Diffstat (limited to 'docs/content/en/about/security-model/index.md')
-rw-r--r-- | docs/content/en/about/security-model/index.md | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/docs/content/en/about/security-model/index.md b/docs/content/en/about/security-model/index.md index 461c7fe77..66cb15463 100644 --- a/docs/content/en/about/security-model/index.md +++ b/docs/content/en/about/security-model/index.md @@ -10,7 +10,6 @@ menu: weight: 4 weight: 5 sections_weight: 5 -draft: false aliases: [/security/] toc: true --- @@ -28,11 +27,8 @@ But when developing and building your site, the runtime is the `hugo` executable * User-defined components have read-only access to the filesystem. * We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns. - ## Security Policy -{{< new-in "0.91.0" >}} - Hugo has a built-in security policy that restricts access to [os/exec](https://pkg.go.dev/os/exec), remote communication and similar. The default configuration is listed below. Any build using features not in the allow list of the security policy will fail with a detailed message about what needs to be done. Most of these settings are allow lists (string or slice, [Regular Expressions](https://pkg.go.dev/regexp) or `none` which matches nothing). @@ -41,7 +37,7 @@ The default configuration is listed below. Any build using features not in the a Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data: -``` +```txt HUGO_SECURITY_HTTP_URLS=none hugo ``` 
@@ -57,7 +53,7 @@ These are the security threats as defined by [OWASP](https://en.wikipedia.org/wi For HTML output, this is the core security model: -https://golang.org/pkg/html/template/#hdr-Security_Model +<https://pkg.go.dev/html/template#hdr-Security_Model> In short: |
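Review bot: in the hunk at `## Security Policy`, removing `{{< new-in "0.91.0" >}}` leaves the visible part of the section with no statement of which release the policy applies from. Someone running an older release could read "Any build using features not in the allow list of the security policy will fail" as describing their own build. If the shortcode is being retired for old versions, consider keeping the version in prose, for example as the opening words of the paragraph that starts "Hugo has a built-in security policy".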
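Review bot: in the hunk that retags the fence around `HUGO_SECURITY_HTTP_URLS=none hugo`, the new info string is `txt`, but the line is a shell command with an environment-variable assignment in front of it. Tagging it `sh` would match what a reader is expected to type and would keep this block distinguishable from fences that hold configuration or program output.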
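Review bot: in the last hunk, the replacement `<https://pkg.go.dev/html/template#hdr-Security_Model>` is still a bare URL on its own line, while the other pkg.go.dev references visible in this file use link text, as in `[os/exec](https://pkg.go.dev/os/exec)`. Folding it into the preceding sentence as a named link would read better and stay consistent. Since the host changed and the path lost its trailing slash, it is also worth confirming that the `#hdr-Security_Model` fragment still resolves on the new page.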