Configure security

Hugo’s built-in security policy, which restricts access to os/exec, remote communication, and similar operations, is configured via allow lists. By default, access is restricted. If a build attempts to use a feature not included in the allow list, it will fail, providing a detailed message.

This is the default security configuration:

YAML:

security:
  enableInlineShortcodes: false
  exec:
    allow:
    - ^(dart-)?sass(-embedded)?$
    - ^go$
    - ^git$
    - ^npx$
    - ^postcss$
    - ^tailwindcss$
    osEnv:
    - (?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$
  funcs:
    getenv:
    - ^HUGO_
    - ^CI$
  http:
    mediaTypes: null
    methods:
    - (?i)GET|POST
    urls:
    - .*

TOML:

[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^npx$', '^postcss$', '^tailwindcss$']
    osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$']
  [security.funcs]
    getenv = ['^HUGO_', '^CI$']
  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']

JSON:

{
   "security": {
      "enableInlineShortcodes": false,
      "exec": {
         "allow": [
            "^(dart-)?sass(-embedded)?$",
            "^go$",
            "^git$",
            "^npx$",
            "^postcss$",
            "^tailwindcss$"
         ],
         "osEnv": [
            "(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$"
         ]
      },
      "funcs": {
         "getenv": [
            "^HUGO_",
            "^CI$"
         ]
      },
      "http": {
         "mediaTypes": null,
         "methods": [
            "(?i)GET|POST"
         ],
         "urls": [
            ".*"
         ]
      }
   }
}

enableInlineShortcodes
(bool) Whether to enable inline shortcodes. Default is false.
exec.allow
([]string) A slice of regular expressions matching the names of external executables that Hugo is allowed to run.
exec.osEnv
([]string) A slice of regular expressions matching the names of operating system environment variables that Hugo is allowed to access.
funcs.getenv
([]string) A slice of regular expressions matching the names of operating system environment variables that Hugo is allowed to access with the os.Getenv function.
http.methods
([]string) A slice of regular expressions matching the HTTP methods that the resources.GetRemote function is allowed to use.
http.mediaTypes
([]string) Applicable to the resources.GetRemote function, a slice of regular expressions matching the Content-Type in HTTP responses that Hugo trusts, bypassing file content analysis for media type detection.
http.urls
([]string) A slice of regular expressions matching the URLs that the resources.GetRemote function is allowed to access.

Setting an allow list to the string none will completely disable the associated feature.
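
The Go program below is an added example, not part of Hugo's documentation or source code. It models the allow-list check described above, assuming each entry is applied as an unanchored Go regular expression (which is why the defaults carry explicit ^ and $), and lints a list for catch-all or unanchored entries. The function names, CI_TOKEN, and the example.org/example.net hosts are hypothetical placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// allowed models this page's allow lists: a value passes if any entry matches;
// the single entry "none" disables the feature. Assumes unanchored Go regexps.
func allowed(patterns []string, value string) bool {
	if len(patterns) == 1 && patterns[0] == "none" {
		return false
	}
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(value) {
			return true
		}
	}
	return false
}

// audit is a heuristic lint: it reports catch-all entries and entries that do
// not begin with ^ (after an optional (?i) flag), which match anywhere.
func audit(key string, patterns []string) []string {
	var findings []string
	for _, p := range patterns {
		body := strings.TrimPrefix(p, "(?i)")
		switch {
		case p == "none": // feature disabled, nothing to report
		case body == ".*":
			findings = append(findings, key+": catch-all "+p)
		case !strings.HasPrefix(body, "^"):
			findings = append(findings, key+": no leading ^ in "+p)
		}
	}
	return findings
}

func main() {
	// Default lists from this page.
	getenv := []string{"^HUGO_", "^CI$"}
	fmt.Println(audit("http.urls", []string{".*"}), audit("funcs.getenv", getenv))
	fmt.Println(allowed(getenv, "HUGO_ENV"), allowed(getenv, "CI_TOKEN"))
	// Constructed URL patterns; the hosts are placeholders.
	u := "https://other.example.net/?next=https://api.example.org/"
	fmt.Println(allowed([]string{`https://api\.example\.org/`}, u))  // loose
	fmt.Println(allowed([]string{`^https://api\.example\.org/`}, u)) // strict
}
```

When replacing the default http.urls entry with a host-specific pattern, start it with ^ and escape the dots so that the pattern cannot match inside a query string or a look-alike host name.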

You can also override the site configuration with environment variables. For example, to block resources.GetRemote from accessing any URL:

export HUGO_SECURITY_HTTP_URLS=none

Learn more about using environment variables to configure your site.