hugo/content/en/about/security-model/index.md
Bjørn Erik Pedersen 87de22d746 Squashed 'docs/' changes from 85befbb4d..c43daf45f
2023-07-29 11:15:54 +02:00


---
title: Hugo's security model
description: A summary of Hugo's security model.
layout: single
keywords: [security, privacy]
menu:
  docs:
    parent: about
    weight: 50
weight: 50
aliases: [/security/]
toc: true
---

## Runtime security

Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that you integrate with.

But when developing and building your site, the runtime is the hugo executable. Securing a runtime can be a real challenge.

Hugo's main approach is that of sandboxing and a security policy with strict defaults:

- Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
- Only the main project can walk symbolic links.
- User-defined components have read-only access to the filesystem.
- We shell out to some external binaries to support Asciidoctor and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been discussed, but not implemented because of security concerns.

## Security policy

Hugo has a built-in security policy that restricts access to os/exec, remote communication and similar.

The default configuration is listed below. Any build using features not in the allow list of the security policy will fail with a detailed message about what needs to be done. Most of these settings are allow lists (a string or a slice of strings interpreted as regular expressions, or `none`, which matches nothing).

{{< code-toggle config="security" />}}

Note that these and other configuration settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:

```sh
HUGO_SECURITY_HTTP_URLS=none hugo
```

## Dependency security

Hugo is built as a static binary using Go Modules to manage its dependencies. Go Modules have several safeguards, one of them being the go.sum file. This is a database of the expected cryptographic checksums of all of your dependencies, including transitive dependencies.

Hugo Modules is a feature built on top of the functionality of Go Modules. Like Go Modules, a Hugo project using Hugo Modules will have a go.sum file. We recommend that you commit this file to your version control system. The Hugo build will fail if there is a checksum mismatch, which would be an indication of dependency tampering.
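To make the checksum mismatch described above concrete, here is an added example (not Hugo's or Go's own code) that reimplements the `h1:` directory hash that `go.sum` records for a module, following the algorithm used by `golang.org/x/mod/sumdb/dirhash`: the SHA-256 of every file is listed, one per line in sorted path order, and the SHA-256 of that listing is base64-encoded. The module files, the module path `example.com/theme` and the tampering are all constructed for the example; `hash1`, `verify` and `tamperedTheme` are names chosen here, not a Go or Hugo API.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// moduleFiles is a constructed stand-in for the files of one module version
// (the paths inside a module zip, relative to the module root).
type moduleFiles map[string]string

// hash1 computes the "h1:" hash that go.sum records for a module: a SHA-256
// over a summary listing the SHA-256 of every file, one per line, in sorted
// path order (the format used by golang.org/x/mod/sumdb/dirhash).
func hash1(files moduleFiles) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("file name %q contains newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)

	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256([]byte(files[name]))
		// Two spaces between the hex digest and the name, as in sha256sum output.
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// ErrChecksumMismatch is what a go.sum verification failure reduces to:
// the module on disk is not the one whose checksum was recorded.
var ErrChecksumMismatch = errors.New("verifying module: checksum mismatch")

// verify recomputes the hash of the files actually present and compares it
// with the checksum recorded in go.sum. A mismatch aborts the build.
func verify(recorded string, files moduleFiles) error {
	actual, err := hash1(files)
	if err != nil {
		return err
	}
	if actual != recorded {
		return fmt.Errorf("%w: recorded %s, computed %s", ErrChecksumMismatch, recorded, actual)
	}
	return nil
}

// theme is a constructed example module: a tiny Hugo theme with two files.
var theme = moduleFiles{
	"theme.toml":                 "name = \"example\"\n",
	"layouts/partials/head.html": "<meta charset=\"utf-8\">\n",
}

// tamperedTheme is the same module with one layout modified after the
// checksum was recorded, which is the situation go.sum is meant to detect.
func tamperedTheme() moduleFiles {
	t := moduleFiles{}
	for k, v := range theme {
		t[k] = v
	}
	t["layouts/partials/head.html"] += "<link rel=\"stylesheet\" href=\"https://cdn.invalid/x.css\">\n"
	return t
}

func main() {
	recorded, err := hash1(theme)
	if err != nil {
		panic(err)
	}
	// This is the shape of the line go.sum would hold for the module.
	fmt.Println("example.com/theme v1.0.0", recorded)
	fmt.Println("clean module:   ", verify(recorded, theme))
	fmt.Println("tampered module:", verify(recorded, tamperedTheme()))
}
```

Because the summary includes every file path and content, a single changed byte in any file, or a file added or removed, produces a different `h1:` value, which is why committing `go.sum` lets a later build detect that a dependency no longer matches what was originally resolved.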

## Web application security

These are the security threats as defined by OWASP.

For HTML output, this is the core security model:

https://pkg.go.dev/html/template#hdr-Security_Model

In short:

Template and configuration authors (you) are trusted, but the data you send in is not. This is why you sometimes need to use the safe functions, such as `safeHTML`, to avoid escaping of data you know is safe. There is one exception to the above, as noted in the documentation: if you enable inline shortcodes, you also declare that the shortcodes and data handling in content files are trusted, as those macros are treated as pure text. It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.
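The trust boundary just described comes from Go's `html/template`, which Hugo uses for HTML output. As an added example (not code from the Hugo project), the program below runs three small templates through `html/template` directly: untrusted data in text context is escaped, an untrusted value in a URL attribute with an unsafe scheme is replaced by the inert `#ZgotmplZ` placeholder, and a value wrapped in `template.HTML` (the engine-level counterpart of Hugo's `safeHTML`) is inserted verbatim. The input strings are constructed, and `render`, `renderTitle`, `renderLink` and `renderTrusted` are names chosen for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// render parses tmpl with html/template and executes it with data.
// The template text is trusted (it comes from the author); data is not,
// so html/template escapes it according to the context it lands in.
func render(tmpl string, data any) (string, error) {
	t, err := template.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Constructed untrusted inputs, standing in for front matter or data files
// that the template author did not write themselves.
const (
	untrustedTitle = `<script>alert(1)</script>`
	untrustedLink  = `javascript:alert(1)`
)

// renderTitle: in HTML text context the markup characters are escaped,
// so the string is displayed as text rather than parsed as markup.
func renderTitle() (string, error) {
	return render(`<h1>{{.}}</h1>`, untrustedTitle)
}

// renderLink: in a URL attribute context html/template rejects schemes other
// than http, https and mailto and substitutes the inert placeholder #ZgotmplZ.
func renderLink() (string, error) {
	return render(`<a href="{{.}}">home</a>`, untrustedLink)
}

// renderTrusted: wrapping a value in template.HTML tells the engine that the
// author vouches for this fragment, so it is inserted without escaping. This
// is what Hugo's safeHTML does; apply it only to values you control.
func renderTrusted() (string, error) {
	return render(`<div>{{.}}</div>`, template.HTML(`<em>trusted</em>`))
}

func main() {
	for _, f := range []func() (string, error){renderTitle, renderLink, renderTrusted} {
		out, err := f()
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

The same contextual escaping is why a Hugo template that prints a page parameter is safe by default, and why `safeHTML` must be reserved for values whose origin you actually trust: once wrapped, the engine no longer stands between that value and the browser.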

For content, the default Markdown renderer is configured to remove or escape potentially unsafe content. This behavior can be reconfigured if you trust your content.