Want to optimize the security of your site?
By default, Wowchemy automatically applies awesome security enhancements for you when deploying with Netlify, including:
- ✅ Secured with HTTPS
- ✅ Subresource Integrity (SRI)
- ✅ X-Frame-Options
- ✅ X-XSS-Protection
- ✅ X-Content-Type-Options
- ✅ Referrer-Policy [New in v5.0.0.beta.3]
- ✅ Configurable Content Security Policy
- ✅ Configurable Permissions Policy [New in v5.0.0.beta.3]
If your site does not generate a `public/_headers` file, open `config/_default/config.yaml` and add

Content Security Policy
Define your Content Security Policy in your

```yaml
security:
  csp:
    policy: ''
    report_only: false
```
When creating your CSP, remember that some integrations, such as analytics, are only activated in production (live sites) and not in a development environment, so a policy that passes locally may still block resources once deployed.
A Permissions Policy is unique to each site, influenced by customizations and integrations.
Define your Permissions Policy in `params.yaml`. For example:

```yaml
security:
  permissions:
    policy: >-
      accelerometer=(), camera=(), geolocation=(), gyroscope=(),
      magnetometer=(), microphone=(), payment=(), usb=()
```
The security headers are generated to a file named `public/_headers`, which Netlify parses automatically.
For other hosts, follow the advice from your provider to apply the security headers.
Wowchemy is a page building framework for Hugo. As such, each site generated is different and features different third-party integrations and customizations. Security audits should be performed to measure how well the security conforms to your criteria and to optimize the security of your specific site.
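To make the `_headers` mechanism and the audit advice concrete, here is an added example (not Wowchemy's template code) that renders a Netlify `_headers` block from the `security.csp` and `security.permissions` keys shown above, parses such a file back, and flags the weaknesses a reviewer would look for first. The fixed header values, the `/*` path, and the exact set of headers emitted are assumptions of this example; Wowchemy's real output may differ in detail.

```python
"""Render and audit a Netlify ``_headers`` file (added example, not Wowchemy's code)."""
import copy

# Constructed stand-in for the security section of params.yaml.
SITE_CONFIG = {
    "security": {
        "csp": {
            "policy": "default-src 'self'; script-src 'self'; object-src 'none'",
            "report_only": False,
        },
        "permissions": {
            "policy": "accelerometer=(), camera=(), geolocation=(), microphone=()",
        },
    }
}

# Headers the page lists as applied by default; the values are assumed here.
FIXED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
REQUIRED = list(FIXED_HEADERS)


def render_headers(config: dict) -> str:
    """Build _headers text: a path line followed by indented ``Name: value`` lines."""
    sec = config.get("security", {})
    headers = dict(FIXED_HEADERS)
    csp = sec.get("csp", {})
    # Collapse the whitespace a YAML folded scalar (>-) may leave behind.
    policy = " ".join(csp.get("policy", "").split())
    if policy:
        # report_only selects the Report-Only header: violations are reported
        # but not blocked, which is useful while tuning a policy on a live site.
        name = ("Content-Security-Policy-Report-Only" if csp.get("report_only")
                else "Content-Security-Policy")
        headers[name] = policy
    perms = " ".join(sec.get("permissions", {}).get("policy", "").split())
    if perms:
        headers["Permissions-Policy"] = perms
    return "\n".join(["/*"] + [f"  {k}: {v}" for k, v in headers.items()]) + "\n"


def parse_headers(text: str) -> dict:
    """Parse the Netlify _headers format into {path: {header_name: value}}."""
    result, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith((" ", "\t")):      # unindented line == path pattern
            current = raw.strip()
            result[current] = {}
        elif current is not None and ":" in raw:  # indented line == header
            name, value = raw.strip().split(":", 1)
            result[current][name.strip()] = value.strip()
    return result


def audit_headers(text: str, path: str = "/*") -> list:
    """Return findings for one path block; an empty list means nothing to flag."""
    findings = []
    hdrs = parse_headers(text).get(path, {})
    for name in REQUIRED:
        if name not in hdrs:
            findings.append(f"missing {name}")
    csp = hdrs.get("Content-Security-Policy")
    if csp is None:
        if "Content-Security-Policy-Report-Only" in hdrs:
            findings.append("CSP is report-only: violations are logged, not blocked")
        else:
            findings.append("missing Content-Security-Policy")
    else:
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        # script-src falls back to default-src when absent.
        script = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script or "*" in script:
            findings.append("script-src allows unsafe-inline or a wildcard")
        if "object-src" not in directives and "default-src" not in directives:
            findings.append("no object-src or default-src fallback")
    if "Permissions-Policy" not in hdrs:
        findings.append("missing Permissions-Policy")
    return findings


if __name__ == "__main__":
    rendered = render_headers(SITE_CONFIG)
    print(rendered)
    print("findings:", audit_headers(rendered) or "none")
```

Run it against your own `public/_headers` by passing the file's contents to `audit_headers`; the checks are deliberately conservative (a report-only CSP is flagged because it does not block anything), so treat findings as review prompts rather than verdicts.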
To avoid sharing variables such as a Google Maps API key in the `params.yaml` file of your GitHub repository, you can purposely leave sensitive variables empty and define them in the build environment instead.
The Hugo notation for defining an environment variable is `HUGOxPARAMSx` followed by the parameter path, with each part of the path delimited by an `x`. Hugo Extended 0.79.1+ is required, so remember to edit the Hugo version in your `netlify.toml` if needed.
For example, to define a Google Maps API key privately in your Netlify account, set `HUGOxPARAMSxMAPxAPI_KEY` under the Environment section and redeploy your site if necessary.
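The following added example (not Hugo's own implementation) shows which parameter a `HUGOxPARAMSx...` variable name reaches and how it fills a value that was deliberately left empty in the committed `params.yaml`. The lower-casing of path parts and the overriding behaviour are assumptions made for illustration; the `PARAMS` and `ENV` data are constructed.

```python
"""Map HUGOxPARAMSx... environment variables onto a params dict (added example)."""
import copy
import os

PREFIX = "HUGOxPARAMSx"


def env_to_path(name: str) -> list:
    """'HUGOxPARAMSxMAPxAPI_KEY' -> ['map', 'api_key'].

    The delimiter is a lowercase x, so an uppercase X inside a key name
    (e.g. INDEX) is not treated as a separator. Lower-casing the parts is an
    assumption of this example for matching against params.yaml keys.
    """
    if not name.startswith(PREFIX):
        raise ValueError(f"{name!r} does not start with {PREFIX}")
    return [part.lower() for part in name[len(PREFIX):].split("x") if part]


def apply_env_params(params: dict, environ=None) -> dict:
    """Return a copy of params with matching environment values written in."""
    environ = os.environ if environ is None else environ
    merged = copy.deepcopy(params)          # never mutate the committed config
    for name, value in environ.items():
        if not name.startswith(PREFIX):
            continue
        path = env_to_path(name)
        node = merged
        for key in path[:-1]:
            node = node.setdefault(key, {})  # create nested tables as needed
        node[path[-1]] = value
    return merged


# Constructed params.yaml equivalent: the secret is intentionally empty in git.
PARAMS = {"map": {"provider": "google", "api_key": ""}}
# Constructed build environment, as set in Netlify's Environment section.
ENV = {"HUGOxPARAMSxMAPxAPI_KEY": "example-key-placeholder"}

if __name__ == "__main__":
    print(apply_env_params(PARAMS, ENV))
```

Because the committed value stays empty and only the build environment supplies the key, a clone of the repository contains no secret, which is the point of the pattern.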