This module adds a security.txt file to your Hugo website with information about your preferred procedures to notify the developer team of your website about security issues on your website. Read more about security.txt, a proposed standard which allows websites to define security policies.

Please note, that security.txt is still in the early stages of development and changes might occur. This module will implement all changes and notify you in the hugo.log about (possibly future) missing configuration steps, if they occur.

This module DOES NOT make your website more secure. Just in case you were assuming that 😸

Add this module
path = ""
disable = false
ignoreConfig = false
ignoreImports = false
Latest Version (--)
Fix to this version
hugo mod get[email protected]

Some things you need to know

These are notes about conventions in this You might want to make yourself acquainted with them if this is your first visit.

The following documentation will refer to all configuration parameters in TOML format and with the assumption of a configuration file for your project at /config.toml. There are various formats of configurations (TOML/YAML/JSON) and multiple locations your configuration can reside (config file or config directory). Note that in the case of a config directory the section headers of all samples need to have the respective section title removed. So [params.dnb.something] will become [dnb.something] if the configuration is done in the file /config/$CONFIGNAME/params.toml.


First enable modules in your own repository if you did not already have done so:

1hugo mod init

Then add this module to your required modules in config.toml.

4path = ""
5disable = false
6ignoreConfig = false
7ignoreImports = false

The next time you run hugo it will download the latest version of the module.


1# update this module
2hugo mod get -u
3# update to a specific version
4hugo mod get -u[email protected]
5# update all modules recursively over the whole project
6hugo mod get -u ./...


Install this plugin, then add your configuration to The following configuration parameters are available and correspond to the values in security.txt:

 2intro = "Information related to reporting security vulnerabilities of this site."
 3contact = ""
 4expires = 365
 5encryption = ""
 6acknowledgements = ""
 7languages = "en"
 8canonical = ""
 9policy = ""
10hiring = ""

The values in this sample display the default configuration. The only required parameters are contact and expires (the latter being set to 365 days = 1 year by default). So the following configuration would be minimal and within the scope of the requirements:

2contact = ""

The module will warn you in the CLI log if this parameter is missing.

Example Implementations

A few real-world implementation examples of security.txt

… and a few websites that are using hugo-security: