
Configuring Security in Hugo (featuring settings needed to use Asciidoctor and Pandoc)
Updated  2022-September-13


News

Ongoing  For the newest packaged version of Hugo, see Repology. To keep up with Hugo releases, see github.com/gohugoio/hugo/releases, discourse.gohugo.io/c/announcements, or twitter.com/@GoHugoIO.

2021-December-30  Published this evolving[1] article.


Introduction

In Hugo v0.91.0 and newer, you can specify a security policy in a project’s config file. Details are at gohugo.io/about/security-model/.


Default config.yaml security block

The following is Hugo’s default config.yaml security block.[2]

# Below is Hugo's default YAML security block.
security:
  enableInlineShortcodes: false
  exec:
    allow:
    - ^dart-sass-embedded$
    - ^go$
    - ^npx$
    - ^postcss$
    osEnv:
    - (?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$
  funcs:
    getenv:
    - ^HUGO_
  http:
    methods:
    - (?i)GET|POST
    urls:
    - .*


To view your Hugo project’s current security settings, run one of the following commands from the root of your project.

hugo config
hugo config | more
hugo config | less
hugo config | grep security

To view the most up-to-date default security block, go to gohugo.io/about/security-model/#security-policy.


Infinite Ink’s config.yaml security block

For Infinite Ink’s Hugo project, I’ve changed some of the above default security settings to the following.

 1 security:
 2   enableInlineShortcodes: true
 3   exec:
 4     allow:
 5     - ^asciidoctor
 6     - ^pandoc
 7     osEnv:
 8     - .*
 9   funcs:
10     getenv:
11     - ^INFINITEINKROOT$
12   http:
13     methods:
14     - none
15     urls:
16     - none


The value none in lines 14 and 16 above blocks all HTTP methods and all URLs.

Details are below.


enableInlineShortcodes

To learn about line 2’s enableInlineShortcodes, see Infinite Ink’s Hugo Shortcodes.


exec.allow

The Infinite Ink Hugo project needs lines 5 and 6 because both asciidoctor and pandoc are used as external[3] markup renderers.

None of dart-sass-embedded, go, npx, and postcss is used by the Infinite Ink project, so I do not specify them here, even though they are part of Hugo’s default security policy.


exec.osEnv

Because of Scoop[4] issues, I specify .* (a regular expression that matches everything) in line 8. There probably is a less extreme way to solve my Scoop issues, and when I figure that out, I’ll write about it in this article.


funcs.getenv

Since I have an environment variable named INFINITEINKROOT that I use in Infinite Ink’s Hugo layout files, I specify it in line 11.

Since I do not use any environment variable that starts with HUGO_, I do not specify that here.


http.methods and http.urls

Since the Infinite Ink website does not currently use HTTP to get or post remote data, I specify the value none for these config options.
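To see what the three lists in the block above actually permit, here is an added Go example that is not part of the original article and not Hugo's or Infinite Ink's code. It models the matching rules as an assumption (each entry is a regular expression searched against the name being checked; the literal none denies everything) and then evaluates the exec, getenv, and http.urls lists from lines 5, 6, 11, and 16 against sample names.

```go
package main

import (
	"fmt"
	"regexp"
)

// Whitelist models one Hugo security list: regexps matched against a name,
// or the literal "none", which denies everything. Added example, not Hugo's code.
type Whitelist struct {
	acceptNone bool
	patterns   []*regexp.Regexp
}

func NewWhitelist(patterns ...string) Whitelist {
	w := Whitelist{}
	for _, p := range patterns {
		if p == "none" {
			return Whitelist{acceptNone: true}
		}
		w.patterns = append(w.patterns, regexp.MustCompile(p))
	}
	return w
}

// Accept reports whether name passes the list. Matching is a regexp
// search, so "^asciidoctor" also accepts "asciidoctor-pdf", while
// the fully anchored "^INFINITEINKROOT$" accepts exactly that name.
func (w Whitelist) Accept(name string) bool {
	if w.acceptNone {
		return false
	}
	for _, p := range w.patterns {
		if p.MatchString(name) {
			return true
		}
	}
	return false
}

// The three lists from Infinite Ink's block above.
var (
	IIExecAllow = NewWhitelist("^asciidoctor", "^pandoc")
	IIGetenv    = NewWhitelist("^INFINITEINKROOT$")
	IIHTTPURLs  = NewWhitelist("none")
)

func main() {
	fmt.Println("exec asciidoctor-pdf:", IIExecAllow.Accept("asciidoctor-pdf"), "npx:", IIExecAllow.Accept("npx"))
	fmt.Println("getenv HUGO_ENV:", IIGetenv.Accept("HUGO_ENV"), "http:", IIHTTPURLs.Accept("https://example.com"))
}
```

Patterns without a trailing $ accept any name that begins with the prefix, which is worth keeping in mind when you widen a list for a tool like Scoop that installs shims with suffixes.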

Endnotes


1. Many Infinite Ink articles, including this one, are evergreen and regularly updated.
2. This type of YAML block is sometimes called a struct.
3. To learn about Hugo’s built-in and external markup renderers, see Infinite Ink’s Hugo’s Markup Languages: AsciiDoc, HTML, Markdown, Org-mode, Pandoc, and reStructuredText.
4. On Windows, I install and update hugo, pandoc, and ruby with Scoop. To learn about Scoop, see Infinite Ink’s Scoop: A Windows Package Manager (featuring Hugo, Figlet, and Ruby examples).
