Security FAQ

The built-in PageCatalog and ServiceStatus pages are visible in my production application and I don't want them to be. What can I do?

First of all, don't panic: these pages are marked with the @WhitelistAccessOnly annotation, which makes them invisible to clients that are not on the whitelist. Try accessing the page from a different workstation and you may find that the pages are not visible after all.

Sometimes, in production, a firewall or proxy may make it look like the client web browser originates from localhost; in that situation, you may want to disable the logic that puts localhost onto the whitelist. This determination is made by the contributions to the ClientWhitelist service. Tapestry makes a contribution with id "LocalhostOnly", which one of your modules can override:
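As an added example (not code from the original page or from the Tapestry project), the module below overrides the "LocalhostOnly" contribution with an analyzer that accepts loopback clients only when the request was not relayed by a proxy. The names AppModule and DirectLocalhostAnalyzer are hypothetical, and the check assumes your proxy adds an X-Forwarded-For header to every request it forwards.

```java
// Hypothetical application module. Imports assume Tapestry 5.3-5.6 package
// names (5.7+ moved OrderedConfiguration to org.apache.tapestry5.commons
// and Request to org.apache.tapestry5.http.services).
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Contribute;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.security.ClientWhitelist;
import org.apache.tapestry5.services.security.WhitelistAnalyzer;
import org.apache.tapestry5.services.security.WhitelistOutcome;

public class AppModule
{
    /** Accepts loopback clients only when no proxy relayed the request. */
    static class DirectLocalhostAnalyzer implements WhitelistAnalyzer
    {
        public WhitelistOutcome analyze(Request request)
        {
            // Assumption: the reverse proxy adds X-Forwarded-For to every
            // request it relays, so its presence means a remote client.
            // A client that forges the header only loses access here.
            if (request.getHeader("X-Forwarded-For") != null)
                return WhitelistOutcome.DEFER;

            String host = request.getRemoteHost();
            boolean loopback = "localhost".equals(host)
                    || "127.0.0.1".equals(host)
                    || "::1".equals(host)
                    || "0:0:0:0:0:0:0:1".equals(host);

            // DEFER leaves the decision to any other contributed analyzer.
            return loopback ? WhitelistOutcome.ACCEPT : WhitelistOutcome.DEFER;
        }
    }

    @Contribute(ClientWhitelist.class)
    public static void replaceLocalhostOnly(
            OrderedConfiguration<WhitelistAnalyzer> configuration)
    {
        // Replace the built-in "LocalhostOnly" contribution. Passing null
        // instead of an analyzer drops the localhost rule entirely.
        configuration.override("LocalhostOnly", new DirectLocalhostAnalyzer());
    }
}
```

After deploying the override, request PageCatalog through the proxy and directly on the server to confirm that only the direct request is served.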