Want to optimize the security of your site?
By default, Wowchemy automatically applies awesome security enhancements for you when deploying with Netlify, including:
- ✅ Secured with HTTPS
- ✅ Subresource Integrity (SRI)
- ✅ X-Frame-Options
- ✅ X-XSS-Protection
- ✅ X-Content-Type-Options
- ✅ Referrer-Policy
- ✅ Configurable Content Security Policy
- ✅ Configurable Permissions Policy
If your site does not generate a public/_headers file, open config/_default/config.yaml and add
Prevent sites embedding your content
By default, Wowchemy sites are secured to prevent malicious sites from embedding your content in their own pages.
However, if you need to embed a page from your site in a frame, you can opt to allow this in

```yaml
security:
  allow_frame: true
```
Content Security Policy
A Content Security Policy (CSP) is unique to each site. There are a number of third-party tools which can help you to create one.
Define your Content Security Policy in your

```yaml
security:
  csp:
    policy: ''
    report_only: false
```

When creating your CSP, remember that some integrations, such as analytics, are only activated in production (live sites) and not in a development environment, so test the policy against a deployed build.
Permissions Policy
A Permissions Policy is unique to each site, influenced by customizations and integrations.
Define your Permissions Policy in params.yaml. For example:

```yaml
security:
  permissions:
    policy: >-
      accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
```
The security headers are generated to a file named public/_headers, which Netlify parses automatically.
For other hosts, follow the advice from your provider to apply the security headers.
Wowchemy is a page building framework for Hugo. As such, each site generated is different and features different third-party integrations and customizations. Security audits should be performed to measure how well the security conforms to your criteria and to optimize the security of your specific site.
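One way to run such an audit against the generated file, as an added example that is not part of Wowchemy or Netlify: parse the Netlify `_headers` layout (an unindented path line such as `/*` followed by indented `Header: value` lines) and check the catch-all rule for the headers listed at the top of this page. The sample file is constructed, and the assumption that `report_only: true` results in a `Content-Security-Policy-Report-Only` header is the standard browser mechanism, not something this page states.

```python
# Added example: audit a Netlify `_headers` file for the headers Wowchemy lists.
# Assumes the standard Netlify layout: path line, then indented "Name: value" lines.

# Constructed sample, shaped like a generated public/_headers file.
SAMPLE_HEADERS = """\
/*
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Content-Security-Policy-Report-Only: default-src 'self'
"""

EXPECTED = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options",
            "Referrer-Policy", "Content-Security-Policy", "Permissions-Policy")


def parse_headers(text):
    """Return {path: {header_name: value}} from Netlify _headers text."""
    rules, path = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank line or comment
        if not line[0].isspace():          # path line, e.g. "/*" or "/admin/*"
            path = line.strip()
            rules.setdefault(path, {})
        elif path is not None and ":" in line:
            name, value = line.strip().split(":", 1)
            rules[path][name.strip()] = value.strip()
    return rules


def audit(text, allow_frame=False, report_only=False):
    """Return findings for the catch-all `/*` rule; an empty list means OK."""
    hdrs = parse_headers(text).get("/*", {})
    findings = []
    for name in EXPECTED:
        if name == "Content-Security-Policy" and report_only:
            name = "Content-Security-Policy-Report-Only"  # assumed mapping
        if name not in hdrs:
            findings.append(f"missing {name}")
    xfo = hdrs.get("X-Frame-Options", "").upper()
    if not allow_frame and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options should be DENY or SAMEORIGIN, got {xfo!r}")
    if report_only and "Content-Security-Policy-Report-Only" in hdrs:
        findings.append("CSP is report-only: violations are reported, not blocked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, report_only=True):
        print(finding)
```

Run it against your own public/_headers after a build; a non-empty result lists what is missing or weaker than the defaults above.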
To avoid sharing variables such as a Google Maps API key in the params.yaml file of your GitHub repository, you can purposely leave sensitive variables empty and define them in the build environment instead.
The Hugo notation for defining an environment variable is HUGOxPARAMSx followed by the parameter path, with each part of the path delimited by an x. Hugo Extended 0.79.1+ is required, so remember to edit the Hugo version in your netlify.toml if needed.
For example, to define a Google Maps API key privately in your Netlify account, set HUGOxPARAMSxMAPxAPI_KEY under the Environment section and redeploy your site if necessary.
See the Hugo Docs and Netlify Docs for more details.