Using Hugo to share private posts

I sometime need to share posts with selected readers only, for review or private discussion.

This is precisely the objective of the Hugo theme ‘Off The Record’::

“publish a post and invite chosen readers with a private link – while keeping this post hidden from other visitors”.

A demo is available, and the source code is public.

Installation

Note that Hugo extended > 0.82 is required (Posts are not properly hidden with previous Hugo versions).

Download:

git clone --recurse-submodules https://github.com/RoneoOrg/hugo-offtherecord-demo.git

Run:

cd hugo-offtherecord-demo

hugo serve

How to use

Set offTheRecord to true in the Front Matter of the posts you want to hide.

That’s all!

Example

---
title: "Pending article, for review"
date: 2021-11-22T00:00:03+00:00
offTheRecord: true
---

Update

Update the theme with the following command at the root of your project:

git submodule update --init --recursive --remote

Technical details

Private posts are hidden from:

• the homepage
• the search results
• the RSS feeds
• the archive page
• the sitemap

Search engines are also told not to index these posts.

See the changelog for a commented code tour.

Additional features

This theme is based on Papermod, which provides numerous other features:

• 3 different Homepage layouts
• Multilingual support.
• Multiple Author support.
• Light / Dark theme.
• Search page.
• Carefully optimized code.

See the Papermod Documentation for more info

Caveats

This solution should not be considered secured before checking your threat model with these caveats in mind:

• someone could guess the URL of a private post.
• someone could automatically scan your website to discover these secret URLs.
• an attacker could access your Git repo and read private content directly from the source files. You should use a private repo.

The way you share the link matters too. See:

• “ Gmail is opening and caching URLs within emails without user intervention”.
• “ Outlook scans emails arriving in your inbox and sends all found URLs to Bing”

In addition, Internet actors on the way (hosts, DNS and internet providers) will handle references / parts of your page.

Roadmap

What’s left to do:

• Study these similar projects: 1 1b 1c 2 (see the “ unlisted” option)
• Encrypt the content too: 1
• Check Hugo “Build Options” for relevant features
• Verify the content of schema.json
• Hide private posts from the tags pages and from Hugo series (disabled by default).
• Update Papermod Readme and documentation
• Check if hidden posts are counted in Tags pages total

References

• The original idea comes from this post from zwbetz.
• See also this discussion on discourse.gohugo
• Staled Feature request
• Old thread on discourse.gohugo