Want to optimize the security of your site?
Hugo Blox creates highly secure sites, automatically applying the latest security best practices for you, including:
- ✅ Secured with HTTPS
- ✅ Subresource Integrity (SRI)
- ✅ X-Frame-Options
- ✅ X-XSS-Protection
- ✅ X-Content-Type-Options
- ✅ Referrer-Policy
- ✅ Configurable Content Security Policy
- ✅ Configurable Permissions Policy
If your site is hosted with Netlify and does not generate a public/_headers file, open config/_default/hugo.yaml and add
Prevent sites embedding your content
By default, Hugo Blox sites are secured to prevent malicious sites from embedding your content on their site.
However, if you need to embed a page from your site in a frame, you can opt to allow this in
Content Security Policy
Define your Content Security Policy in your
When creating your CSP, remember that some integrations, such as analytics, are only activated in production (live sites) and not in a development environment.
A Permissions Policy is unique to each site, influenced by customizations and integrations.
Define your Permissions Policy in params.yaml. For example:
The security headers are written to a file named public/_headers, which Netlify parses automatically.
For other hosts, follow the advice from your provider to apply the security headers.
Hugo Blox is a page building framework for Hugo. As such, each site generated is different and features different third-party integrations and customizations. Security audits should be performed to measure how well the security conforms to your criteria and to optimize the security of your specific site.
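As a starting point for such an audit, the following added example (not part of Hugo Blox) parses a Netlify-style _headers file and reports which of the response headers listed at the top of this page are missing from a path rule. The sample file content, the function names and the "/*" default path are assumptions made for illustration.

```python
import pathlib
import sys

# Response headers named in this page's feature list.
REQUIRED = (
    "X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options",
    "Referrer-Policy", "Content-Security-Policy", "Permissions-Policy",
)

# Constructed sample, not the output of a real Hugo Blox build.
SAMPLE = """\
# constructed sample
/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Content-Security-Policy: frame-ancestors 'none'

/embed/*
  X-Frame-Options: SAMEORIGIN
"""

def parse_headers(text):
    """Return {path_rule: {lowercased header name: value}}."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0] in " \t":               # indented: header for the current path
            if current is None or ":" not in line:
                raise ValueError(f"malformed header line: {raw!r}")
            name, value = line.split(":", 1)
            rules[current][name.strip().lower()] = value.strip()
        else:                             # unindented: start of a new path rule
            current = line
            rules.setdefault(current, {})
    return rules

def missing_headers(text, path="/*"):
    """List the required headers that the given path rule does not set."""
    present = parse_headers(text).get(path, {})
    return [h for h in REQUIRED if h.lower() not in present]

if __name__ == "__main__":
    # Pass the path to public/_headers, or run without arguments for the sample.
    text = pathlib.Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    for name in missing_headers(text):
        print("missing:", name)
```

The parsed rules also show which paths override X-Frame-Options, which is worth reviewing if you have opted to allow framing for part of the site.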
To avoid sharing variables such as a Google Maps API key in the params.yaml file of your GitHub repository, you can purposely leave sensitive variables empty and define them in the build environment instead.
The Hugo notation for defining an environment variable is HUGOxPARAMSx followed by the parameter path, with each part of the path delimited by an
For example, to define a Google Maps API key privately in your Netlify account, set HUGOxPARAMSxMAPxAPI_KEY under the Environment section and redeploy your site if necessary.