Hugo produces static websites with minimal runtime surface. Security is primarily a supply-chain and build/publish pipeline concern.
1) Protect Secrets and Supply Chain
- Pin Hugo version in CI/CD pipelines
- Verify third-party themes and shortcodes before production use
- Use git submodules or Hugo Modules for theme versioning
- Review theme code for malicious scripts or external calls
- Protect CI/CD publish credentials
- Restrict pipeline write permissions to minimum required
- Use signed commits for content repositories where possible
- Review generated HTML for unsafe raw content or shortcode output
- Deploy with strict security headers at CDN or web server:
  - Content Security Policy (CSP)
  - HSTS (HTTP Strict Transport Security)
  - X-Content-Type-Options: nosniff
  - X-Frame-Options: DENY
  - Referrer-Policy
- Enforce HTTPS at web server/CDN level
- Disable directory listing on web server
- Sanitize user-generated content before committing
- Review Markdown for embedded scripts or iframes
- Keep unsafe: false in the Goldmark renderer (the default) unless raw HTML in Markdown is genuinely required
- Validate external data files (JSON, YAML, CSV)
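The checklist asks for a review of the generated HTML (raw content, shortcode output, embedded scripts and iframes). The Goldmark unsafe: false setting only strips raw HTML from Markdown; HTML emitted by layouts, shortcodes and themes bypasses it, so the build output is the right thing to check. The scanner below is an added example, not code from the original page or from the Hugo project. It assumes the site is built into ./public, that ALLOWED_SCRIPT_HOSTS lists the only origins permitted to serve external scripts, and the sample page it runs on by default is constructed here.

```python
"""Scan Hugo build output (public/) for raw HTML that a strict CSP would block
or that a reviewer should look at before publishing.

Added example, not part of the original page or of Hugo. Assumptions: the site
is built into ./public and only ALLOWED_SCRIPT_HOSTS may serve external scripts."""
from __future__ import annotations

import sys
from dataclasses import dataclass
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the site's own CDN is the only acceptable external script origin.
ALLOWED_SCRIPT_HOSTS = frozenset({"cdn.example.org"})


@dataclass(frozen=True)
class Finding:
    kind: str    # embed | event-handler | external-script | inline-script | javascript-url
    line: int    # 1-based line in the HTML file
    detail: str


class UnsafeContentParser(HTMLParser):
    """Collects findings while walking one HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[Finding] = []
        self._in_inline_script = False

    def handle_starttag(self, tag: str, attrs: list) -> None:
        line = self.getpos()[0]
        attrmap = dict(attrs)
        if tag == "script":
            src = attrmap.get("src")
            if src is None:
                self._in_inline_script = True            # body arrives via handle_data
            else:
                host = urlparse(src).netloc              # empty for same-origin paths
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(Finding("external-script", line, src))
        elif tag in ("iframe", "object", "embed"):
            self.findings.append(Finding("embed", line, tag))
        for name, value in attrmap.items():
            if name.startswith("on"):                     # onclick, onload, ...
                self.findings.append(Finding("event-handler", line, f"{tag}@{name}"))
            if name in ("href", "src", "action") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(Finding("javascript-url", line, value))

    def handle_data(self, data: str) -> None:
        if self._in_inline_script and data.strip():
            self.findings.append(Finding("inline-script", self.getpos()[0], data.strip()[:40]))

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._in_inline_script = False


def scan_html(document: str) -> list[Finding]:
    parser = UnsafeContentParser()
    parser.feed(document)
    parser.close()
    return parser.findings


def scan_site(public_dir: Path) -> dict[str, list[Finding]]:
    """Scan every .html file under the build directory; return {relative path: findings}."""
    report: dict[str, list[Finding]] = {}
    for path in sorted(public_dir.rglob("*.html")):
        findings = scan_html(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path.relative_to(public_dir))] = findings
    return report


# Constructed sample page: two acceptable scripts, then five things a reviewer should see.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="https://analytics.example.net/t.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<a href="javascript:void(0)">menu</a>
<button onclick="toggle()">go</button>
<iframe src="https://video.example.com/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_site(Path(sys.argv[1]))          # e.g. python scan_public.py public
    else:
        report = {"(sample)": scan_html(SAMPLE_PAGE)}  # offline demo on the constructed page
    for name, findings in report.items():
        for f in findings:
            print(f"{name}:{f.line}: {f.kind}: {f.detail}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it against public/ as a post-build CI step; a non-zero exit fails the pipeline so that a theme or shortcode update that starts injecting an external script or an iframe is caught before publish. Same-origin script paths and the allow-listed CDN are accepted; everything else is reported with its file and line.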
Apache (.htaccess):

```apache
# Security headers (requires mod_headers)
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
# Legacy header: modern browsers ignore it, and OWASP now recommends 0 or omitting it
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Disable server signature
ServerSignature Off
```
Nginx:

```nginx
# Security headers
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
# Legacy header: modern browsers ignore it, and OWASP now recommends 0 or omitting it
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Disable server signature
server_tokens off;
```
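Setting headers in the server config is only half the job; the deployed site should be verified, since a CDN or reverse proxy in front of the origin can drop or rewrite them. The checker below is an added example, not code from the original page or from any web server project. It tests the headers named in the checklist above (CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) plus a version-free Server header. Note that the Apache and Nginx snippets above do not set HSTS, so the constructed PAGE_SNIPPET sample is reported as missing it. The one-year HSTS minimum and the treatment of no-referrer-when-downgrade as weak are policy choices made in this example, not requirements stated on the page; all sample header sets are constructed.

```python
"""Check a deployed Hugo site's response headers against the checklist above.

Added example, not part of the original page or of any web server. The one-year
HSTS minimum and the referrer-policy values treated as weak are policy choices
made here, not requirements stated on the page."""
from __future__ import annotations

import re
import sys
import urllib.request

ONE_YEAR = 31536000


def check_security_headers(headers: dict[str, str], min_hsts_age: int = ONE_YEAR) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    problems: list[str] = []

    csp = h.get("content-security-policy", "")
    if not csp:
        problems.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        problems.append("CSP permits 'unsafe-inline' or 'unsafe-eval'")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        problems.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < min_hsts_age:
        problems.append(f"HSTS max-age {m.group(1)} is below {min_hsts_age}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options is not nosniff")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options is not DENY or SAMEORIGIN")

    rp = h.get("referrer-policy", "").lower()
    if not rp:
        problems.append("missing Referrer-Policy")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        problems.append(f"Referrer-Policy {rp} sends the full URL cross-origin")

    if re.search(r"/\d", h.get("server", "")):              # e.g. "nginx/1.24.0"
        problems.append(f"Server header discloses a version: {h['server']}")
    return problems


def fetch_headers(url: str) -> dict[str, str]:
    """HEAD request returning the response headers (needs network; the samples below do not)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed: what the Nginx block above emits (server_tokens off still sends "Server: nginx").
PAGE_SNIPPET = {
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
# Constructed: the same plus HSTS, which the snippet does not set.
HARDENED = {**PAGE_SNIPPET, "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
# Constructed: an untouched default server.
DEFAULT = {"Server": "nginx/1.24.0", "Content-Type": "text/html"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: fetch_headers(sys.argv[1])}   # python check_headers.py https://example.org/
    else:
        samples = {"page-snippet": PAGE_SNIPPET, "hardened": HARDENED, "default": DEFAULT}
    for name, hdrs in samples.items():
        probs = check_security_headers(hdrs)
        print(f"{name}: {'OK' if not probs else '; '.join(probs)}")
```

Point it at the live URL after each deploy; because the check runs against what the browser actually receives, it catches a CDN or proxy that strips the origin's headers as well as a missing directive in the config.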
- Hugo docs: https://gohugo.io/documentation/
- Hugo source: https://github.com/gohugoio/hugo
- OWASP Static Site Security: https://cheatsheetseries.owasp.org/