Security

Want to optimize the security of your site?

By default, Wowchemy automatically applies awesome security enhancements for you when deploying with Netlify, including:

  • ✅ Secured with HTTPS
  • ✅ Subresource Integrity (SRI)
  • ✅ X-Frame-Options
  • ✅ X-XSS-Protection
  • ✅ X-Content-Type-Options
  • ✅ Referrer-Policy [New in v5.0.0.beta.3]
  • ✅ Configurable Content Security Policy
  • ✅ Configurable Permissions Policy [New in v5.0.0.beta.3]

If your site does not generate a public/_headers file, open config/_default/config.yaml and add "headers" to outputs > home.

Content Security Policy

A Content Security Policy (CSP) is unique to each site. There are a number of third-party tools which can help you to create one.

Define your Content Security Policy in your params.yaml:

security:
  csp:
    policy: ''
    report_only: false

When creating your CSP, remember that some integrations, such as analytics, are only activated in production (live sites) and not in a development environment, so a policy that produces no violations locally may still need sources added for the production build.
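To see what a policy string actually says before pasting it into security.csp.policy, it helps to parse it into directives and flag the settings that commonly weaken a CSP. The following is an added example, not Wowchemy code; it assumes only that the policy string is the one placed under security.csp.policy and that report_only selects the report-only header name (standard browser behaviour), and the checks it applies are this example's own choice.

```python
"""Parse a Content-Security-Policy string and flag weak directives.

Added example, not part of the Wowchemy documentation or code base. The
YAML key names (security.csp.policy, security.csp.report_only) come from
the page; the header-name mapping is standard browser behaviour; the list
of checks below is this example's own selection.
"""
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name,
    the remaining tokens are source expressions. Names are
    case-insensitive, so they are lower-cased here.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # A repeated directive is ignored after its first occurrence.
        directives.setdefault(name, sources)
    return directives


def csp_header_name(report_only: bool) -> str:
    """Header emitted for enforcing vs. report-only mode."""
    if report_only:
        return "Content-Security-Policy-Report-Only"
    return "Content-Security-Policy"


def audit_csp(policy: str) -> List[str]:
    """Return human-readable findings for settings that weaken a CSP."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: any directive you omit is unrestricted")
    # script-src falls back to default-src when it is absent
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline': inline script injection is not blocked")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script or "https:" in script or "http:" in script:
        findings.append("script-src allows scripts from any origin")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src not restricted: consider object-src 'none'")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations will not be reported")
    return findings


if __name__ == "__main__":
    # Constructed sample policies for demonstration
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
    strong = ("default-src 'none'; script-src 'self'; style-src 'self'; "
              "img-src 'self' data:; object-src 'none'; report-uri /csp-report")
    for label, policy in (("weak", weak), ("strong", strong)):
        print(label, csp_header_name(report_only=True), audit_csp(policy))
```

Running it against the two constructed policies reports four findings for the first and none for the second; the empty default policy from params.yaml reports that default-src is missing, which is the signal that the site has no CSP yet.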

Permissions Policy

A Permissions Policy is unique to each site, influenced by customizations and integrations.

Define your Permissions Policy in params.yaml. For example:

security:
  permissions:
    policy: >-
      accelerometer=(), camera=(), geolocation=(), gyroscope=(),
      magnetometer=(), microphone=(), payment=(), usb=()

Compatibility

The security headers are generated into a file named public/_headers, which Netlify parses automatically.

For other hosts, follow the advice from your provider to apply the security headers.
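When porting the generated headers to a host that does not read Netlify's _headers format, the rules have to be translated into that server's own directives. The script below is an added example, not Wowchemy code: it parses a _headers file (a path line followed by indented "Name: value" lines) and emits nginx location blocks. The sample file text is constructed for this example, and its header values are illustrative, not the values Wowchemy generates.

```python
"""Port Netlify-style `public/_headers` rules to nginx add_header directives.

Added example, not part of Wowchemy. SAMPLE_HEADERS_FILE is constructed for
this example and its values are illustrative only. Only the Netlify file
format (unindented path pattern, then indented 'Name: value' lines) and
nginx's add_header syntax are assumed.
"""
from typing import Dict, List, Tuple

SAMPLE_HEADERS_FILE = """\
# constructed sample, values are illustrative
/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=()
  Content-Security-Policy: default-src 'self'; script-src 'self'
/admin/*
  X-Robots-Tag: noindex
"""

Rules = List[Tuple[str, List[Tuple[str, str]]]]


def parse_netlify_headers(text: str) -> Rules:
    """Return [(path pattern, [(header name, value), ...]), ...] in file order."""
    rules: Rules = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            rules.append((line.strip(), []))  # new path pattern
            continue
        if not rules:
            raise ValueError("header line before any path: %r" % line)
        # split on the first ':' only; values such as a CSP contain more
        name, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        rules[-1][1].append((name.strip(), value.strip()))
    return rules


def pattern_to_location(pattern: str) -> Tuple[str, str]:
    """Map a Netlify path pattern to an (nginx modifier, path) pair.

    Only trailing-wildcard and exact patterns are handled; placeholder
    segments such as '/blog/:slug' are rejected.
    """
    if ":" in pattern or "*" in pattern[:-1]:
        raise ValueError("unsupported pattern: %r" % pattern)
    if pattern.endswith("*"):
        return "", pattern[:-1]  # prefix match: '/*' -> 'location /'
    return "= ", pattern  # exact match


def merge_for(rules: Rules, pattern: str) -> Dict[str, str]:
    """Headers a location needs, including those of every enclosing prefix rule.

    nginx's add_header in a nested location replaces the parent's set
    instead of extending it, so the site-wide headers from '/*' must be
    repeated under '/admin/' or they silently disappear there. On a
    repeated header name the later rule in the file wins.
    """
    _, prefix = pattern_to_location(pattern)
    merged: Dict[str, str] = {}
    for other, headers in rules:
        other_mod, other_prefix = pattern_to_location(other)
        enclosing = other_mod == "" and prefix.startswith(other_prefix)
        if enclosing or other == pattern:
            for name, value in headers:
                merged[name] = value
    return merged


def to_nginx(rules: Rules) -> str:
    """Emit one location block per rule; 'always' also covers error responses."""
    blocks = []
    for pattern, _ in rules:
        mod, path = pattern_to_location(pattern)
        lines = ["location %s%s {" % (mod, path)]
        for name, value in merge_for(rules, pattern).items():
            lines.append('    add_header %s "%s" always;' % (name, value.replace('"', '\\"')))
        lines.append("}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(to_nginx(parse_netlify_headers(SAMPLE_HEADERS_FILE)))
```

The merge step is the part worth keeping even if you target a different server: most servers scope header directives per location, so a more specific path rule must restate the site-wide headers rather than assume inheritance.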

Auditing

Wowchemy is a page building framework for Hugo. As such, each generated site is different and carries different third-party integrations and customizations. Security audits should be performed to measure how well your site's security conforms to your criteria and to optimize the security of your specific site.

Private variables

To avoid sharing variables such as a Google Maps API key in the params.yaml file of your GitHub repository, you can purposely leave sensitive variables empty and define them in the build environment instead.

The Hugo notation for defining an environment variable is HUGOxPARAMSx followed by the parameter path, with each part of the path delimited by an x. Hugo Extended 0.79.1+ is required, so remember to edit the Hugo version in your netlify.toml if needed.

For example, to define a Google Maps API key privately in your Netlify account, set HUGOxPARAMSxMAPxAPI_KEY under the Environment section and redeploy your site if necessary.

See the Hugo Docs and Netlify Docs for more details.
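A pre-commit check that the values meant to stay private have in fact been left empty in params.yaml, together with the mapping from a parameter path to its environment variable name, is what this added example shows. It is not Wowchemy or Hugo code: the HUGOxPARAMSx naming and the x delimiter follow the text above, the set of key names treated as secret is this example's own choice, and PARAMS is a constructed stand-in for a parsed params.yaml.

```python
"""Keep secrets out of params.yaml: map a parameter path to its Hugo
environment-variable name and flag secret-looking params that still hold a value.

Added example, not Wowchemy or Hugo code. The HUGOxPARAMSx prefix and the
'x' delimiter follow the documentation text; which key names count as
secret (api_key, token, secret, password) is this example's own choice;
PARAMS is a constructed stand-in for the parsed contents of params.yaml.
"""
import re
from typing import Dict, List

SECRET_KEY_PATTERN = re.compile(r"(api_key|token|secret|password)$", re.IGNORECASE)

# Constructed sample of a parsed params.yaml; the leaked token is fake.
PARAMS = {
    "map": {"provider": "google", "api_key": "", "zoom": 15},
    "marketing": {"google_analytics": "", "twitter_site": "@example"},
    "example_service": {"api_token": "CONSTRUCTED-LEAKED-VALUE"},
}


def hugo_env_var(param_path: str) -> str:
    """'map.api_key' -> 'HUGOxPARAMSxMAPxAPI_KEY'.

    Each dotted path segment is upper-cased and the segments are joined
    with 'x'. Underscores inside a segment (API_KEY) are kept, which is
    why a delimiter other than '_' is needed between segments.
    """
    segments = [s for s in param_path.split(".") if s]
    if not segments:
        raise ValueError("empty parameter path")
    return "HUGOxPARAMSx" + "x".join(s.upper() for s in segments)


def find_committed_secrets(params: Dict, prefix: str = "") -> List[str]:
    """Walk nested params; return dotted paths of secret-looking keys that are not empty."""
    leaks: List[str] = []
    for key, value in params.items():
        path = "%s.%s" % (prefix, key) if prefix else key
        if isinstance(value, dict):
            leaks.extend(find_committed_secrets(value, path))
        elif SECRET_KEY_PATTERN.search(key) and value not in ("", None):
            leaks.append(path)
    return leaks


def resolve_param(params: Dict, param_path: str, environ: Dict[str, str]) -> str:
    """Value from the build environment if set there, else from params.yaml.

    Mirrors the override order the page describes: the empty file value is
    the placeholder, the environment variable supplies the real value.
    """
    from_env = environ.get(hugo_env_var(param_path))
    if from_env:
        return from_env
    node = params
    for segment in param_path.split("."):
        node = node.get(segment, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, str) else ""


if __name__ == "__main__":
    import os
    print("env var for map.api_key:", hugo_env_var("map.api_key"))
    print("secrets still in params.yaml:", find_committed_secrets(PARAMS))
    print("resolved map.api_key:", repr(resolve_param(PARAMS, "map.api_key", dict(os.environ))))
```

Run find_committed_secrets over the real parsed params.yaml before each commit; any path it returns is a value that belongs in the host's environment settings under the name hugo_env_var gives for it.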
