Configuring Security in Hugo (featuring settings needed to use Asciidoctor, Pandoc, and Scoop-⁠installed apps)
Updated  2022-January-10

Page contents

News

2021-December-30  Published this evolving⁠[1] article.

 

Introduction

In Hugo v0.91.0 and newer, you can specify a security policy in a project’s config file. Details are at gohugo.io/about/security-model/.

 

Default config.yaml security section

In Hugo v0.91.2, the following is the default config.yaml security section (struct).

security:
  enableInlineShortcodes: false
  exec:
    allow:
    - ^dart-sass-embedded$
    - ^go$
    - ^npx$
    - ^postcss$
    osEnv:
    - (?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$
  funcs:
    getenv:
    - ^HUGO_
  http:
    methods:
    - (?i)GET|POST
    urls:
    - .*

 

To view the most up-to-date default config.yaml, config.toml, and config.json, go to gohugo.io/about/security-model/#security-policy.

 

Infinite Ink’s config.yaml security section

For the Infinite Ink Hugo project, I’ve changed some of the above default security settings to the following.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

security:
  enableInlineShortcodes: true
  exec:
    allow:
    - ^asciidoctor
    - ^pandoc
    osEnv:
    - .*
  funcs:
    getenv:
    - ^INFINITEINKROOT$

 

Details are below.

 

enableInlineShortcodes

To learn about line 2’s enableInlineShortcodes, see Infinite Ink’s Hugo Shortcodes.

 

exec.allow

The Infinite Ink Hugo project needs lines 5 and 6 because both asciidoctor and pandoc are used as external⁠[2] markup renderers.

None of dart-sass-embedded, go, npx, and postcss are used by the Infinite Ink project so I do not specify these, which are part of Hugo’s default security policy, here.

 

exec.osEnv

Because of Scoop⁠[3] issues, I specify .* (which is a regular expression that matches everything) in line 8. There probably is a less extreme way to solve my Scoop issues and when I figure that out, I’ll write about it on this page.

 

funcs.getenv

Since I have an environment variable named INFINITEINKROOT that I use in Infinite Ink’s Hugo layout files, I specify it in line 11.

Since I do not use any HUGO_ environment variables, I do not specify that here.

 

See also

For more about Hugo, see Infinite Ink’s…

 

Endnotes

1. Many Infinite Ink articles, including this one, are evergreen and regularly updated.
2. To learn about Hugo’s built-in and external markup renderers, see Infinite Ink’s Hugo’s Markup Languages: AsciiDoc, HTML, Markdown, Org-mode, Pandoc, & reStructuredText.
3. I install and update hugo, pandoc, and ruby with Scoop. To learn about Scoop, see Infinite Ink’s Scoop: A Windows Package Manager (featuring Hugo, Figlet, and Ruby+Asciidoctor examples).

Comments and questions 📝 👍 👎 🤔

Your public comment or question might immediately improve this page or help me to (eventually) improve this page.