Hi All,
As reported here: https://community.nodebb.org/topic/12013/securing-nodebb-with-a-ssl-aws-linux2-letsencrypt-nginx-exploits
I wanted to make the forum private (no guests). Did everything listed here: https://community.nodebb.org/topic/2371/faq-how-to-make-your-forum-private and included JS that checks if the UUID==0 and kicks the user to the login page.
Unfortunately, the login page incorporates breadcrumb (I did not find anything in the ACP that allows removal thereof). Clicking home, loaded the home page from the cache (if existed). From the home page, all the site may be browsed even-though the user was logged out.
See for yourself - try to log out and in the login page simply press "home" on the breadcrumb 
Anyway it took some time, but I figured out how to fix this.
- Create a customized welcome page
- Create links in the welcome page to the site (into categories etc.).
The customized page will not have breadcrumb (that's good news).
Now for the fun part (hack hack hack):
The href string should take the following form:
<a onclick="window.location='/categories?t=' + Date.now();return false;" href="#">name of link</a>
A click on the link will generate a new href string that will not exist in the cache. The server will invalidate the request (returning the proper UUID=0) and the client will revert the user back to the login page.
Now, during my hacking I did find that the UUID is basically a counter. That is the UUID is not hashed. That's not promising... 
Will dig in further...
Have fun!
JJ.