hugo/docs/content/en/about/security-model/index.md

---
title: Hugo's Security Model
description: A summary of Hugo's security model.
date: 2019-10-01
layout: single
keywords: ["Security", "Privacy"]
menu:
  docs:
    parent: "about"
    weight: 4
weight: 5
sections_weight: 5
draft: false
aliases: [/security/]
toc: true
---

## Runtime Security

Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that you integrate with.

But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).

**Hugo's main approach is that of sandboxing:**

* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
* Only the main project can walk symbolic links.
* User-defined components have only read-access to the filesystem.
* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined. General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.

Hugo will soon introduce a concept of _Content Source Plugins_ (AKA _Pages from Data_), but the above will still hold true.

## Dependency Security

Hugo builds as a static binary using [Go Modules](https://github.com/golang/go/wiki/Modules) to manage its dependencies. Go Modules have several safeguards, one of them being the `go.sum` file. This is a database of the expected cryptographic checksums of all of your dependencies, including any transitive.

[Hugo Modules](/hugo-modules/) is built on top of Go Modules functionality, and a Hugo project using Hugo Modules will have a `go.sum` file. We recommend that you commit this file to your version control system. The Hugo build will fail if there is a checksum mismatch, which would be an indication of [dependency tampering](https://julienrenaux.fr/2019/12/20/github-actions-security-risk/).

## Web Application Security

These are the security threats as defined by [OWASP](https://en.wikipedia.org/wiki/OWASP).

For HTML output, this is the core security model:

https://golang.org/pkg/html/template/#hdr-Security_Model

In short:

Templates authors (you) are trusted, but the data you send in is not.
This is why you sometimes need to use the _safe_ functions, such as `safeHTML`, to avoid escaping of data you know is safe.
There is one exception to the above, as noted in the documentation: If you enable inline shortcodes, you also say that the shortcodes and data handling in content files are trusted, as those macros are treated as pure text.
It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.

For content, the default Markdown renderer is [configured](/getting-started/configuration-markup) to remove or escape potentially unsafe content. This behavior can be reconfigured if you trust your content.
Squashed 'docs/' changes from af4b7ac5b..54f0e8776 54f0e8776 Update image-actions.yml 94e5cad02 Update image-actions.yml 0ad20d226 Add a page about Hugo's Security Model 0dee16d11 Link to Régis Full Partials series 138782808 Update partialCached.md git-subtree-dir: docs git-subtree-split: 54f0e877670fd434c6903e20774fcf7eba9255fa 2019-12-22 16:51:45 -05:00			`---`
			`title: Hugo's Security Model`
Squashed 'docs/' changes from 9be494de3..ac2c4a487 ac2c4a487 Update documentation for Ugly URLs (#1082) 88bdec17a Change 072.0 to 0.72.0 in release post's description 2aa7d7818 Update rss.md (#1104) c80677aeb Update quick-start.md (#1076) d04196bbd Minor spelling and capitalization fixes 837d2feba Fixed spelling mistake 67dc78e12 Update installing.md ce280c5d6 Update relurl.md bb4d0e703 Capitalization and Redirecting URL fixes e1fecada0 Update partials.md 1d99bb182 Typos and whitespacing issues fixed b20dba125 actually fix index function link this time f47d6f1e3 Fixing typos, whitespace issues and links dc82309b9 fix link to the index function 1eab0cbea add missing word (#1130) 9c3ee62ae more fixes e9bc5880a whitespace, typos and HTTPS fixes 93b806493 Add missing word to Module section 80ced9062 Display image on page bundles page. 727029b0a Update index.md 51fc48e4d Release 0.72.0 1ff68ac3b releaser: Add release notes to /docs for release of 0.72.0 f74a25b92 common/maps: Add Scratch.Values 2fd83db96 Add redirect support to the server bdfccf9f4 Fix typo in install instructions e12737ea6 Create SUPPORT.md git-subtree-dir: docs git-subtree-split: ac2c4a4871e90ddfb180f23704ce7ec9023529ca 2020-06-16 08:18:51 -04:00			`description: A summary of Hugo's security model.`
Squashed 'docs/' changes from af4b7ac5b..54f0e8776 54f0e8776 Update image-actions.yml 94e5cad02 Update image-actions.yml 0ad20d226 Add a page about Hugo's Security Model 0dee16d11 Link to Régis Full Partials series 138782808 Update partialCached.md git-subtree-dir: docs git-subtree-split: 54f0e877670fd434c6903e20774fcf7eba9255fa 2019-12-22 16:51:45 -05:00			`date: 2019-10-01`
			`layout: single`
			`keywords: ["Security", "Privacy"]`
			`menu:`
			`docs:`
			`parent: "about"`
			`weight: 4`
			`weight: 5`
			`sections_weight: 5`
			`draft: false`
			`aliases: [/security/]`
			`toc: true`
			`---`

			`## Runtime Security`

			`Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that you integrate with.`

Squashed 'docs/' changes from 9be494de3..ac2c4a487 ac2c4a487 Update documentation for Ugly URLs (#1082) 88bdec17a Change 072.0 to 0.72.0 in release post's description 2aa7d7818 Update rss.md (#1104) c80677aeb Update quick-start.md (#1076) d04196bbd Minor spelling and capitalization fixes 837d2feba Fixed spelling mistake 67dc78e12 Update installing.md ce280c5d6 Update relurl.md bb4d0e703 Capitalization and Redirecting URL fixes e1fecada0 Update partials.md 1d99bb182 Typos and whitespacing issues fixed b20dba125 actually fix index function link this time f47d6f1e3 Fixing typos, whitespace issues and links dc82309b9 fix link to the index function 1eab0cbea add missing word (#1130) 9c3ee62ae more fixes e9bc5880a whitespace, typos and HTTPS fixes 93b806493 Add missing word to Module section 80ced9062 Display image on page bundles page. 727029b0a Update index.md 51fc48e4d Release 0.72.0 1ff68ac3b releaser: Add release notes to /docs for release of 0.72.0 f74a25b92 common/maps: Add Scratch.Values 2fd83db96 Add redirect support to the server bdfccf9f4 Fix typo in install instructions e12737ea6 Create SUPPORT.md git-subtree-dir: docs git-subtree-split: ac2c4a4871e90ddfb180f23704ce7ec9023529ca 2020-06-16 08:18:51 -04:00			But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).
Squashed 'docs/' changes from af4b7ac5b..54f0e8776 54f0e8776 Update image-actions.yml 94e5cad02 Update image-actions.yml 0ad20d226 Add a page about Hugo's Security Model 0dee16d11 Link to Régis Full Partials series 138782808 Update partialCached.md git-subtree-dir: docs git-subtree-split: 54f0e877670fd434c6903e20774fcf7eba9255fa 2019-12-22 16:51:45 -05:00
			`Hugo's main approach is that of sandboxing:`

			`* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.`
			`* Only the main project can walk symbolic links.`
			`* User-defined components have only read-access to the filesystem.`
Squashed 'docs/' changes from 19f44e150..ec0abe052 ec0abe052 Update index.md ed44339cd Update bio.md cef04eb95 Minor edits 4d45dcc8d Submitting Digital.gov to the Hugo Showcase d35126af7 Azure uses storage containers, not buckets; edited accordingly. (#1078) 9c249cc89 fix grammatical error 9728699a3 Release Hugo 0.69.2 cccabed0c Merge branch 'temp692' 3d0a740c4 releaser: Add release notes to /docs for release of 0.69.2 b760aceb1 HTTPS external links in docs 49e4631b0 Release 0.69.1 01f3da870 Merge branch 'temp691' 8280d85aa releaser: Add release notes to /docs for release of 0.69.1 40ea44d24 fix typo (#1088) 725f53643 Rebuild cache 80ee1efd9 Add KeyCDN Showcase f253e906e docs: Fix typo in Hugo's Security Model b3ffd1ad3 Mentioning a range is equivalent to foreach (#1086) 0c396911f Update jsonify function docs 376befc9a Fix typo (#1084) 4bdc9bc72 Mark .Page.UniqueID as deprecated and add .File.UniqueID 30a7b7bf2 Update hosting-on-github.md c5db4ba2b Update postprocess.md 1121f74a5 Update install guide with Scoop extended 8988aa6fa Merge branch 'postprocess' 225d3f9c7 Release Hugo 0.69.0 4caf7a89a releaser: Add release notes to /docs for release of 0.69.0 664b2a0fa Document resources.PostProcess and buildStats 9737b34e9 docs: Regen docs helper 0fab3ba24 Merge commit 'da3c3e5fbd0de65f956618cd2e35401460a3cd02' 96dad83b1 Update hosting-on-aws-amplify.md 57eb27897 Merge commit 'c494c37a4523fbf2db6274dc87e0877fd5bec24b' dcc7afef7 fix typo in getting started git-subtree-dir: docs git-subtree-split: ec0abe052bcfebc65c323df4ff14ad277bb405d8 2020-05-06 06:12:21 -04:00			`* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined. General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.`
Squashed 'docs/' changes from af4b7ac5b..54f0e8776 54f0e8776 Update image-actions.yml 94e5cad02 Update image-actions.yml 0ad20d226 Add a page about Hugo's Security Model 0dee16d11 Link to Régis Full Partials series 138782808 Update partialCached.md git-subtree-dir: docs git-subtree-split: 54f0e877670fd434c6903e20774fcf7eba9255fa 2019-12-22 16:51:45 -05:00
			`Hugo will soon introduce a concept of _Content Source Plugins_ (AKA _Pages from Data_), but the above will still hold true.`

			`## Dependency Security`

			Hugo builds as a static binary using [Go Modules](https://github.com/golang/go/wiki/Modules) to manage its dependencies. Go Modules have several safeguards, one of them being the `go.sum` file. This is a database of the expected cryptographic checksums of all of your dependencies, including any transitive.

			[Hugo Modules](/hugo-modules/) is built on top of Go Modules functionality, and a Hugo project using Hugo Modules will have a `go.sum` file. We recommend that you commit this file to your version control system. The Hugo build will fail if there is a checksum mismatch, which would be an indication of [dependency tampering](https://julienrenaux.fr/2019/12/20/github-actions-security-risk/).

			`## Web Application Security`

			`These are the security threats as defined by [OWASP](https://en.wikipedia.org/wiki/OWASP).`

			`For HTML output, this is the core security model:`

			`https://golang.org/pkg/html/template/#hdr-Security_Model`

			`In short:`

			`Templates authors (you) are trusted, but the data you send in is not.`
			This is why you sometimes need to use the _safe_ functions, such as `safeHTML`, to avoid escaping of data you know is safe.
			`There is one exception to the above, as noted in the documentation: If you enable inline shortcodes, you also say that the shortcodes and data handling in content files are trusted, as those macros are treated as pure text.`
			`It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.`

			`For content, the default Markdown renderer is [configured](/getting-started/configuration-markup) to remove or escape potentially unsafe content. This behavior can be reconfigured if you trust your content.`