
Security Best Practices


Static sites have a much smaller attack surface than dynamic sites (like WordPress): there is no database and no server-side code running per request, so the classic server-side exploits (SQL injection, code execution through a vulnerable plugin) do not apply. What remains is the browser side (third-party scripts and iframes), the build toolchain and its dependencies, and the hosting account, so there are still best practices to follow.

HTTPS Everywhere

Serve the site over HTTPS only and redirect plain HTTP to HTTPS. Most hosts (Netlify, GitHub Pages) provide certificates and the redirect for free; make sure the host's option to enforce HTTPS is actually enabled rather than merely available.

Keep Dependencies Updated

Regularly update Hugo and the HugoBlox modules pinned in your go.mod to pick up security patches, then rebuild and redeploy: a static site only receives a fix once it has been rebuilt with the patched version.

Sanitize Content

Be careful when embedding third-party scripts or iframes. A script you include runs with the same access to the page as your own code, so include only what you need, pin it to a specific version, and prefer self-hosting a copy over loading it from a CDN you do not control.

Content Security Policy

A Content Security Policy (CSP) helps prevent Cross-Site Scripting (XSS) attacks by declaring which origins scripts, styles, images and frames may be loaded from; the browser blocks anything not on the list.

If you are using Netlify, you can define headers in netlify.toml.

netlify.toml
[[headers]]
for = "/*"
[headers.values]
X-Frame-Options = "DENY"
# Legacy header: current browsers ignore it and rely on the CSP instead
X-XSS-Protection = "1; mode=block"
Content-Security-Policy = "default-src 'self'; ..."
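The hard part of a CSP for a Hugo site is not the header syntax but knowing what to put in it: every external script, stylesheet, image and iframe origin has to be listed, and any inline `<script>` a theme emits must either be hashed or the policy loosened with 'unsafe-inline'. The script below is an added example, not part of the HugoBlox docs or code: it walks the HTML that Hugo writes to public/, records the origin behind each fetched resource, computes the CSP sha256 source expression for inline script bodies, and renders the result as a netlify.toml `[[headers]]` block. The sample page and the third-party origins in it (plausible.io, cdn.jsdelivr.net, youtube-nocookie.com) are constructed for illustration, not a recommendation.

```python
import base64
import hashlib
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample standing in for one page under Hugo's public/ directory.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex/dist/katex.min.css">
<script src="/js/app.js"></script>
<script src="https://plausible.io/js/script.js" defer></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<img src="/media/avatar.jpg">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://www.youtube-nocookie.com/embed/example"></iframe>
</body></html>
"""


class SourceCollector(HTMLParser):
    """Records, per CSP directive, the origin each fetched resource comes from."""

    DIRECTIVES = ("script-src", "style-src", "img-src", "frame-src")

    def __init__(self):
        super().__init__()
        self.sources = {d: set() for d in self.DIRECTIVES}
        self.inline_scripts = []   # bodies of <script> tags that have no src
        self._buf = None           # collects text while inside such a tag

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self._add("script-src", a["src"])
        elif tag == "script":
            self._buf = []
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            self._add("style-src", a["href"])
        elif tag == "img" and a.get("src"):
            self._add("img-src", a["src"])
        elif tag == "iframe" and a.get("src"):
            self._add("frame-src", a["src"])

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None

    def _add(self, directive, url):
        parts = urlsplit(url.strip())
        if parts.scheme == "data":      # data: URIs need an explicit scheme source
            self.sources[directive].add("data:")
        elif parts.netloc:              # absolute or protocol-relative (//host/...) URL
            self.sources[directive].add(f"{parts.scheme or 'https'}://{parts.netloc}")
        else:                           # relative path: served by the site itself
            self.sources[directive].add("'self'")


def csp_hash(inline_script: str) -> str:
    """Source expression allowing exactly this inline script body (sha256 of its UTF-8 text)."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(collector: SourceCollector) -> str:
    parts = ["default-src 'self'"]
    for directive in SourceCollector.DIRECTIVES:
        # 'self' first, then origins alphabetically, so the policy is stable across builds.
        values = sorted(collector.sources[directive], key=lambda v: (v != "'self'", v))
        if directive == "script-src":
            values += [csp_hash(body) for body in collector.inline_scripts]
        joined = " ".join(values) or "'none'"
        parts.append(f"{directive} {joined}")
    # base-uri and frame-ancestors never fall back to default-src; plugins are never wanted.
    parts += ["object-src 'none'", "base-uri 'self'", "frame-ancestors 'none'"]
    return "; ".join(parts)


def netlify_headers(csp: str) -> str:
    """Render the policy as a netlify.toml [[headers]] block (frame-ancestors replaces X-Frame-Options)."""
    return (
        "[[headers]]\n"
        '  for = "/*"\n'
        "  [headers.values]\n"
        f'    Content-Security-Policy = "{csp}"\n'
        '    X-Content-Type-Options = "nosniff"\n'
        '    Referrer-Policy = "strict-origin-when-cross-origin"\n'
        '    Strict-Transport-Security = "max-age=63072000; includeSubDomains"\n'
    )


def scan_html(html: str) -> SourceCollector:
    collector = SourceCollector()
    collector.feed(html)
    collector.close()
    return collector


def scan_site(public_dir: Path) -> SourceCollector:
    """Run every HTML file under public/ (the output of `hugo --minify`) through one collector."""
    collector = SourceCollector()
    for page in sorted(public_dir.rglob("*.html")):
        collector.feed(page.read_text(encoding="utf-8"))
        collector.close()
        collector.reset()   # clear parser state but keep the collected sources
    return collector


if __name__ == "__main__":
    print(netlify_headers(build_csp(scan_html(SAMPLE_HTML))))
```

Two caveats when using this on a real build. First, hash the final output: `hugo --minify` rewrites inline script bodies, and a hash computed on unminified HTML will not match. Second, the HTML does not show everything the browser fetches: fonts and `@import`s pulled in by CSS (font-src, style-src) and requests made by scripts (connect-src) only appear as violations at runtime. Deploy the generated policy first as `Content-Security-Policy-Report-Only`, browse the site with the developer console open, add the missing origins, and only then switch to the enforcing header.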

Authentication

Since Hugo generates static HTML, there is no server-side authentication: every file under public/ is readable by anyone who knows its URL, so an unlisted page is not a private one.

To create private or password-protected pages, you must rely on your hosting provider or a third-party service:

  • Netlify Identity: Allows role-based access control (RBAC) for pages.
  • Cloudflare Access: Put your entire site (or paths) behind a login.
  • Staticman / Decap CMS: Handle authentication for their own editing or comment-submission backend, not for readers of the site.