Configuring Security in Hugo (featuring settings needed to use Asciidoctor, Pandoc, and Scoop-⁠installed apps)
Updated  2022-January-10

News

2021-December-30  Published this evolving⁠[1] article.

 

Introduction

In Hugo v0.91.0 and newer, you can specify a security policy in a project’s config file. Details are at gohugo.io/about/security-model/.

 

Default config.yaml security section

In Hugo v0.91.2, the following is the default config.yaml security section (struct).

security:
  enableInlineShortcodes: false
  exec:
    allow:
    - ^dart-sass-embedded$
    - ^go$
    - ^npx$
    - ^postcss$
    osEnv:
    - (?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$
  funcs:
    getenv:
    - ^HUGO_
  http:
    methods:
    - (?i)GET|POST
    urls:
    - .*

 

To view the most up-to-date default config.yaml, config.toml, and config.json, go to gohugo.io/about/security-model/#security-policy.

 

Infinite Ink’s config.yaml security section

For the Infinite Ink Hugo project, I’ve changed some of the above default security settings to the following.

 1  security:
 2    enableInlineShortcodes: true
 3    exec:
 4      allow:
 5      - ^asciidoctor
 6      - ^pandoc
 7      osEnv:
 8      - .*
 9    funcs:
10      getenv:
11      - ^INFINITEINKROOT$

 

Details are below.

 

enableInlineShortcodes

To learn about line 2’s enableInlineShortcodes, see Infinite Ink’s Hugo Shortcodes.

 

exec.allow

The Infinite Ink Hugo project needs lines 5 and 6 because both asciidoctor and pandoc are used as external⁠[2] markup renderers.

None of dart-sass-embedded, go, npx, and postcss are used by the Infinite Ink project, so I do not specify these (which are part of Hugo’s default security policy) here.

 

exec.osEnv

Because of Scoop⁠[3] issues, I specify .* (which is a regular expression that matches everything) in line 8. There probably is a less extreme way to solve my Scoop issues, and when I figure that out, I’ll write about it on this page.

 

funcs.getenv

Since I have an environment variable named INFINITEINKROOT that I use in Infinite Ink’s Hugo layout files, I specify it in line 11.

Since I do not use any HUGO_ environment variables, I do not specify that here.
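
The following Go program is an added example, not part of the original article and not Hugo's own code: it checks which names the pattern lists shown above admit, next to the default osEnv list. It assumes an entry admits a name when the regular expression matches anywhere in it (Go regexp semantics); the strictExec list and all sample names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowed reports whether any pattern in the list matches name.
// Assumption: a list entry admits a name when the regular expression
// matches anywhere in it, so only ^ and $ pin the start and the end.
func allowed(patterns []string, name string) bool {
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(name) {
			return true
		}
	}
	return false
}

// admitted returns the candidates that a pattern list lets through.
func admitted(patterns, candidates []string) []string {
	var out []string
	for _, c := range candidates {
		if allowed(patterns, c) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Pattern lists copied from the two config.yaml sections on this page.
	pageExec := []string{`^asciidoctor`, `^pandoc`}
	pageOsEnv := []string{`.*`}
	defaultOsEnv := []string{`(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$`}
	// Hypothetical tightened variant using the end anchor the defaults use.
	strictExec := []string{`^asciidoctor$`, `^pandoc$`}

	// Constructed sample names, not taken from any real system.
	exes := []string{"asciidoctor", "asciidoctor-pdf", "pandoc", "pandoc-helper", "go"}
	envs := []string{"PATH", "Path", "TEMP", "SCOOP", "EXAMPLE_API_TOKEN"}

	fmt.Println("exec.allow (page):  ", admitted(pageExec, exes))
	fmt.Println("exec.allow (strict):", admitted(strictExec, exes))
	fmt.Println("osEnv (page):       ", admitted(pageOsEnv, envs))
	fmt.Println("osEnv (default):    ", admitted(defaultOsEnv, envs))
}
```

Without a trailing $, ^asciidoctor and ^pandoc also admit longer names that begin with those strings, and .* in osEnv admits every variable name, including ones the default list would keep from external processes.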

 

Endnotes


1. Many Infinite Ink articles, including this one, are evergreen and regularly updated.
2. To learn about Hugo’s built-in and external markup renderers, see Infinite Ink’s Hugo’s Markup Languages: AsciiDoc, HTML, Markdown, Org-mode, Pandoc, & reStructuredText.
3. I install and update hugo, pandoc, and ruby with Scoop. To learn about Scoop, see Infinite Ink’s Scoop: A Windows Package Manager (featuring Hugo, Figlet, and Ruby+Asciidoctor examples).
