The Hugo binary runs in a sandbox to offer maximal runtime security while rendering static sites. External dependencies are configured explicitly.

The Hugo project is putting a strong focus on security issues and has outlined its security model at the beginning of the documentation.

Hugo can invoke external binaries at runtime. When we want to pull in external content as a Hugo module, for example, Hugo needs the Go toolchain, which handles the dependencies securely. To generate our CSS with the Dart Sass preprocessor, Hugo has to call the embedded Sass binary. To post-process our CSS stylesheets we may want to call the PostCSS CLI, which is a Node package that pulls in a lot of other Node packages. And it may be convenient to let Hugo open an editor for new content.

Depending on our needs and security concerns we can allow Hugo to make those calls or forbid them. The same applies to reading system environment variables and other sensitive values. All this and more is configured in the security configuration file security.yaml.
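The following security.yaml is an added example and not the configuration of this project or of the Perplex theme. It shows the two policies described above side by side: a permissive file that allows the Go toolchain, Dart Sass and PostCSS for a project that needs them, and a locked-down file that allows no binaries at all. The file location (config/_default/security.yaml, where the file name supplies the top-level "security" key) follows Hugo's configuration directory convention, and the assumption that an empty allow list denies every exec call is stated in the comments; check it against the Hugo documentation for the version you run.

```yaml
# config/_default/security.yaml (assumed location: Hugo's config directory,
# where the file name "security" is the top-level key, so no "security:" prefix).
#
# Variant A (added example): a project that really needs external tools.
# Every pattern is a regular expression matched against the binary name only,
# so keep the anchors; an unanchored "sass" would also match "sass-evil".
exec:
  allow:
    - '^go$'                     # Hugo modules need the Go toolchain
    - '^(dart-)?sass(-embedded)?$'  # Dart Sass for CSS preprocessing
    - '^npx$'                    # PostCSS CLI is started through npx
    - '^postcss$'
  osEnv:
    # Environment variables the allowed binaries may see. Kept deliberately
    # narrow: PATH, HOME and Go settings, nothing that could hold secrets.
    - '^(PATH|HOME|GOPATH|GOCACHE|GOFLAGS)$'
funcs:
  getenv:
    # Only HUGO_-prefixed variables are readable from templates via os.Getenv.
    - '^HUGO_'
http:
  methods:
    - '(?i)^GET$'                # resources.GetRemote may only fetch, never POST
  urls:
    - '^https://example\.com/'   # constructed placeholder; list your own hosts
enableInlineShortcodes: false    # inline shortcodes execute template code from content

---
# Variant B (added example): a project like this one that relies only on its
# own content. No binary is allowed, so any template pipe that would shell
# out (PostCSS, an editor, an external Sass) fails the build instead of
# silently running. Assumption: an empty allow list denies every name.
exec:
  allow: []
  osEnv: []
funcs:
  getenv:
    - '^HUGO_'
http:
  methods: []
  urls: []
enableInlineShortcodes: false
```

Only one of the two documents belongs in a real project; the "---" separator is there so the variants can be compared in one listing. Hugo applies a deny-by-default rule at each point: a binary, environment variable, URL or HTTP method that matches no pattern in the relevant list is refused, so the narrower list is always the safer one, and a build that breaks after tightening the file tells you exactly which external call the site was relying on.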

The Perplex theme doesn’t need any additional programs, and this project relies on content of my own. So this documentation project doesn’t allow Hugo to call any other binaries. Because I can’t think of other security risks at runtime, I did not optimize this project’s configuration further for security, and I recommend reading the Hugo documentation if you face such risks.