Skip to content

🔒 Security

Want to optimize the security of your site?

Hugo Blox creates highly secure sites, automatically applying the latest security best practices for you, including:

  • ✅ Secured with HTTPS
  • ✅ Subresource Integrity (SRI)
  • ✅ X-Frame-Options
  • ✅ X-XSS-Protection
  • ✅ X-Content-Type-Options
  • ✅ Referrer-Policy
  • ✅ Configurable Content Security Policy
  • ✅ Configurable Permissions Policy


If your site is hosted with Netlify and does not generate a public/_headers file, open config/_default/hugo.yaml and add "headers" to outputs > home.

Prevent sites embedding your content

By default, Hugo Blox sites are secured to prevent malicious sites embedding your content on their site.

However, if you need to embed a page from your site in a frame, you can opt to allow this in params.yaml:

allow_frame: true

Content Security Policy

A Content Security Policy (CSP) is unique to each site. There are a number of third-party tools which can help you to create one.

Define your Content Security Policy in your params.yaml:

policy: ''
report_only: false

When creating your CSP, remember that some integrations, such as for analytics, can only become activated in production (live sites), and not in a development environment.

Permissions Policy

A Permissions Policy is unique to each site, influenced by customizations and integrations.

Define your Permissions Policy in params.yaml. For example:

policy: >-
accelerometer=(), camera=(), geolocation=(), gyroscope=(),
magnetometer=(), microphone=(), payment=(), usb=()


The security headers are generated to a file named public/_headers which can be automatically parsed by Netlify.

For other hosts, follow the advice from your provider to apply the security headers.


Hugo Blox is a page building framework for Hugo. As such, each site generated is different and features different third-party integrations and customizations. Security audits should be performed to measure how well the security conforms to your criteria and to optimize the security of your specific site.

Private variables

To avoid sharing variables such as a Google Maps API key in the params.yaml file of your GitHub repository, you can purposely leave sensitive variables empty and define them in the build environment instead.

The Hugo notation for defining an environment variable is HUGOxPARAMSx followed by the parameter path, with each part of the path delimited by an x.

For example, to define a Google Maps API key privately in your Netlify account, set HUGOxPARAMSxMAPxAPI_KEY under the Environment section and redeploy your site if necessary.

See the Hugo Docs and Netlify Docs for more details.