,12 +164,6 @@ public final class dashboard implements WebPage {
         String html = Html.page("Dashboard", body);
 
         Map<String, String> headers = new HashMap<>();
-        // keep the same session header visible to client, if needed
-        if (ctx.request.getHeaders() != null) {
-            String sess = ctx.request.getHeaders().get("session");
-            if (sess != null) headers.put("session", sess);
-        }
-
         return new WebResponsePacket(200, "text/html", headers, Html.utf8(html));
     }
 }
diff --git a/src/main/java/org/openautonomousconnection/oac2web/frontend/index.java b/src/main/java/org/openautonomousconnection/oac2web/frontend/index.java
index acadd4f..5cbe9be 100644
--- a/src/main/java/org/openautonomousconnection/oac2web/frontend/index.java
+++ b/src/main/java/org/openautonomousconnection/oac2web/frontend/index.java
@@ -21,9 +21,9 @@ public final class index implements WebPage {
                   <h2>OAC INS Registrar</h2>
                   <p class="muted">Server-side pages (oac2web). No extra endpoints.</p>
                   <div class="row">
-                    <div class="col"><a href="/login">Login</a></div>
-                    <div class="col"><a href="/register">Register</a></div>
-                    <div class="col"><a href="/dashboard">Dashboard</a></div>
+                    <div class="col"><a href="/ins/login">Login</a></div>
+                    <div class="col"><a href="/ins/register">Register</a></div>
+                    <div class="col"><a href="/ins/dashboard">Dashboard</a></div>
                   </div>
                   <p class="muted">POST parameters are expected via headers (e.g. <code>username</code>, <code>password</code>, <code>action</code>).</p>
                 </div>
diff --git a/src/main/java/org/openautonomousconnection/oac2web/frontend/login.java b/src/main/java/org/openautonomousconnection/oac2web/frontend/login.java
index 7fc0434..a293066 100644
--- a/src/main/java/org/openautonomousconnection/oac2web/frontend/login.java
+++ b/src/main/java/org/openautonomousconnection/oac2web/frontend/login.java
@@ -1,6 +1,8 @@
 package org.openautonomousconnection.oac2web.frontend;
 
-import org.openautonomousconnection.oac2web.utils.*;
+import org.openautonomousconnection.oac2web.utils.Oac2WebApp;
+import org.openautonomousconnection.oac2web.utils.RegistrarDao;
+import org.openautonomousconnection.oac2web.utils.Sha256;
 import org.openautonomousconnection.protocol.packets.v1_0_0.beta.web.WebResponsePacket;
 import org.openautonomousconnection.protocol.side.web.ProtocolWebServer;
 import org.openautonomousconnection.protocol.side.web.managers.SessionManager;
@@ -41,9 +43,9 @@ public final class login implements WebPage {
         }
 
         Oac2WebApp app = Oac2WebApp.get();
-        String usernameHash = Sha256.hex(username.trim());
 
-        RegistrarDao.UserRow u = app.dao().findUserByUsernameHash(usernameHash).orElse(null);
+        String usernameHashHex = Sha256.hex(username.trim());
+        RegistrarDao.UserRow u = app.dao().findUserByUsernameHash(usernameHashHex).orElse(null);
         if (u == null) return renderForm("Invalid credentials.");
 
         boolean ok = app.passwordHasher().verify(password, u.passwordEncoded());
@@ -59,7 +61,7 @@ public final class login implements WebPage {
 
         Map<String, String> headers = new HashMap<>();
         headers.put("session", session);
-        headers.put("location", "/dashboard");
+        headers.put("location", "/ins/dashboard");
         return new WebResponsePacket(302, "text/plain", headers, new byte[0]);
     }
 
@@ -70,8 +72,8 @@ public final class login implements WebPage {
                   %s
                   <p class="muted">Send a POST request with headers <code>username</code> and <code>password</code>.</p>
                   <div class="row">
-                    <div class="col"><a href="/register">Register</a></div>
-                    <div class="col"><a href="/">Home</a></div>
+                    <div class="col"><a href="/ins/register">Register</a></div>
+                    <div class="col"><a href="/ins/index.html">Home</a></div>
                   </div>
                 </div>
                 """.formatted(err == null ? "" : "<p class='err'>" + Html.esc(err) + "</p>");
diff --git a/src/main/java/org/openautonomousconnection/oac2web/frontend/register.java b/src/main/java/org/openautonomousconnection/oac2web/frontend/register.java
index 7df4aff..e4c9463 100644
--- a/src/main/java/org/openautonomousconnection/oac2web/frontend/register.java
+++ b/src/main/java/org/openautonomousconnection/oac2web/frontend/register.java
@@ -23,7 +23,7 @@ import java.util.Map;
  * - password
  *
  * Stores:
- * - users.username = sha256(username)
+ * - users.username = sha256(username) as HEX (64 chars)
  * - users.password = PBKDF2$sha256$...
  */
 @Route(path = "ins/register")
@@ -32,7 +32,7 @@ public final class register implements WebPage {
     @Override
     public WebResponsePacket handle(WebPageContext ctx) throws Exception {
         if (ctx.request.getMethod() != WebRequestMethod.POST) {
-            return renderForm(null, null);
+            return renderForm(null);
         }
 
         RequestParams p = new RequestParams(ctx.request);
@@ -41,16 +41,16 @@ public final class register implements WebPage {
         String password = p.get("password");
 
         if (username == null || username.isBlank() || password == null || password.isBlank()) {
-            return renderForm("Missing username/password (send via headers).", null);
+            return renderForm("Missing username/password (send via headers).");
         }
 
         Oac2WebApp app = Oac2WebApp.get();
 
-        String usernameHash = Sha256.hex(username.trim());
+        String usernameHashHex = Sha256.hex(username.trim());
         String passwordEnc = app.passwordHasher().hash(password);
 
         try {
-            int userId = app.dao().createUser(usernameHash, passwordEnc);
+            int userId = app.dao().createUser(usernameHashHex, passwordEnc);
 
             String ip = (ctx.client.getConnection().getSocket() != null && ctx.client.getConnection().getSocket().getInetAddress() != null)
                     ? ctx.client.getConnection().getSocket().getInetAddress().getHostAddress()
@@ -58,37 +58,31 @@ public final class register implements WebPage {
 
             String ua = ctx.request.getHeaders() != null ? ctx.request.getHeaders().getOrDefault("user-agent", "") : "";
 
-            // SessionManager user string: we store numeric users.id as string.
             String session = SessionManager.create(String.valueOf(userId), ip, ua, (ProtocolWebServer) ctx.client.getServer());
 
             Map<String, String> headers = new HashMap<>();
             headers.put("session", session);
-            headers.put("location", "/dashboard");
+            headers.put("location", "/ins/dashboard");
 
             return new WebResponsePacket(302, "text/plain", headers, new byte[0]);
 
         } catch (Exception e) {
-            // likely UNIQUE violation on users.username (hashed)
-            return renderForm("Register failed: " + e.getMessage(), null);
+            return renderForm("Register failed: " + e.getMessage());
         }
     }
 
-    private WebResponsePacket renderForm(String err, String ok) {
+    private WebResponsePacket renderForm(String err) {
         String body = """
                 <div class="card">
                   <h2>Register</h2>
                   %s
-                  %s
                   <p class="muted">Send a POST request with headers <code>username</code> and <code>password</code>.</p>
                   <div class="row">
-                    <div class="col"><a href="/login">Login</a></div>
-                    <div class="col"><a href="/">Home</a></div>
+                    <div class="col"><a href="/ins/login">Login</a></div>
+                    <div class="col"><a href="/ins/index.html">Home</a></div>
                   </div>
                 </div>
-                """.formatted(
-                err == null ? "" : "<p class='err'>" + Html.esc(err) + "</p>",
-                ok == null ? "" : "<p class='ok'>" + Html.esc(ok) + "</p>"
-        );
+                """.formatted(err == null ? "" : "<p class='err'>" + Html.esc(err) + "</p>");
 
         String html = Html.page("Register", body);
         return new WebResponsePacket(200, "text/html", new HashMap<>(), Html.utf8(html));
diff --git a/src/main/java/org/openautonomousconnection/oac2web/utils/Pbkdf2PasswordHasher.java b/src/main/java/org/openautonomousconnection/oac2web/utils/Pbkdf2PasswordHasher.java
index 77ba4d7..118e91b 100644
--- a/src/main/java/org/openautonomousconnection/oac2web/utils/Pbkdf2PasswordHasher.java
+++ b/src/main/java/org/openautonomousconnection/oac2web/utils/Pbkdf2PasswordHasher.java
@@ -7,9 +7,8 @@ import java.util.Objects;
 
 /**
  * PBKDF2 password hashing (PBKDF2WithHmacSHA256).
- *
  * Storage format:
- * PBKDF2$sha256$<iterations>$<saltHex>$<hashHex>
+ * {@code PBKDF2$sha256$ITERATIONS$SALT_HEX$HASH_HEX}
  */
 public final class Pbkdf2PasswordHasher {