Configuring Security in Hugo (featuring settings needed to use Asciidoctor and Pandoc)
Updated 2022-June-18

Page contents

News
Introduction
Default config.yaml security block
Infinite Ink’s config.yaml security block
See also
Endnotes

News

Ongoing According to Repology, the latest packaged Hugo is version . To keep up with Hugo releases, see github.com/gohugoio/hugo/releases, discourse.gohugo.io/c/announcements, or twitter.com/@GoHugoIO.

2021-December-30 Published this evolving⁠^[1] article.

Introduction

In Hugo v0.91.0 and newer, you can specify a security policy in a project’s config file. Details are at gohugo.io/about/security-model/.

Default config.yaml security block

In Hugo v0.94.2, the following is the default config.yaml security block (aka struct).

security:
  enableInlineShortcodes: false
  exec:
    allow:
    - ^dart-sass-embedded$
    - ^go$
    - ^npx$
    - ^postcss$
    osEnv:
    - (?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$
  funcs:
    getenv:
    - ^HUGO_
  http:
    methods:
    - (?i)GET|POST
    urls:
    - .*

To view your Hugo project’s current security settings, run one of the following from the root of your project.

hugo config
hugo config | more
hugo config | less
hugo config | grep security

To view the most up-to-date default security block, go to gohugo.io/about/security-model/#security-policy.

Infinite Ink’s config.yaml security block

For Infinite Ink’s Hugo project, I’ve changed some of the above default security settings to the following.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
security:
  enableInlineShortcodes: true
  exec:
    allow:
    - ^asciidoctor
    - ^pandoc
    osEnv:
    - .*
  funcs:
    getenv:
    - ^INFINITEINKROOT$

Details are below.

`enableInlineShortcodes`

To learn about line 2’s enableInlineShortcodes, see Infinite Ink’s Hugo Shortcodes.

`exec.allow`

The Infinite Ink Hugo project needs lines 5 and 6 because both asciidoctor and pandoc are used as external⁠^[2] markup renderers.

None of dart-sass-embedded, go, npx, and postcss are used by the Infinite Ink project so I do not specify these (which are part of Hugo’s default security policy) here.

Because of Scoop⁠^[3] issues, I specify .* (which is a regular expression that matches everything) in line 8. There probably is a less extreme way to solve my Scoop issues and when I figure that out, I’ll write about it in this article.

`funcs.getenv`

Since I have an environment variable named INFINITEINKROOT that I use in Infinite Ink’s Hugo layout files, I specify it in line 11.

Since I do not use any environment variable that starts with HUGO_, I do not specify that here.⁠ ◊

Endnotes

1. Many Infinite Ink articles, including this one, are evergreen and regularly updated.

2. To learn about Hugo’s built-in and external markup renderers, see Infinite Ink’s Hugo’s Markup Languages: AsciiDoc, HTML, Markdown, Org-mode, Pandoc, and reStructuredText.

3. On Windows, I install and update hugo, pandoc, and ruby with Scoop. To learn about Scoop, see Infinite Ink’s Scoop: A Windows Package Manager (featuring Hugo, Figlet, and Ruby+Asciidoctor examples).

Comments and questions 📝 🤔 👎 👍

Your public comment or question might immediately improve this page or help me to (eventually) improve this page.

💡	To view or post comments, enable JavaScript in your web browser.

Configuring Security in Hugo (featuring settings needed to use Asciidoctor and Pandoc) Updated 2022-June-18

Configuring Security in Hugo (featuring settings needed to use Asciidoctor and Pandoc)
Updated 2022-June-18