Security

Security v1.1.3

This module adds a security.txt file to your Hugo website. The file tells security researchers how you prefer to be notified about security issues on your website (contact address, disclosure policy, encryption key and so on). Read more about security.txt, the format published as RFC 9116 that lets a website state its vulnerability disclosure policy in a machine-readable file served at /.well-known/security.txt.

Please note that security.txt is still a young format and changes might occur. This module will implement such changes and notify you in the Hugo log about any (possibly future) missing configuration steps, should they appear.

This module DOES NOT make your website more secure. Just in case you were assuming that 😸

Add this module

```toml
[[module.imports]]
path = "github.com/davidsneighbour/hugo-security"
disable = false
ignoreConfig = false
ignoreImports = false
```

Latest Version v1.1.3 (2022-08-25)

Pin to this version:

```shell
hugo mod get github.com/davidsneighbour/hugo-security@v1.1.3
```

Usage

Install this plugin, then add your configuration to params.dnb.security.txt. The following configuration parameters are available and correspond to the fields in security.txt (shown here as the dnb subtree of params, in TOML, YAML and JSON):

```toml
[dnb]
  [dnb.security]
    [dnb.security.txt]
      acknowledgements = ''
      canonical = ''
      contact = ''
      encryption = ''
      expires = 365
      hiring = ''
      intro = 'Information related to reporting security vulnerabilities of this site.'
      languages = 'en'
      policy = ''
```

```yaml
dnb:
  security:
    txt:
      acknowledgements: ""
      canonical: ""
      contact: ""
      encryption: ""
      expires: 365
      hiring: ""
      intro: Information related to reporting security vulnerabilities of this site.
      languages: en
      policy: ""
```

```json
{
   "dnb": {
      "security": {
         "txt": {
            "acknowledgements": "",
            "canonical": "",
            "contact": "",
            "encryption": "",
            "expires": 365,
            "hiring": "",
            "intro": "Information related to reporting security vulnerabilities of this site.",
            "languages": "en",
            "policy": ""
         }
      }
   }
}
```

The values in this sample are the default configuration. The only required parameters are contact and expires, which matches RFC 9116: Contact and Expires are the two mandatory fields of a security.txt file. expires is given in days and defaults to 365 (one year); the RFC recommends an expiry of less than a year, and researchers are expected to treat a file whose Expires date has passed as stale, so make sure the site is rebuilt before that date comes around. The following configuration is therefore minimal and within the scope of the requirements:

```toml
[dnb]
  [dnb.security]
    [dnb.security.txt]
      contact = 'https://yourwebsite.com/contact/'
```

```yaml
dnb:
  security:
    txt:
      contact: https://yourwebsite.com/contact/
```

```json
{
   "dnb": {
      "security": {
         "txt": {
            "contact": "https://yourwebsite.com/contact/"
         }
      }
   }
}
```

The module will warn you in the CLI log if contact is missing.
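To see what the configuration above turns into and to check a deployed file, here is an added example (written for this page, not code from the hugo-security module): it renders a security.txt from the page's config keys using the RFC 9116 field names and then validates a security.txt body against the RFC's field rules. The key-to-field mapping, the date format and the sample files are assumptions made for this example; the module's own template may differ, so validate the file your site actually serves at /.well-known/security.txt.

```python
"""Render a security.txt from the page's config keys and validate it against RFC 9116 rules.

Added example: this is not the hugo-security module's template, and the mapping below is an
assumption of how its keys relate to RFC 9116 fields. All sample input is constructed here.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Assumed mapping: config key from the page -> RFC 9116 field name. Note the RFC spells the
# field "Acknowledgments", and "languages" becomes "Preferred-Languages". "intro" is a comment.
FIELD_FOR_KEY = {
    "acknowledgements": "Acknowledgments",
    "canonical": "Canonical",
    "contact": "Contact",
    "encryption": "Encryption",
    "hiring": "Hiring",
    "policy": "Policy",
    "languages": "Preferred-Languages",
}

REQUIRED_FIELDS = {"contact", "expires"}           # mandatory per RFC 9116
SINGLETON_FIELDS = {"expires", "preferred-languages"}  # MUST NOT appear more than once
KNOWN_FIELDS = REQUIRED_FIELDS | {f.lower() for f in FIELD_FOR_KEY.values()}
URI_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:")


def render_security_txt(cfg: dict, now: datetime) -> str:
    """Render fields from the page's config keys; 'expires' is a number of days from `now` (UTC)."""
    lines = []
    if cfg.get("intro"):
        lines.append(f"# {cfg['intro']}")
    for key, field in FIELD_FOR_KEY.items():
        if cfg.get(key):
            lines.append(f"{field}: {cfg[key]}")
    expires_at = now + timedelta(days=int(cfg.get("expires", 365)))
    lines.append("Expires: " + expires_at.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (fields, errors); fields is an ordered list of (lower-cased name, value)."""
    fields, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        m = re.fullmatch(r"([A-Za-z-]+):\s*(.+)", line)
        if not m:
            errors.append(f"line {lineno}: not a 'Field: value' line: {raw!r}")
            continue
        fields.append((m.group(1).lower(), m.group(2).strip()))
    return fields, errors


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the body passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    names = [n for n, _ in fields]
    for req in sorted(REQUIRED_FIELDS):
        if req not in names:
            problems.append(f"missing required field {req.title()}")
    for single in sorted(SINGLETON_FIELDS):
        if names.count(single) > 1:
            problems.append(f"{single.title()} appears {names.count(single)} times; at most one allowed")
    for name, value in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r} (RFC 9116 spelling is e.g. 'Acknowledgments')")
        if name == "contact":
            low = value.lower()
            if not URI_SCHEME_RE.match(low):
                problems.append(f"Contact must be a URI (https://, mailto:, tel:), got {value!r}")
            elif low.startswith("http://"):
                problems.append(f"Contact web URIs must use https://, got {value!r}")
        if name == "expires":
            try:
                exp = datetime.fromisoformat(value.upper().replace("Z", "+00:00"))
                if exp.tzinfo is None:
                    raise ValueError("missing time zone")
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 datetime with zone: {value!r}")
                continue
            if exp <= now:
                problems.append(f"Expires {value} has passed; researchers should treat the file as stale")
            elif exp - now > timedelta(days=366):
                problems.append(f"Expires {value} is more than a year out; RFC 9116 recommends less")
    return problems


# Constructed sample input: the page's minimal config merged with its defaults, and a fixed "now".
SAMPLE_NOW = datetime(2022, 8, 25, tzinfo=timezone.utc)
MINIMAL_CONFIG = {
    "contact": "https://yourwebsite.com/contact/",
    "expires": 365,
    "intro": "Information related to reporting security vulnerabilities of this site.",
    "languages": "en",
}
# Constructed sample with three defects: http:// contact, misspelled field, expired date.
SAMPLE_BAD = """\
Contact: http://yourwebsite.com/contact/
Acknowledgements: https://yourwebsite.com/thanks/
Expires: 2022-01-01T00:00:00.000Z
"""

if __name__ == "__main__":
    body = render_security_txt(MINIMAL_CONFIG, SAMPLE_NOW)
    print(body)
    print("problems (rendered):", validate_security_txt(body, now=SAMPLE_NOW))
    print("problems (bad):", validate_security_txt(SAMPLE_BAD, now=SAMPLE_NOW))
```

Run it against the file your site serves (for example the output of `curl -s https://yourwebsite.com/.well-known/security.txt`) rather than against the config: what matters is the deployed text, its expiry relative to today, and that it is reachable over HTTPS at the well-known path.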

Example Implementations

A few real-world implementation examples of security.txt

… and a few websites that are using hugo-security: