Ongoing
According to the Repology Hugo badges, the latest packaged Hugo is .
2023-December-30
As of today, this evolving[1] article has been on the web for
In Hugo v0.91.0 and newer, you can specify a project’s security policy in a config file. Details are at gohugo.io/about/security-model/.
In March 2024, Hugo’s default security settings include the following.
security:
  enableInlineShortcodes: false
  exec:
    allow:
    - ^(dart-)?sass(-embedded)?$
    - ^go$
    - ^npx$
    - ^postcss$
    osEnv:
    - (?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$
  funcs:
    getenv:
    - ^HUGO_
    - ^CI$
  http:
    mediaTypes: null
    methods:
    - (?i)GET|POST
    urls:
    - .*
To view a Hugo project’s current security settings, run one of the following commands from the root of the project.
hugo config
hugo config | more
hugo config | less
hugo config | grep security
To view the most up-to-date default security settings, go to gohugo.io/about/security-model/#security-policy.
For Infinite Ink’s Hugo project, I’ve changed some of the above default security settings to the following.
ℹ The value none, which is used in the above two emphasized lines, blocks everything.
Details are below.
enableInlineShortcodes
To learn about line 2’s enableInlineShortcodes, see Infinite Ink’s Hugo Shortcodes.
exec.allow
The Infinite Ink Hugo project needs lines 5 and 6 because both asciidoctor and pandoc are used as external[2] markup renderers. None of dart-sass-embedded, go, npx, and postcss are used by the Infinite Ink project, so I do not specify these (which are part of Hugo’s default security policy) here.
exec.osEnv
Because of Asciidoctor or Scoop[3] issues, I specify .* (which is a regular expression that matches everything) in line 8. There probably is a less extreme way to solve my issues and when I figure that out, I’ll write about it in this article.
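To see what the .* setting changes in practice, the following added example (not code from this article or from Hugo) models allowlist evaluation in Go, whose regexp syntax these patterns use, and compares the default exec.osEnv pattern, .* and none against a constructed list of variable names. The accept and passed helpers and the sample names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Default exec.osEnv pattern, copied from the policy listed above.
const defaultOsEnv = `(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$`

// accept is a simplified model (an assumption, not Hugo's source) of how a
// policy list is evaluated: "none" blocks everything, otherwise any match accepts.
func accept(patterns []string, name string) bool {
	for _, p := range patterns {
		if p == "none" {
			return false
		}
	}
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(name) {
			return true
		}
	}
	return false
}

// passed returns the names from env that the list would let through.
func passed(patterns []string, env []string) []string {
	var out []string
	for _, name := range env {
		if accept(patterns, name) {
			out = append(out, name)
		}
	}
	return out
}

// Constructed sample environment; the secret-looking names are illustrative.
var sampleEnv = []string{"PATH", "HOME", "GOPATH", "http_proxy", "INFINITEINKROOT", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN"}

func main() {
	fmt.Println("default:", passed([]string{defaultOsEnv}, sampleEnv))
	fmt.Println(".*     :", passed([]string{".*"}, sampleEnv))
	fmt.Println("none   :", passed([]string{"none"}, sampleEnv))
}
```

With .*, every variable in the build environment, including any credentials set in the shell or CI job, matches the list that governs what the external renderers permitted by exec.allow may see.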
funcs.getenv
Since I have an environment variable named INFINITEINKROOT that I use in Infinite Ink’s Hugo layout files, I specify it in line 11. Since I do not use any environment variable that starts with HUGO_, I do not specify that here.
http.methods and http.urls
Since the Infinite Ink website does not currently use HTTP to get or post remote data, I specify the value none for these config options.
For more about Hugo, see Infinite Ink’s…
🔗 Linkified Section Headings in Hugo-Generated Web Pages (featuring Markdown and AsciiDoc examples)
TGIH: Themeless & Gitless Introduction to the Hugo SSG (a Hugo tutorial👩🏫)
Calling a Hugo Partial from a Hugo Shortcode (featuring “Share on Mastodon” code)
Compare Hugo’s Markup Languages (featuring a renderas shortcode)⚖️
Variable and Parameter Names in Hugo (featuring camelCase🐫 and snake_case🐍)
“Edit This Page” With vscode:// URIs (featuring a Hugo partial)
Hugo’s .RenderString Method (featuring AsciiDoc admonitions in Markdown)
Transforming Text with Hugo (featuring plainify, htmlUnescape, and more)
hugo, pandoc, and ruby with Scoop. To learn about Scoop, see Infinite Ink’s Scoop: A Windows Package Manager (featuring Hugo, Figlet, and Ruby).