We actively maintain and provide security updates for the following versions:
| Version | Hugo Version | Supported | Status |
|---|---|---|---|
| 0.4.x | >= 0.147.7 | ✅ | Latest (Alpha) |
| 0.3.x | 0.112.0 ~ 0.146.0 | ✅ | Stable |
| Version | Hugo Version | LoveIt Compatibility | Supported |
|---|---|---|---|
| 0.1.x | Unknown | ✅ | ❌ |
| 0.2.x | 0.62.0 ~ 0.110.0 | ✅ | ❌ |
- Content Security Policy (CSP) support
- Subresource Integrity (SRI) for external resources
- XSS protection through Hugo's built-in escaping
- Safe HTML rendering with configurable markup
- Secure defaults for all theme configurations
- Keep Hugo Updated: Always use the latest stable Hugo version
- Regular Updates: Update the theme regularly to get security patches
- Content Validation: Validate user-generated content before publishing
- HTTPS Only: Always deploy sites with HTTPS enabled
- External CDN resources should be reviewed before enabling
- User-generated content requires proper sanitization
- Third-party integrations (comments, analytics) should be configured securely
We take security seriously and appreciate your help in keeping FixIt secure.
- Create an Issue: Report vulnerabilities at https://github.com/hugo-fixit/FixIt/issues
- Private Disclosure: For sensitive security issues, email the maintainers directly
- Include Details: Provide clear steps to reproduce the vulnerability
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity
- Reproduction: Step-by-step instructions to reproduce
- Environment: Hugo version, theme version, and platform details
- Solution: Suggested fix if you have one
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Status Updates: Weekly updates on progress
- Resolution: Security fixes are prioritized and released as soon as possible
- We follow responsible disclosure practices
- We will coordinate with you on the disclosure timeline