Configure security
Configure security.
Hugo’s built-in security policy, which restricts access to os/exec, remote communication, and similar operations, is configured via allowlists. By default, access is restricted. If a build attempts to use a feature not included in the allowlist, it will fail, providing a detailed message.
This is the default security configuration:
security:
enableInlineShortcodes: false
exec:
allow:
- ^(dart-)?sass(-embedded)?$
- ^go$
- ^git$
- ^node$
- ^postcss$
- ^tailwindcss$
osEnv:
- '(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE|PROGRAMDATA)$'
funcs:
getenv:
- ^HUGO_
- ^CI$
http:
mediaTypes: null
methods:
- (?i)GET|POST
urls:
- (?i)^https?://[a-z0-9]
- '! ^https?://\d+\.'
- '! (?i)localhost'
- '! (?i)^https?://[^/?#]*@'
node:
permissions:
allowAddons:
- tailwindcss
allowChildProcess:
- tailwindcss
allowRead:
- .
allowWorker:
- tailwindcss
allowWrite: []
disable: false
[security]
enableInlineShortcodes = false
[security.exec]
allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^node$', '^postcss$', '^tailwindcss$']
osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE|PROGRAMDATA)$']
[security.funcs]
getenv = ['^HUGO_', '^CI$']
[security.http]
methods = ['(?i)GET|POST']
urls = ['(?i)^https?://[a-z0-9]', '! ^https?://\d+\.', '! (?i)localhost', '! (?i)^https?://[^/?#]*@']
[security.node]
[security.node.permissions]
allowAddons = ['tailwindcss']
allowChildProcess = ['tailwindcss']
allowRead = ['.']
allowWorker = ['tailwindcss']
allowWrite = []
disable = false
{
"security": {
"enableInlineShortcodes": false,
"exec": {
"allow": [
"^(dart-)?sass(-embedded)?$",
"^go$",
"^git$",
"^node$",
"^postcss$",
"^tailwindcss$"
],
"osEnv": [
"(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE|PROGRAMDATA)$"
]
},
"funcs": {
"getenv": [
"^HUGO_",
"^CI$"
]
},
"http": {
"mediaTypes": null,
"methods": [
"(?i)GET|POST"
],
"urls": [
"(?i)^https?://[a-z0-9]",
"! ^https?://\\d+\\.",
"! (?i)localhost",
"! (?i)^https?://[^/?#]*@"
]
},
"node": {
"permissions": {
"allowAddons": [
"tailwindcss"
],
"allowChildProcess": [
"tailwindcss"
],
"allowRead": [
"."
],
"allowWorker": [
"tailwindcss"
],
"allowWrite": [],
"disable": false
}
}
}
}
- enableInlineShortcodes
- (
bool) Whether to enable inline shortcodes. Default isfalse. - exec.allow
- (
[]string) A slice of regular expressions matching the names of external executables that Hugo is allowed to run. - exec.osEnv
- (
[]string) A slice of regular expressions matching the names of operating system environment variables that Hugo is allowed to access. - funcs.getenv
- (
[]string) A slice of regular expressions matching the names of operating system environment variables that Hugo is allowed to access with theos.Getenvfunction. - http.methods
- (
[]string) A slice of regular expressions matching the HTTP methods that theresources.GetRemotefunction is allowed to use. - http.mediaTypes
- (
[]string) Applicable to theresources.GetRemotefunction, a slice of regular expressions matching theContent-Typein HTTP responses that Hugo trusts, bypassing file content analysis for media type detection. - http.urls
- (
[]string) A slice of regular expressions matching the URLs that theresources.GetRemotefunction is allowed to access. - node.permissions.disable
- New in v0.161.0
- (
bool) Whether to disable the Node.js permission model. Whenfalse, Hugo runs Node.js tools with the--permissionflag, restricting their file system and resource access to what is explicitly allowed below. Default isfalse. - node.permissions.allowAddons
- New in v0.161.0
- (
[]string) A slice of Node.js tool names permitted to load native addons (--allow-addons). - node.permissions.allowChildProcess
- New in v0.161.0
- (
[]string) A slice of Node.js tool names permitted to spawn child processes (--allow-child-process). - node.permissions.allowRead
- New in v0.161.0
- (
[]string) A slice of file system paths that Node.js tools are allowed to read (--allow-fs-read). Paths are relative to the working directory;"."means the working directory itself. Use"*"to allow all paths. - node.permissions.allowWorker
- New in v0.161.0
- (
[]string) A slice of Node.js tool names permitted to spawn worker threads (--allow-worker). - node.permissions.allowWrite
- New in v0.161.0
- (
[]string) A slice of file system paths that Node.js tools are allowed to write (--allow-fs-write). Paths are relative to the working directory;"."means the working directory itself. Use"*"to allow all paths.
Negation rules
New in v0.161.0Any pattern in an allowlist can be negated by prefixing it with an exclamation mark (!) and one space to turn it into a deny rule. Deny rules take precedence over allow rules. An allowlist composed entirely of deny rules implicitly allows everything it does not deny. An empty allowlist rejects everything.
For example, to allow all URLs except those pointing to evil.example.com:
[security.http]
urls = ['.*', '! ^https?://evil\.example\.com']Setting an allowlist to the string none will completely disable the associated feature.
Environment variables
You can also override your project configuration with environment variables. For example, to block resources.GetRemote from accessing any URL:
export HUGO_SECURITY_HTTP_URLS=noneLearn more about using environment variables to configure your site.