hugo config hugo config | more hugo config | less hugo config | grep security
Page contents
News
Ongoing
According to
Repology,
the latest
packaged Hugo
is
.
2021-December-30 Published this evolving[1] article.
Introduction
In Hugo v0.91.0 and newer, you can specify a security policy in a project’s config file. Details are at gohugo.io/about/security-model/.
Default config.yaml security block
The following is Hugo’s default config.yaml security block.[2]
# Below is Hugo's default YAML security block.
security:
enableInlineShortcodes: false
exec:
allow:
- ^dart-sass-embedded$
- ^go$
- ^npx$
- ^postcss$
osEnv:
- (?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$
funcs:
getenv:
- ^HUGO_
http:
methods:
- (?i)GET|POST
urls:
- .*
To view your Hugo project’s current security settings, run one of the following commands from the root of your project.
To view the most up-to-date default security block, go to gohugo.io/about/security-model/#security-policy.
Infinite Ink’s config.yaml security block
For Infinite Ink’s Hugo project, I’ve changed some of the above default security settings to the following.
| |
ℹ | The
value none
in the above two emphasized lines
blocks everything. |
Details are below.
enableInlineShortcodes
To learn about
line 2’s
enableInlineShortcodes,
see Infinite Ink’s
Hugo Shortcodes.
exec.allow
The Infinite Ink Hugo project
needs lines 5 and 6 because
both
asciidoctor
and
pandoc
are used as external[3]
markup renderers.
None of
dart-sass-embedded,
go,
npx,
and
postcss
are used by the Infinite Ink project so I do not specify
these
(which are part of Hugo’s default security policy)
here.
exec.osEnv
Because of
Scoop[4]
issues, I specify
.* (which is a regular expression that matches everything)
in line 8.
There
probably
is
a less extreme way to solve my Scoop issues
and when I figure that out, I’ll
write about it
in this article.
funcs.getenv
Since
I have an environment variable named INFINITEINKROOT
that
I use
in Infinite Ink’s Hugo layout files,
I specify it in line 11.
Since I do not use any
environment variable
that starts with
HUGO_,
I
do not
specify
that here.
http.methods and http.urls
Since
the Infinite Ink website does not
currently
use HTTP to
get or post
remote data,
I
specify
the value
none
for these
config options.
See also
For more about Hugo, see Infinite Ink’s…
A Way to Compare Hugo’s Markup Languages (featuring inline footnotes)
Hugo’s
.RenderStringMethod (featuring AsciiDoc admonitions in Markdown and Go HTML)Variable and Parameter Names in Hugo (featuring camelCase🐫 and snake_case🐍)
Hugo’s Markup Languages: AsciiDoc, HTML, Markdown,
Org-mode, Pandoc, and reStructuredTextHugo Tutorial: Themeless & Gitless Introduction to the Hugo SSG
🔗 Linkified Section Headings in Hugo-Generated Web Pages (featuring Markdown and AsciiDoc examples)
2. This type of YAML block is sometimes called a struct.
3. To learn about Hugo’s built-in and external markup renderers, see Infinite Ink’s Hugo’s Markup Languages: AsciiDoc, HTML, Markdown, Org-mode, Pandoc, and reStructuredText.
4. On Windows, I install and update
hugo, pandoc, and ruby with Scoop. To learn about Scoop, see Infinite Ink’s Scoop: A Windows Package Manager (featuring Hugo, Figlet, and Ruby examples).