The security configuration file in config/_default contains the runtime security settings for Hugo.

The general concept is to restrict Hugo's access to its surrounding environment, also known as sandboxing.

```yaml
#
# Hugo security settings
#

enableInlineShortcodes: false
exec:
  allow:
    # - ^dart-sass-embedded$
    # - ^go$
    # - ^postcss$
    # - ^npx$ # Needed for postcss
  osEnv:
    - (?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$
funcs:
  getenv:
    - ^HUGO_
http:
  methods:
    - (?i)GET|POST
  urls:
    - .*
```
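
How the allowlist patterns above evaluate under Go's regular expression search semantics, as an added example that is not Hugo's or this page's own code. The `Allowlist` helper, the sample values and the two tightened patterns are constructed here; it assumes a value is accepted when any pattern matches and that an empty list accepts nothing.

```go
package main

import (
	"fmt"
	"regexp"
)

// Allowlist is a hypothetical helper, not Hugo's own type.
type Allowlist []*regexp.Regexp

// Compile builds an Allowlist; with no patterns it accepts nothing (assumption).
func Compile(patterns ...string) Allowlist {
	var al Allowlist
	for _, p := range patterns {
		al = append(al, regexp.MustCompile(p))
	}
	return al
}

// Accepts searches unanchored: only ^ and $ in a pattern force a full match.
func (al Allowlist) Accepts(v string) bool {
	for _, re := range al {
		if re.MatchString(v) {
			return true
		}
	}
	return false
}

func main() {
	checks := []struct {
		key     string
		list    Allowlist
		samples []string // constructed sample values
	}{
		// Patterns copied from the configuration on this page.
		{"exec.allow (all commented out)", Compile(), []string{"go", "npx"}},
		{"exec.osEnv", Compile(`(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$`), []string{"Path", "PATH_INFO", "HOME"}},
		{"funcs.getenv", Compile(`^HUGO_`), []string{"HUGO_ENV", "MY_HUGO_ENV", "HOME"}},
		{"http.methods", Compile(`(?i)GET|POST`), []string{"get", "DELETE", "XPOSTX"}},
		{"http.urls", Compile(`.*`), []string{"https://api.example.org/v1", "http://other.example.net/"}},
		// Constructed tighter variants, shown for comparison only.
		{"http.methods, anchored", Compile(`(?i)^(GET|POST)$`), []string{"get", "DELETE", "XPOSTX"}},
		{"http.urls, one host", Compile(`^https://api\.example\.org/`), []string{"https://api.example.org/v1", "http://other.example.net/"}},
	}
	for _, c := range checks {
		for _, s := range c.samples {
			fmt.Printf("%-32s %-30q accepted=%v\n", c.key, s, c.list.Accepts(s))
		}
	}
}
```

The output shows that `(?i)GET|POST` accepts any string containing either word, while `^HUGO_` and the `osEnv` pattern are held in place by their anchors.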